Thanks for submitting your first issue, we will have a look as quickly as possible.

It seems there are indeed some issues. One of these is that you are required to have passed lesson 2 before lesson 7.
I'll need to take a deeper look into this

I can have a look, I have a branch were I started to write up the solution.
Did not know it will pass as well with a normal zip file :-)

I experience the same issue with webgoat-8.2.2

The goal is to somehow override /WebGoat/images/account.png

I don't think it is. That file is not in the profile directory (~/.webgoat-8.2.2) but part of the webserver.

I have found this seemingly-related function which weirdly enough doesn't seem to get called at all:

webgoat.customjs.profileZipSlipRetrieval = function () {
    $.get("PathTraversal/zip-slip", function (result, status) {
        document.getElementById("previewZipSlip").src = "data:image/png;base64," + result;
    });
}

The question remains - where should the uploaded picture go to ? The challenge is marked as finished sending any zip file.

Page 8 of the lesson shows that the solution is about overwriting:

.webgoat-8.2.2/PathTraversal/testuser/testuser.jpg

but uploading that didn't work for me and the profile picture remained the same.

Also the java fix code shown in the solution seems abrupt:

File profilePicture = new File(uploadDirectory, e.getName());
if (profilePicture.

One of these is that you are required to have passed lesson 2 before lesson 7.

That is related to the reuse of the same directory. The Zip Slip lesson now cleans the directory before processing the upload of the zipfile.

Closing as we released 2023.3