ci: integrate Bright CI pipeline for security testing and remediation

[bram-star-app]

Note

Fixed 14 of 19 vulnerabilities.
Please review the fixes before merging.

Vulnerability	Endpoint	Affected Files	Resolution
Server Side Request Forgery	GET /api/file/aws	src/file/file.service.ts	Added URL validation and host whitelisting to prevent SSRF attacks.
Server Side Request Forgery	GET /api/file/azure	src/file/file.service.ts	Added validation to block requests to local network IP addresses, preventing unauthorized access to internal resources.
Server Side Request Forgery	GET /api/file/google	src/file/file.service.ts	Added validation to restrict non-standard ports in URLs to prevent SSRF attacks.
Server Side Request Forgery	GET /api/file/digital_ocean	src/file/cloud.providers.metadata.ts	Restrict server-side requests to only allow specific, pre-defined cloud provider metadata URLs, preventing unauthorized access.
Server Side Request Forgery	GET /api/file	src/file/file.service.ts	Added validation to restrict URL access to a whitelist of allowed hosts and prevent access to local network resources and non-standard ports.
Local File Inclusion	GET /api/file	src/file/file.service.ts	Restrict file access to a specific directory using path validation to prevent Local File Inclusion.
Full Path Disclosure	GET /api/file	src/file/file.service.ts, src/file/file.controller.ts	Implemented generic error messages for file access errors to prevent full path disclosure.
XPATH Injection	GET /api/partners/searchPartners	src/partners/partners.controller.ts, src/partners/partners.service.ts	Sanitize user input before using it in XPath queries to prevent injection attacks.
Secret Tokens Leak	GET /api/secrets	src/app.controller.ts	Replaced hardcoded secret tokens with environment variables to prevent leaks.
[BL] ID Enumeration	GET /api/users/id/1	src/users/users.controller.ts	Added authorization check to ensure users can only access their own data by verifying the requester's identity against the requested user ID.
Server Side Template Injection	POST /api/render	src/app.controller.ts	Escape user input before rendering templates to prevent Server Side Template Injection.
GraphQL Introspection	POST /graphql		Introspection is already disabled in the GraphQL configuration, so no further changes are needed.
SQL Injection	POST /graphql	src/products/products.resolver.ts, src/products/products.service.ts	Replaced dynamic SQL query construction with parameterized queries to prevent SQL injection.
[BL] Prompt Injection	POST /api/chat/query	src/chat/chat.controller.ts	Sanitize user input in ChatController to prevent prompt injection attacks.

Workflow execution details

• ✅ Repository Analysis: TypeScript, NestJS
• ✅ Entrypoints Discovery: 55 entrypoints
• ✅ Attack Vectors Identification
• ✅ E2E Security Tests Generation: 55 test files created
• ✅ E2E Security Tests Execution: Found 19 vulnerabilities.
• ✅ Cleanup Irrelevant Test Files: 39 files removed.
• ✅ Applying Security Fixes: Generated 19 security fixes.
• ✅ E2E Security Tests Execution: Found 5 vulnerabilities.
• ✅ Cleanup Irrelevant Test Files: 11 files removed.
• ✅ Applying Security Fixes: Generated 5 security fixes.
• ✅ E2E Security Tests Execution: Found 5 vulnerabilities.
• ✅ Cleanup Irrelevant Test Files: 0 files removed.
• ✅ Applying Security Fixes: Generated 5 security fixes.
• ✅ E2E Security Tests Execution: Found 5 vulnerabilities.
• ✅ Cleanup Irrelevant Test Files: 0 files removed.
• ✅ Applying Security Fixes: Generated 5 security fixes.
• ✅ E2E Security Tests Execution: Found 5 vulnerabilities.
• ✅ Cleanup Irrelevant Test Files: 0 files removed.
• ✅ Applying Security Fixes: Generated 5 security fixes.
• ✅ E2E Security Tests Execution: Found 5 vulnerabilities.
• ✅ Workflow Wrap-Up