Allure 2 XML External Entity Vulnerability in JUnit and TRX Plugins Allowing Arbitrary File Read and SSRF

Vulnerability

A critical XML External Entity (XXE) vulnerability has been identified in Allure 2, specifically in the xunit-xml-plugin, trx-plugin, and junit-xml-plugin, in all versions prior to 2.34.1. The vulnerability arises because these plugins do not configure the XML parser to disable DTD processing, so external entities declared in a test result XML file are resolved and expanded when the file is processed. This flaw enables an attacker who can supply a result file to read arbitrary files from the file system and potentially to perform server-side request forgery (SSRF). The issue has been patched in Allure 2.34.1.
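The following is an added example written for this advisory, not code from Allure or its plugins. It shows the defensive check a report-generation step should apply to incoming JUnit-style result files: enumerate every DOCTYPE and entity declaration with the expat callbacks (which report declarations without fetching anything), and refuse the file if any is present, since test result formats never legitimately carry a DTD. Both sample documents are constructed here; the file URL in the second one is a placeholder, not a real path.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when a test-result file carries DTD constructs that enable XXE."""


def find_dtd_constructs(xml_bytes: bytes) -> list[str]:
    """Report every DOCTYPE and entity declaration in the document.

    JUnit/xunit/TRX result files never need a DTD, so any hit is a reason to
    refuse the file before a full parser touches it. No ExternalEntityRefHandler
    is registered, so expat records the declarations but resolves nothing.
    """
    findings: list[str] = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings.append(f"DOCTYPE {name!r} system_id={system_id!r}")

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if system_id is not None else "internal"
        findings.append(f"{kind} entity {name!r} -> {system_id or value!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError:
        # Malformed input is handled by the real parser later; here we only
        # care about the DTD findings collected before the error.
        pass
    return findings


def parse_test_results(xml_bytes: bytes) -> ET.Element:
    """Parse a JUnit-style result file only if it carries no DTD at all."""
    findings = find_dtd_constructs(xml_bytes)
    if findings:
        raise UnsafeXmlError("rejected result file: " + "; ".join(findings))
    return ET.fromstring(xml_bytes)


def count_testcases(xml_bytes: bytes) -> int:
    """Convenience wrapper: number of <testcase> elements in a safe file."""
    root = parse_test_results(xml_bytes)
    return len(root.findall(".//testcase"))


# Constructed sample: a benign JUnit-style result file.
BENIGN_RESULT = b"""<?xml version="1.0" encoding="UTF-8"?>
<testsuite name="example" tests="2">
  <testcase classname="demo.LoginTest" name="succeeds"/>
  <testcase classname="demo.LoginTest" name="rejectsBadPassword">
    <failure message="expected 401"/>
  </testcase>
</testsuite>
"""

# Constructed sample: the same file with a DTD that declares an external
# entity. The URL is a placeholder; the point is that the file is rejected
# before any parser could resolve it.
DTD_RESULT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE testsuite [
  <!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path">
]>
<testsuite name="example" tests="1">
  <testcase classname="demo.LoginTest" name="succeeds">
    <system-out>&ext;</system-out>
  </testcase>
</testsuite>
"""

if __name__ == "__main__":
    print("benign file testcases:", count_testcases(BENIGN_RESULT))
    try:
        count_testcases(DTD_RESULT)
    except UnsafeXmlError as exc:
        print(exc)
```

The same policy is what a patched parser configuration enforces inside the tool: in a JAXP-based Java parser, setting the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on the factory makes any DOCTYPE a fatal parse error, which removes both the file-read and the SSRF path at once. The pre-scan above is useful as an additional CI gate because it also produces a log line naming the offending declaration, which is what a detection pipeline wants to see.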

Impact

Exploitation of this vulnerability can lead to arbitrary file disclosure and server-side request forgery. With a carefully crafted result file, these actions happen silently and without user interaction, so when the tool runs automatically inside an application the exploitation can go undetected. This poses a significant risk when the tool is used in a CI/CD pipeline, as it could enable a malicious actor to access sensitive information such as API keys, product secrets, or internal URLs.

Reproduction

To reproduce this vulnerability, install Allure command-line version 2.34.0 or earlier. Create a directory for the report and a malicious XML file that exploits the XXE vulnerability by including a reference to an external entity, such as a file containing sensitive information. After writing the payload, place the XML file in the appropriate directory and run the Allure command to generate the report. Once the report is opened, the executed payload can be confirmed by checking the response in the report's categories.

Remediation

Users can update to Allure version 2.34.1 or later, where this vulnerability has been patched.

Added: Jun 24, 2025, 8:27 PM
Updated: Jun 24, 2025, 8:27 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         2.9
exploitability: 8.7
remediation:    7.7
relevance:      0.2
threat:         6.4
urgency:        2.9
incentive:      5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.