Conversation

@bram-star-app bram-star-app bot commented Aug 25, 2025

Note

Fixed 16 of 17 vulnerabilities.
Please review the fixes before merging.

| Vulnerability | Endpoint | Affected Files | Resolution |
| --- | --- | --- | --- |
| Full Path Disclosure | GET /api/auth/jwt/kid-sql/validate | src/auth/auth.guard.ts | Removed full path disclosure from error messages in AuthGuard. |
| Server Side Request Forgery | GET /api/file/aws | src/file/file.service.ts | Restrict server-side requests to a whitelist of allowed hosts to prevent SSRF attacks. |
| Server Side Request Forgery | GET /api/file/azure | src/file/file.service.ts | The fix involves enhancing the host validation logic to prevent access to private network addresses and IP addresses, mitigating the SSRF vulnerability. |
| Full Path Disclosure | DELETE /api/file | src/file/file.controller.ts, src/file/file.service.ts | Ensure error messages do not expose file paths by logging detailed errors and returning generic messages to the client. |
| Unvalidated Redirect | GET /api/goto | src/app.controller.ts | Implemented URL validation with an allowlist to prevent unvalidated redirects. |
| Server Side Request Forgery | GET /api/file/digital_ocean | src/file/file.service.ts | Added hostname validation to restrict access to private network addresses and IPs, preventing SSRF attacks. |
| XPATH Injection | GET /api/partners/searchPartners | src/partners/partners.controller.ts, src/partners/partners.service.ts | Sanitize and validate user input for XPath queries to prevent injection attacks. |
| [BL] ID Enumeration | GET /api/users/id/1 | src/users/users.controller.ts | Added authorization checks to ensure users can only access their own data by verifying the email from the JWT token. |
| Server Side Template Injection | POST /api/render | src/app.controller.ts | Escape user input before rendering templates to prevent Server Side Template Injection. |
| Broken JWT Authentication | POST /api/testimonials | src/auth/jwt/jwt.token.processor.ts | The JWT parsing logic now rejects tokens with the 'none' algorithm, preventing unauthenticated access. |
| GraphQL Introspection | POST /graphql | src/app.module.ts | Disabled GraphQL introspection and GraphiQL interface to prevent schema exposure. |
| SQL Injection | POST /graphql | src/products/products.resolver.ts, src/products/products.service.ts | Replaced dynamic SQL query construction with parameterized queries to prevent SQL injection. |
| Secret Tokens Leak | GET /api/config | src/app.service.ts | Sensitive information in the configuration response is now redacted to prevent leaks. |
| Broken JWT Authentication | GET /api/auth/jwt/rsa/signature/validate | src/auth/jwt/jwt.token.with.rsa.signature.keys.processor.ts | The fix ensures that JWT tokens using the 'none' algorithm are rejected by checking the algorithm in the token header before validation. |
| GraphQL Introspection | POST /graphql | src/app.module.ts | Disabled GraphQL introspection by adding a validation rule to block introspection queries. |
| Server Side Request Forgery | GET /api/file/google | src/file/file.service.ts | Restrict server-side requests to only trusted external hosts by maintaining a whitelist and blocking private network addresses. |
Workflow execution details
  • Repository Analysis: TypeScript, NestJS
  • Entrypoints Discovery: 70 entrypoints
  • Attack Vectors Identification
  • E2E Security Tests Generation: 70 test files created
  • E2E Security Tests Execution: Found 17 vulnerabilities.
  • Cleanup Irrelevant Test Files: 54 files removed.
  • Applying Security Fixes: Generated 17 security fixes.
  • E2E Security Tests Execution: Found 5 vulnerabilities.
  • Cleanup Irrelevant Test Files: 11 files removed.
  • Applying Security Fixes: Generated 5 security fixes.
  • E2E Security Tests Execution: Found 2 vulnerabilities.
  • Cleanup Irrelevant Test Files: 3 files removed.
  • Applying Security Fixes: Generated 2 security fixes.
  • E2E Security Tests Execution: Found 1 vulnerability.
  • Cleanup Irrelevant Test Files: 1 file removed.
  • Applying Security Fixes: Generated 1 security fix.
  • E2E Security Tests Execution: Found 1 vulnerability.
  • Cleanup Irrelevant Test Files: 0 files removed.
  • Applying Security Fixes: Generated 1 security fix.
  • E2E Security Tests Execution: Found 1 vulnerability.
  • Workflow Wrap-Up
