JUnit Open Test Reporting Git Credential Leak Vulnerability
Vulnerability
A vulnerability in the Git metadata that JUnit's Open Test Reporting XML generator records can leak Git credentials. It affects JUnit 5.12.0 through 5.13.1. When a repository is cloned with a token or other credentials embedded in the remote URL (for example 'https://<token>@github.com/org/repo.git'), the 'OpenTestReportGeneratingListener' (enabled with 'junit.platform.reporting.open.xml.enabled=true') copies that URL, credentials included, into the XML report. If the report is published or stored where others can read it, an attacker who obtains the token can act as the user or application it belongs to, with whatever access the token grants.
Impact
Exposed Git credentials in the Open Test Reporting XML let anyone who can read the report act as the user or application the token belongs to, with whatever permissions the token grants. Reports uploaded as CI artifacts, fed to test dashboards, or committed alongside build output count as published: anyone with read access to those locations can recover the token.
Reproduction
To reproduce this vulnerability, clone a GitHub repository using a URL that embeds a token (for example 'https://<token>@github.com/org/repo.git'), then run the test suite on an affected version with the Open Test Reporting listener enabled ('junit.platform.reporting.open.xml.enabled=true'). Search the generated XML report for the token: in affected versions it appears verbatim in the Git remote URL recorded in the report.
Remediation
Update to JUnit 5.13.2 or later, which obfuscates credentials in the Git remote URL before writing the report. Inclusion of Git metadata can also be switched off entirely by setting the 'junit.platform.reporting.open.xml.git.enabled' configuration parameter to 'false'. Any token that appeared in a report stored or shared outside the build host should be treated as compromised and rotated. Avoiding credentials in remote URLs altogether (using a credential helper or the CI system's own checkout mechanism instead) removes the exposure regardless of the JUnit version.
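The following is an added example illustrating the Reproduction and Remediation steps above; it is not JUnit's own code. It models what the affected listener does with the remote URL (the assumption that the recorded value is 'remote.origin.url' from '.git/config' is the example's), shows the kind of redaction the fix applies (dropping the userinfo part of the URL; JUnit's exact placeholder text is not reproduced), and adds a pre-publish check a CI job can run over any report before uploading it. The '.git/config' contents, token value and XML element names are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the .git/config git writes for
#   git clone https://ghp_EXAMPLETOKEN123@github.com/example-org/example-repo.git
# The token is made up for this example.
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://ghp_EXAMPLETOKEN123@github.com/example-org/example-repo.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[branch "main"]
\tremote = origin
\tmerge = refs/heads/main
"""

# A URL whose authority carries userinfo (user, user:password or a bare token).
USERINFO_URL = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^/\s@]+@[^\s\"'<>]+")


def remote_origin_url(git_config_text: str) -> Optional[str]:
    """Return remote.origin.url from .git/config text.

    Stand-in for the listener reading the remote URL of the clone; that it is
    this value which gets recorded is an assumption of the example.
    """
    in_origin = False
    for raw in git_config_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_origin = line == '[remote "origin"]'
        elif in_origin and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "url":
                return value.strip()
    return None


def redact_userinfo(url: str) -> str:
    """Drop any userinfo (token, user:password) from the URL authority.

    Models the obfuscation a fixed listener applies; JUnit 5.13.2's exact
    output format is not reproduced. scp-style 'git@host:path' has no URL
    scheme and is returned unchanged (the 'git' user is not a secret).
    """
    parts = urlsplit(url)
    if not parts.scheme or "@" not in parts.netloc:
        return url
    host = parts.netloc.rsplit("@", 1)[1]  # keeps port and IPv6 brackets intact
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def build_report(remote_url: str, obfuscate: bool) -> str:
    """Emit a minimal XML fragment carrying the Git remote URL.

    obfuscate=False models 5.12.0 to 5.13.1, obfuscate=True models the fix.
    Element and attribute names are a simplified stand-in, not the real schema.
    """
    url = redact_userinfo(remote_url) if obfuscate else remote_url
    root = ET.Element("report")
    ET.SubElement(root, "repository", originUrl=url)
    return ET.tostring(root, encoding="unicode")


def find_leaked_credentials(report_xml: str) -> List[str]:
    """Pre-publish check: every attribute value or text node in the report
    that looks like a URL with embedded credentials. A CI step can fail the
    build on a non-empty result instead of uploading the artifact."""
    findings: List[str] = []
    for element in ET.fromstring(report_xml).iter():
        for value in [element.text or "", *element.attrib.values()]:
            findings.extend(m.group(0) for m in USERINFO_URL.finditer(value))
    return findings


if __name__ == "__main__":
    url = remote_origin_url(SAMPLE_GIT_CONFIG)
    for label, obfuscate in (("5.12.0-5.13.1", False), ("5.13.2+", True)):
        report = build_report(url, obfuscate)
        verdict = "LEAK " + ", ".join(find_leaked_credentials(report)) or "clean"
        print(label, report, verdict if find_leaked_credentials(report) else "clean")
```

Running the script prints the unpatched-style report with the token in 'originUrl' and flagged by the scanner, then the redacted report with no userinfo and a clean verdict. The scanner is deliberately independent of the JUnit version in use: it catches the same class of leak in any report or log file a build publishes, not only this listener's output.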
