Conversation

@bram-star-app bram-star-app bot commented Aug 26, 2025

Note

Fixed 14 of 16 vulnerabilities.
Please review the fixes before merging.

| Vulnerability | Endpoint | Affected Files | Resolution |
|---|---|---|---|
| Server Side Request Forgery | GET /api/file/aws | src/file/cloud.providers.metadata.ts | Added URL protocol validation to prevent SSRF by ensuring only HTTP/HTTPS protocols are allowed. |
| Server Side Request Forgery | GET /api/file/azure | src/file/cloud.providers.metadata.ts | Restrict server-side requests to known cloud provider metadata URLs to prevent SSRF attacks. |
| Server Side Request Forgery | GET /api/file | src/file/cloud.providers.metadata.ts | Restrict URL access to known cloud provider metadata paths and validate paths against allowed paths. |
| Local File Inclusion | GET /api/file | src/file/file.service.ts | Implemented an allowlist for file paths to restrict access to specific directories, preventing unauthorized file access. |
| Full Path Disclosure | GET /api/file | src/file/file.controller.ts | Implemented error handling to prevent full path disclosure by returning generic error messages to the client. |
| Unvalidated Redirect | GET /api/goto | src/app.controller.ts | Validate redirect URLs against an allowlist to prevent unvalidated redirects. |
| Server Side Request Forgery | GET /api/file/digital_ocean | src/file/cloud.providers.metadata.ts | Added path validation to ensure only allowed paths are accessed in cloud provider metadata requests. |
| Server Side Request Forgery | GET /api/file/google | src/file/cloud.providers.metadata.ts | Added validation to restrict URL paths to known cloud provider metadata paths, preventing unauthorized access. |
| Broken JWT Authentication | POST /api/testimonials | src/auth/jwt/jwt.token.processor.ts | Enforce JWT algorithm validation by rejecting tokens with 'none' algorithm. |
| GraphQL Introspection | POST /graphql | src/app.module.ts | Disabled GraphQL introspection and GraphiQL interface to prevent schema exposure. |
| SQL Injection | POST /graphql | src/products/products.resolver.ts, src/products/products.service.ts | Replaced dynamic SQL query construction with parameterized queries to prevent SQL injection. |
| Secret Tokens Leak | GET /api/config | src/app.service.ts | Redact sensitive information in the configuration response to prevent secret token leaks. |
| XPATH Injection | GET /api/partners/searchPartners | src/partners/partners.service.ts | Sanitize user input by removing potentially dangerous characters and patterns before using it in XPath queries to prevent injection attacks. |
| Broken JWT Authentication | GET /api/auth/jwt/rsa/signature/validate | src/auth/jwt/jwt.token.with.rsa.signature.keys.processor.ts | Ensure JWT tokens are validated with the correct algorithm by checking the token header for 'none' algorithm and enforcing 'RS256' for decoding. |
Workflow execution details
  • Repository Analysis: TypeScript, NestJS
  • Entrypoints Discovery: 66 entrypoints
  • Attack Vectors Identification
  • E2E Security Tests Generation: 66 test files created
  • E2E Security Tests Execution: Found 16 vulnerabilities.
  • Cleanup Irrelevant Test Files: 53 files removed.
  • Applying Security Fixes: Generated 16 security fixes.
  • E2E Security Tests Execution: Found 5 vulnerabilities.
  • Cleanup Irrelevant Test Files: 8 files removed.
  • Applying Security Fixes: Generated 5 security fixes.
  • E2E Security Tests Execution: Found 4 vulnerabilities.
  • Cleanup Irrelevant Test Files: 1 file removed.
  • Applying Security Fixes: Generated 4 security fixes.
  • E2E Security Tests Execution: Found 2 vulnerabilities.
  • Cleanup Irrelevant Test Files: 2 files removed.
  • Applying Security Fixes: Generated 2 security fixes.
  • E2E Security Tests Execution: Found 2 vulnerabilities.
  • Cleanup Irrelevant Test Files: 0 files removed.
  • Applying Security Fixes: Generated 2 security fixes.
  • E2E Security Tests Execution: Found 2 vulnerabilities.
  • Workflow Wrap-Up
