
Conversation

@bram-star-app bram-star-app bot commented Sep 4, 2025

Note

Fixed 16 of 19 vulnerabilities.
Please review the fixes before merging.

| Vulnerability | Endpoint | Affected Files | Resolution |
| --- | --- | --- | --- |
| Full Path Disclosure | GET /api/auth/jwt/kid-sql/validate | src/auth/auth.guard.ts | Removed file path information from error responses to prevent full path disclosure. |
| Server Side Request Forgery | GET /api/file/aws | src/file/file.service.ts | Implement hostname validation for URLs to prevent unauthorized access to internal resources. |
| Server Side Request Forgery | GET /api/file/digital_ocean | src/file/cloud.providers.metadata.ts | Restrict server-side requests to only known and trusted cloud provider metadata URLs, preventing unauthorized access. |
| Server Side Request Forgery | GET /api/file/azure | src/file/file.service.ts | Restrict access to internal IPs by removing '169.254.169.254' from allowed hosts. |
| Local File Inclusion | GET /api/file | src/file/file.service.ts | Added path validation to prevent directory traversal, ensuring file paths are within a specific directory. |
| Full Path Disclosure | GET /api/file | src/file/file.controller.ts | Implemented generic error messages for file loading errors to prevent full path disclosure. |
| XPATH Injection | GET /api/partners/searchPartners | src/partners/partners.controller.ts, src/partners/partners.service.ts | Input validation is added to prevent XPath injection by checking for forbidden patterns and allowing only alphanumeric characters in user inputs. |
| Secret Tokens Leak | GET /api/secrets | src/app.controller.ts | Refactor the getSecrets method to retrieve secrets from a secure storage or environment variables instead of hardcoding them in the source code. |
| [BL] ID Enumeration | GET /api/users/id/1 | src/users/users.controller.ts | Added authorization check to ensure users can only access their own data by verifying the email from the JWT matches the requested user ID. |
| Server Side Template Injection | POST /api/render | src/app.controller.ts | Escape user input before rendering templates to prevent Server Side Template Injection. |
| Server Side Request Forgery | GET /api/file/google | src/file/file.service.ts | Restrict server-side requests to a whitelist of trusted hosts to prevent SSRF attacks. |
| Server Side Request Forgery | GET /api/file | src/file/file.service.ts, src/file/cloud.providers.metadata.ts | The fix now blocks access to cloud metadata URLs by throwing an error if such URLs are detected, preventing SSRF exploitation. |
| Broken JWT Authentication | POST /api/testimonials | src/auth/auth.service.ts | Added a check to disallow JWT tokens with the 'none' algorithm in the AuthService's validateToken method. |
| GraphQL Introspection | POST /graphql | src/app.module.ts | Disabled GraphiQL UI to prevent introspection queries through the interface. |
| SQL Injection | POST /graphql | src/products/products.resolver.ts, src/products/products.service.ts | The SQL injection vulnerability is fixed by using parameterized queries in the updateProduct method to prevent direct insertion of user input into SQL statements. |
| Broken JWT Authentication | GET /api/auth/jwt/rsa/signature/validate | src/auth/jwt/jwt.token.with.rsa.signature.keys.processor.ts | Ensure JWT tokens are not using the 'none' algorithm by checking the header before validation. |

Workflow execution details
  • Repository Analysis: TypeScript, NestJS
  • Entrypoints Discovery: 74 entrypoints
  • Attack Vectors Identification
  • E2E Security Tests Generation: 74 test files created
  • E2E Security Tests Execution: Found 19 vulnerabilities.
  • Cleanup Irrelevant Test Files: 57 files removed.
  • Applying Security Fixes: Generated 19 security fixes.
  • E2E Security Tests Execution: Found 9 vulnerabilities.
  • Cleanup Irrelevant Test Files: 8 files removed.
  • Applying Security Fixes: Generated 9 security fixes.
  • E2E Security Tests Execution: Found 4 vulnerabilities.
  • Cleanup Irrelevant Test Files: 5 files removed.
  • Applying Security Fixes: Generated 4 security fixes.
  • E2E Security Tests Execution: Found 3 vulnerabilities.
  • Cleanup Irrelevant Test Files: 1 file removed.
  • Applying Security Fixes: Generated 3 security fixes.
  • E2E Security Tests Execution: Found 3 vulnerabilities.
  • Cleanup Irrelevant Test Files: 0 files removed.
  • Applying Security Fixes: Generated 3 security fixes.
  • Workflow Wrap-Up

bramkor force-pushed the bright/18082fd8-35d7-41c4-8115-837b6c70cc7b branch 23 times, most recently from f8d06fe to f3174e5, on September 8, 2025 17:15.
bramkor force-pushed the bright/18082fd8-35d7-41c4-8115-837b6c70cc7b branch 7 times, most recently from c466132 to f3174e5, on September 9, 2025 07:51.
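
The SSRF, Local File Inclusion and Broken JWT Authentication rows in the bot's table describe fixes to src/file/file.service.ts, src/file/cloud.providers.metadata.ts and src/auth/auth.service.ts without showing any code. The TypeScript module below is an added illustration and is not code from this pull request or from the bramkor repository: it shows what a reviewer would expect those three fixes to contain, namely a hostname allowlist that also refuses literal IPs and cloud metadata endpoints, a base-directory containment check for user-supplied file paths, and a JWT header check that rejects the 'none' algorithm. ALLOWED_HOSTS, METADATA_HOSTS, the function names and the sample inputs in the comments are assumptions made for the example, not values taken from the project.

```typescript
// Added example, not code from this PR or the repository it targets.
// ALLOWED_HOSTS, METADATA_HOSTS and the function names are assumptions.
import * as path from "node:path";
import { isIP } from "node:net";
import { Buffer } from "node:buffer";

// Hypothetical allowlist of provider hosts the file service may fetch from.
// A hostname passes if it equals an entry or is a subdomain of one.
export const ALLOWED_HOSTS: readonly string[] = [
  "storage.googleapis.com",
  "s3.amazonaws.com",
  "blob.core.windows.net",
];

// Well-known instance-metadata endpoints; never a legitimate fetch target.
const METADATA_HOSTS: ReadonlySet<string> = new Set([
  "169.254.169.254",          // AWS / Azure / GCP / DigitalOcean (IPv4)
  "fd00:ec2::254",            // AWS IMDS over IPv6
  "169.254.170.2",            // AWS ECS task metadata
  "metadata.google.internal", // GCP
  "100.100.100.200",          // Alibaba Cloud
]);

function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

// SSRF guard: only http(s), never credentials in the URL, never a literal IP
// (the WHATWG parser normalises 2852039166 and 0xa9fea9fe to 169.254.169.254,
// which isIP then catches) and never a metadata hostname; then the allowlist.
export function isAllowedOutboundUrl(raw: string): boolean {
  const url = parseUrl(raw);
  if (url === null) return false;
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  if (url.username !== "" || url.password !== "") return false;
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (METADATA_HOSTS.has(host)) return false;
  if (isIP(host) !== 0) return false;
  return ALLOWED_HOSTS.some((h) => host === h || host.endsWith("." + h));
}

// LFI guard: resolve the user path against baseDir and accept it only if the
// result is baseDir itself or lies strictly beneath it. Absolute paths and
// ".." sequences that escape the base both come back as null. Call it on the
// already URL-decoded value; if the directory may contain symlinks, realpath
// the result before opening it.
export function resolveInsideBase(baseDir: string, userPath: string): string | null {
  if (userPath.includes("\0")) return null; // NUL truncates paths in libc
  const base = path.resolve(baseDir);
  const target = path.resolve(base, userPath);
  if (target === base || target.startsWith(base + path.sep)) return target;
  return null;
}

// Read "alg" from a compact JWT header without verifying anything.
export function jwtHeaderAlg(token: string): string | null {
  const header = token.split(".")[0];
  if (!header) return null;
  try {
    const parsed: unknown = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
    const alg = (parsed as { alg?: unknown }).alg;
    return typeof alg === "string" ? alg : null;
  } catch {
    return null;
  }
}

// Broken-JWT guard: the header must name exactly the algorithm the verifier
// is configured for. This rejects "none" in any casing and also algorithm
// confusion such as presenting an HS256 token to an RS256 verifier.
export function isAcceptableAlg(token: string, expectedAlg: string): boolean {
  const alg = jwtHeaderAlg(token);
  return alg !== null && alg.toLowerCase() !== "none" && alg === expectedAlg;
}
```

The suffix match in isAllowedOutboundUrl trusts every subdomain of an allowlisted zone, which is what bucket-style hostnames such as a user bucket under s3.amazonaws.com need; tighten it to exact matches if the service only ever talks to a fixed set of hosts. The hostname check runs before any DNS resolution, so a name that resolves to 169.254.169.254 would still pass; pinning the resolved address at connect time is the remaining step for a production fix.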