@bram-star-app bram-star-app bot commented Sep 4, 2025

Note

Fixed 16 of 18 vulnerabilities.
Please review the fixes before merging.

| Vulnerability | Endpoint | Affected Files | Resolution |
|---|---|---|---|
| Server Side Request Forgery | GET /api/file/aws | src/file/file.service.ts | Added URL validation and host whitelisting to prevent SSRF attacks by ensuring only requests to allowed hosts are processed. |
| Server Side Request Forgery | GET /api/file/azure | src/file/file.service.ts | Added validation for allowed URL paths to prevent unauthorized access to internal resources. |
| Server Side Request Forgery | GET /api/file/digital_ocean | src/file/file.service.ts | Restrict server-side requests to a whitelist of allowed hosts and paths to prevent SSRF attacks. |
| Local File Inclusion | GET /api/file | src/file/file.service.ts | Implemented path validation to ensure file paths are within the allowed directory, preventing unauthorized file access. |
| Server Side Request Forgery | GET /api/file | src/file/file.service.ts | Implemented URL validation with a whitelist of allowed hosts and paths to prevent unauthorized server-side requests. |
| Full Path Disclosure | GET /api/file | src/file/file.controller.ts | Implemented generic error messages for file operations to prevent full path disclosure. |
| Server Side Request Forgery | GET /api/file/google | src/file/cloud.providers.metadata.ts, src/file/file.service.ts | Implemented URL validation to restrict access to only allowed hosts and paths, preventing unauthorized server-side requests. |
| Unvalidated Redirect | GET /api/goto | src/app.controller.ts | Implemented URL validation with an allowlist to prevent unvalidated redirects. |
| Secret Tokens Leak | GET /api/secrets | src/app.service.ts, src/app.controller.ts | Secret tokens are now retrieved from environment variables using ConfigService, ensuring they are not hardcoded in the source code. |
| [BL] ID Enumeration | GET /api/users/id/1 | src/users/users.controller.ts | Added authorization check to ensure users can only access their own information by verifying the email from the JWT token. |
| Server Side Template Injection | POST /api/render | src/app.controller.ts | Escape user input before rendering templates to prevent Server Side Template Injection. |
| Database Error Message Disclosure | POST /graphql | src/testimonials/testimonials.service.ts | Replaced detailed error messages with a generic error message to prevent information leakage. |
| GraphQL Introspection | POST /graphql | src/app.module.ts | Disabled GraphQL introspection in the server configuration to prevent schema exposure. |
| XPATH Injection | GET /api/partners/searchPartners | src/partners/partners.controller.ts, src/partners/partners.service.ts | Escaped single quotes in user input to prevent XPath injection in searchPartners method. |
| Broken JWT Authentication | POST /api/testimonials | src/auth/auth.service.ts | The fix ensures that JWT tokens with the 'none' algorithm are rejected during validation, preventing unauthorized access. |
| GraphQL Introspection | POST /graphql | src/app.module.ts | Disabled GraphQL introspection and GraphiQL, and added error formatting to prevent information leakage. |

Workflow execution details
  • Repository Analysis: TypeScript, NestJS
  • Entrypoints Discovery: 71 entrypoints
  • Attack Vectors Identification
  • E2E Security Tests Generation: 71 test files created
  • E2E Security Tests Execution: Found 18 vulnerabilities.
  • Cleanup Irrelevant Test Files: 56 files removed.
  • Applying Security Fixes: Generated 18 security fixes.
  • E2E Security Tests Execution: Found 5 vulnerabilities.
  • Cleanup Irrelevant Test Files: 10 files removed.
  • Applying Security Fixes: Generated 5 security fixes.
  • E2E Security Tests Execution: Found 2 vulnerabilities.
  • Cleanup Irrelevant Test Files: 3 files removed.
  • Applying Security Fixes: Generated 2 security fixes.
  • E2E Security Tests Execution: Found 2 vulnerabilities.
  • Cleanup Irrelevant Test Files: 0 files removed.
  • Applying Security Fixes: Generated 2 security fixes.
  • E2E Security Tests Execution: Found 2 vulnerabilities.
  • Cleanup Irrelevant Test Files: 0 files removed.
  • Applying Security Fixes: Generated 2 security fixes.
  • Workflow Wrap-Up
