@bram-star-app bram-star-app bot commented Aug 27, 2025

> [!NOTE]
> Fixed 18 of 19 vulnerabilities.
> Please review the fixes before merging.

| Vulnerability | Endpoint | Affected Files | Resolution |
|---|---|---|---|
| Broken JWT Authentication | GET /api/auth/jwt/rsa/signature/validate | src/auth/jwt/jwt.token.with.rsa.signature.keys.processor.ts | Enforce RS256 algorithm during JWT validation to prevent None algorithm attacks. |
| Broken JWT Authentication | DELETE /api/users/one/1/photo | src/auth/auth.service.ts | The fix enforces JWT validation by rejecting tokens with the 'none' algorithm, ensuring only secure algorithms are used. |
| Server Side Request Forgery | GET /api/file/aws | src/file/file.service.ts | Implement host validation to restrict server-side requests to a whitelist of allowed hosts. |
| Server Side Request Forgery | GET /api/file/azure | src/file/file.service.ts | Restrict server-side requests to a whitelist of allowed hosts to prevent SSRF attacks. |
| Full Path Disclosure | GET /api/file | src/file/file.controller.ts | Implemented generic error messages for file operations to prevent full path disclosure. |
| Unvalidated Redirect | GET /api/goto | src/app.controller.ts | Validate redirect URLs against an allowlist to prevent unvalidated redirects. |
| Server Side Request Forgery | GET /api/file/digital_ocean | src/file/file.service.ts | Restrict allowed hosts for server-side requests to prevent unauthorized access. |
| Server Side Request Forgery | GET /api/file/google | src/file/file.service.ts | Added validation to ensure that only allowed hosts and paths are accessed, preventing unauthorized server-side requests. |
| XPATH Injection | GET /api/partners/searchPartners | src/partners/partners.service.ts | Sanitize XPath expressions to prevent injection by allowing only safe characters. |
| Secret Tokens Leak | GET /api/secrets | src/app.controller.ts | Removed the direct exposure of secret tokens by throwing an exception when accessing the secrets endpoint. |
| [BL] ID Enumeration | GET /api/users/id/1 | src/users/users.service.ts, src/users/users.controller.ts | Added authorization checks to ensure users can only access their own data by verifying the requesting user's identity against the requested user ID. |
| Server Side Template Injection | POST /api/render | src/app.controller.ts | Escape user input before rendering to prevent Server Side Template Injection. |
| GraphQL Introspection | POST /graphql | src/app.module.ts | Disabled GraphQL introspection and GraphiQL interface to prevent schema exposure. |
| Database Error Message Disclosure | POST /graphql | src/testimonials/testimonials.service.ts | Replace detailed database error messages with a generic error message to prevent information leakage. |
| Broken JWT Authentication | POST /api/testimonials | src/auth/auth.service.ts | The JWT validation now explicitly rejects tokens with the 'none' algorithm, ensuring only secure algorithms are accepted. |
| Local File Inclusion | GET /api/file | src/file/file.service.ts | Normalize file paths to prevent directory traversal and ensure paths are within allowed directories. |
| Server Side Request Forgery | GET /api/file | src/file/file.service.ts | The fix ensures that only requests to explicitly allowed hosts are processed, preventing unauthorized access to internal resources. |
| GraphQL Introspection | POST /graphql | src/app.module.ts | Disabled GraphQL introspection by adding a validation rule to block introspection queries. |
**Workflow execution details**

- Repository Analysis: TypeScript, NestJS
- Entrypoints Discovery: 71 entrypoints
- Attack Vectors Identification
- E2E Security Tests Generation: 71 test files created
- E2E Security Tests Execution: Found 19 vulnerabilities.
- Cleanup Irrelevant Test Files: 55 files removed.
- Applying Security Fixes: Generated 19 security fixes.
- E2E Security Tests Execution: Found 4 vulnerabilities.
- Cleanup Irrelevant Test Files: 13 files removed.
- Applying Security Fixes: Generated 4 security fixes.
- E2E Security Tests Execution: Found 1 vulnerability.
- Cleanup Irrelevant Test Files: 2 files removed.
- Applying Security Fixes: Generated 1 security fix.
- E2E Security Tests Execution: Found 1 vulnerability.
- Cleanup Irrelevant Test Files: 0 files removed.
- Applying Security Fixes: Generated 1 security fix.
- E2E Security Tests Execution: Found 1 vulnerability.
- Cleanup Irrelevant Test Files: 0 files removed.
- Applying Security Fixes: Generated 1 security fix.
- E2E Security Tests Execution: Found 1 vulnerability.
- Workflow Wrap-Up
