@bram-star-app bram-star-app bot commented Aug 25, 2025

Tip

Security analysis and remediation are in progress...

  • Repository Analysis: TypeScript, NestJS
  • Entrypoints Discovery: 71 entrypoints
  • Attack Vectors Identification
  • E2E Security Tests Generation: 71 test files created
  • E2E Security Tests Execution: Found 17 vulnerabilities.
  • Cleanup Irrelevant Test Files: 55 files removed.
  • Applying Security Fixes: Generated 17 security fixes.
  • 🔄 E2E Security Tests Execution: In progress…
  • Workflow Wrap-Up

Proposed 17 security fixes:

| Vulnerability | Endpoint | Affected Files | Resolution |
| --- | --- | --- | --- |
| Broken JWT Authentication | DELETE /api/users/one/1/photo | src/users/users.controller.ts, src/users/users.service.ts | Enforce JWT algorithm verification by using a specific algorithm (e.g., RS256) instead of allowing 'none'. |
| Full Path Disclosure | GET /api/auth/jwt/kid-sql/validate | src/components/global-exception.filter.ts | Implement a global exception filter to log detailed errors internally while returning generic error messages to the client, preventing full path disclosure. |
| Broken JWT Authentication | GET /api/auth/jwt/rsa/signature/validate | src/auth/auth.service.ts | Ensure JWT tokens are validated using the correct algorithm by checking the processor type before validation. |
| Server Side Request Forgery | GET /api/file/azure | src/file/cloud.providers.metadata.ts | Validate URL protocol and restrict access to internal metadata endpoints to prevent SSRF. |
| Server Side Request Forgery | GET /api/file/aws | src/file/file.service.ts | Added URL validation to ensure only known cloud provider metadata URLs are processed, preventing SSRF attacks. |
| Unvalidated Redirect | GET /api/goto | src/app.controller.ts | Validate redirect URLs against an allowlist to prevent unvalidated redirects. |
| Server Side Request Forgery | GET /api/file/digital_ocean | src/file/file.service.ts | Added hostname validation to ensure URLs match expected cloud provider metadata endpoints. |
| Server Side Request Forgery | GET /api/file/google | src/file/file.service.ts | Add URL validation to ensure only known cloud provider metadata URLs are accessed, preventing SSRF attacks. |
| XPATH Injection | GET /api/partners/searchPartners | src/partners/partners.controller.ts, src/partners/partners.service.ts | Added input validation to prevent XPath injection by checking for forbidden patterns in user input before processing XPath queries. |
| [BL] Business Constraint Bypass | GET /api/products/latest | src/products/products.controller.ts | Limit the number of products returned by the 'getLatestProducts' endpoint to a maximum of 10 to prevent business constraint bypass. |
| [BL] ID Enumeration | GET /api/users/id/1 | src/users/users.controller.ts | Added authorization check to ensure users can only access their own information by verifying the email from the JWT token. |
| Server Side Template Injection | POST /api/render | src/app.controller.ts | Escaped user input in the renderTemplate method to prevent Server Side Template Injection. |
| Broken JWT Authentication | POST /api/testimonials | src/auth/jwt/jwt.token.processor.ts | The JWT parsing logic now rejects tokens with the 'none' algorithm to prevent bypassing authentication. |
| XML External Entity (XXE) | POST /api/metadata | src/app.controller.ts | The XML parser configuration is updated to disable external entity expansion and DTD validation, mitigating the XXE vulnerability. |
| GraphQL Introspection | POST /graphql | src/app.module.ts | Disabled GraphQL introspection and GraphiQL interface to prevent schema exposure. |
| SQL Injection | POST /graphql | src/products/products.resolver.ts, src/products/products.service.ts | Replaced dynamic SQL query construction with parameterized queries to prevent SQL injection. |
| GraphQL Introspection | POST /graphql | src/main.ts | Disable GraphQL introspection in production by setting the appropriate configuration in the main application bootstrap file. |

Last updated: 2025-08-25 16:11:49.709
