@bram-star-app bram-star-app bot commented Sep 4, 2025

Note

Fixed 17 of 19 vulnerabilities.
Please review the fixes before merging.

| Vulnerability | Endpoint | Affected Files | Resolution |
| --- | --- | --- | --- |
| Server Side Request Forgery | GET /api/file/azure | src/file/cloud.providers.metadata.ts | Validate URL protocol to prevent SSRF by ensuring only HTTP/HTTPS protocols are allowed. |
| Server Side Request Forgery | GET /api/file/aws | src/file/cloud.providers.metadata.ts | Added URL validation to ensure only requests to known cloud provider metadata URLs are allowed, preventing SSRF attacks. |
| Server Side Request Forgery | GET /api/file/digital_ocean | src/file/cloud.providers.metadata.ts | Added path validation to ensure requests are within allowed metadata paths, preventing unauthorized access. |
| Server Side Request Forgery | GET /api/file/google | src/file/cloud.providers.metadata.ts | Implement URL validation and path restriction to prevent unauthorized access to internal resources. |
| Server Side Request Forgery | GET /api/file | src/file/cloud.providers.metadata.ts | Added validation to ensure URLs are only fetched if they match known cloud provider metadata URLs and paths. |
| Full Path Disclosure | GET /api/file | src/file/file.controller.ts, src/file/file.service.ts | Implemented error handling to prevent full path disclosure by returning generic error messages to the client while logging detailed errors on the server. |
| XPATH Injection | GET /api/partners/searchPartners | src/partners/partners.service.ts | Sanitize and validate XPath expressions to prevent injection attacks. |
| Secret Tokens Leak | GET /api/secrets | src/app.controller.ts | Replaced hardcoded secret tokens with environment variables to prevent leaks. |
| [BL] ID Enumeration | GET /api/users/id/1 | src/users/users.controller.ts | Added authorization check to ensure users can only access their own data by verifying the email from the JWT token. |
| Broken JWT Authentication | POST /api/testimonials | src/auth/jwt/jwt.token.processor.ts | The JWT parsing logic now throws an error if the 'none' algorithm is used, preventing insecure JWTs. |
| SQL Injection | POST /graphql | src/products/products.resolver.ts, src/products/products.service.ts | Replaced dynamic SQL query construction with parameterized queries to prevent SQL injection. |
| GraphQL Introspection | POST /graphql | src/app.module.ts | Disabled GraphQL introspection in the server configuration to prevent schema exposure. |
| Secret Tokens Leak | GET /api/config | src/app.service.ts | Sensitive information such as database credentials and API keys are now masked before being returned in the response. |
| Local File Inclusion | GET /api/file | src/file/file.controller.ts, src/file/file.service.ts | Implemented stricter path validation by rejecting paths starting with '/' to prevent absolute path access. |
| Unvalidated Redirect | GET /api/goto | src/app.controller.ts | The redirect method now validates the URL against an allowlist of hosts and returns a properly formatted URL object to prevent unvalidated redirects. |
| GraphQL Introspection | POST /graphql | src/app.module.ts | Disabled GraphQL introspection by adding a validation rule to block introspection queries. |
| Server Side Template Injection | POST /api/render | src/app.controller.ts | The fix involves disabling all template evaluation features in the dot template engine to prevent code execution. |
Workflow execution details
  • Repository Analysis: TypeScript, NestJS
  • Entrypoints Discovery: 68 entrypoints
  • Attack Vectors Identification
  • E2E Security Tests Generation: 68 test files created
  • E2E Security Tests Execution: Found 19 vulnerabilities.
  • Cleanup Irrelevant Test Files: 52 files removed.
  • Applying Security Fixes: Generated 19 security fixes.
  • E2E Security Tests Execution: Found 7 vulnerabilities.
  • Cleanup Irrelevant Test Files: 9 files removed.
  • Applying Security Fixes: Generated 7 security fixes.
  • E2E Security Tests Execution: Found 5 vulnerabilities.
  • Cleanup Irrelevant Test Files: 2 files removed.
  • Applying Security Fixes: Generated 5 security fixes.
  • E2E Security Tests Execution: Found 3 vulnerabilities.
  • Cleanup Irrelevant Test Files: 2 files removed.
  • Applying Security Fixes: Generated 3 security fixes.
  • E2E Security Tests Execution: Found 2 vulnerabilities.
  • Cleanup Irrelevant Test Files: 1 file removed.
  • Applying Security Fixes: Generated 2 security fixes.
  • Workflow Wrap-Up
