Allure Report Generator Arbitrary File Read Vulnerability via Path Traversal

Vulnerability

A path traversal vulnerability allowing arbitrary file read has been identified in the Allure report generator in versions prior to 2.37.0. When the generator processes test results it reads attachment references from the result files but does not confine the referenced paths to the results directory. A result file whose attachment entry carries a path traversal payload therefore makes the generator resolve a path to a sensitive file on the host and copy that file into the generated report as an attachment. Anyone who can place or upload result files on a host that runs the generator can exploit this.

Impact

Exploitation yields arbitrary file read with the privileges of the process running the generator. In CI/CD environments this can expose server secrets, cloud credentials, or environment configuration files, which then leave the host inside the published report. Custom Allure web services that accept uploaded result files and run the generator on them are affected in the same way; Allure TestOps is not affected.

Reproduction

To reproduce, create a directory named 'allure-results' and place in it a result file named 'malicious-result.json' whose attachment entry carries a path traversal payload pointing at a sensitive file such as '/etc/passwd'. Then run the Allure command that generates a report from that directory. The generator resolves the path, and the contents of the targeted file appear among the generated report's attachments.
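The check a custom results-processing service (the "custom Allure web services" case above) would want before handing uploaded results to the generator, as an added example that is not code from this page or from the Allure project. It writes the allure-results layout from the reproduction above with constructed sample data (the uuids, test names and attachment names are made up here), shows the naive join that lets '..' segments walk out of the results directory next to a check that confines attachment sources to it, and reports every attachment that would escape. The attachment fields (name, source, type) follow the shape of Allure 2 result files; the function names are this example's own.

```python
import json
import os
import tempfile
from pathlib import Path

# Constructed sample result files in the Allure 2 result-file shape:
# one benign, one carrying the traversal payload from the reproduction above.
BENIGN_RESULT = {
    "uuid": "0f8fad5b-d9cb-469f-a165-70867728950e",
    "name": "login works",
    "status": "passed",
    "attachments": [
        {"name": "console log", "source": "0f8fad5b-attachment.txt", "type": "text/plain"}
    ],
}
MALICIOUS_RESULT = {
    "uuid": "7c9e6679-7425-40de-944b-e07fc1f90ae7",
    "name": "totally normal test",
    "status": "passed",
    "attachments": [
        {"name": "harmless.txt", "source": "../../../../etc/passwd", "type": "text/plain"}
    ],
}


def unsafe_resolve(results_dir, source):
    """What a naive generator does: join `source` onto the results directory and
    let '..' segments walk out of it. Only the resulting path is returned; nothing is read."""
    return (Path(results_dir) / source).resolve()


def is_confined(results_dir, source):
    """Hardened check: an attachment source must be a bare file name, and the
    resolved path (symlinks followed) must sit directly inside results_dir."""
    if not isinstance(source, str) or not source:
        return False
    if os.path.isabs(source) or "/" in source or "\\" in source:
        return False
    base = Path(results_dir).resolve()
    target = (base / source).resolve()
    return target.parent == base  # exact parent, not a string-prefix test


def find_traversal_attachments(results_dir):
    """Scan every *-result.json in results_dir and return one
    (result file, attachment name, source, path it would escape to)
    tuple for each attachment whose source leaves the results directory."""
    findings = []
    base = Path(results_dir)
    for result_file in sorted(base.glob("*-result.json")):
        try:
            data = json.loads(result_file.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed result file: not an attachment to copy
        if not isinstance(data, dict):
            continue
        for att in data.get("attachments") or []:
            source = att.get("source", "") if isinstance(att, dict) else ""
            if not is_confined(base, source):
                findings.append((result_file.name, att.get("name", "") if isinstance(att, dict) else "",
                                 source, str(unsafe_resolve(base, source))))
    return findings


def write_sample_results(results_dir):
    """Write the constructed sample files into results_dir (an allure-results layout)."""
    results_dir = Path(results_dir)
    results_dir.mkdir(parents=True, exist_ok=True)
    (results_dir / "0f8fad5b-attachment.txt").write_text("ok\n", encoding="utf-8")
    (results_dir / "benign-result.json").write_text(json.dumps(BENIGN_RESULT), encoding="utf-8")
    (results_dir / "malicious-result.json").write_text(json.dumps(MALICIOUS_RESULT), encoding="utf-8")
    return results_dir


def demo():
    """Build the sample allure-results directory in a temporary location and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        results_dir = write_sample_results(Path(tmp) / "allure-results")
        return find_traversal_attachments(results_dir)


if __name__ == "__main__":
    for result_file, name, source, target in demo():
        print(f"{result_file}: attachment {name!r} with source {source!r} escapes to {target}")
```

The confinement check deliberately rejects any separator rather than comparing string prefixes, because a prefix test passes '/srv/allure-results-old/secret' for a base of '/srv/allure-results', and it resolves symlinks before comparing so a planted link inside the directory cannot point outside it.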

Remediation

Users are advised to update to Allure version 2.38.0 or later, where this vulnerability has been fixed. Until the upgrade is deployed, do not run the generator on result files from untrusted sources, and services that accept uploaded results should validate attachment paths before invoking it.

Added: Mar 20, 2026, 10:23 PM
Updated: Mar 20, 2026, 10:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.3
remediation: 0.0
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.