@bram-star-app bram-star-app bot commented Sep 3, 2025

Tip

Security analysis and remediation are in progress...

  • Repository Analysis: TypeScript, NestJS
  • Entrypoints Discovery: 56 entrypoints
  • Attack Vectors Identification
  • E2E Security Tests Generation: 56 test files created
  • E2E Security Tests Execution: Found 17 vulnerabilities.
  • Cleanup Irrelevant Test Files: 40 files removed.
  • Applying Security Fixes: Generated 17 security fixes.
  • E2E Security Tests Execution: Found 4 vulnerabilities.
  • Cleanup Irrelevant Test Files: 10 files removed.
  • Applying Security Fixes: Generated 4 security fixes.
  • E2E Security Tests Execution: Found 4 vulnerabilities.
  • Cleanup Irrelevant Test Files: 0 files removed.
  • Applying Security Fixes: Generated 4 security fixes.
  • E2E Security Tests Execution: Found 4 vulnerabilities.
  • Cleanup Irrelevant Test Files: 0 files removed.
  • Applying Security Fixes: Generated 4 security fixes.
  • E2E Security Tests Execution: Found 4 vulnerabilities.
  • Cleanup Irrelevant Test Files: 0 files removed.
  • 🔄 Applying Security Fixes: In progress…
  • Workflow Wrap-Up

Proposed 17 security fixes:

| Vulnerability | Endpoint | Affected Files | Resolution |
|---|---|---|---|
| Server Side Request Forgery | GET /api/file/aws | src/file/cloud.providers.metadata.ts | Added URL validation to ensure only requests to known metadata service hosts are allowed, preventing SSRF attacks. |
| Server Side Request Forgery | GET /api/file/azure | src/file/cloud.providers.metadata.ts | Added validation to ensure URLs are from trusted cloud metadata sources before making requests. |
| Server Side Request Forgery | GET /api/file | src/file/cloud.providers.metadata.ts | Added validation to ensure only requests to known cloud provider metadata URLs are allowed, preventing SSRF attacks. |
| Local File Inclusion | GET /api/file | src/file/file.service.ts | Implemented path validation to restrict file access to a specific directory, preventing unauthorized file inclusion. |
| Full Path Disclosure | GET /api/file | src/file/file.controller.ts | Replaced detailed error messages with generic ones to prevent full path disclosure. |
| Server Side Request Forgery | GET /api/file/google | src/file/file.service.ts | Added URL validation to ensure only specific hostnames and protocols are allowed, preventing SSRF attacks. |
| Server Side Request Forgery | GET /api/file/digital_ocean | src/file/file.service.ts | Implement URL validation to restrict access to only specific hostnames and protocols, preventing unauthorized requests. |
| XPATH Injection | GET /api/partners/searchPartners | src/partners/partners.service.ts | Sanitize user input used in XPath queries to prevent injection attacks by escaping special characters. |
| XPATH Injection | GET /api/partners/partnerLogin | src/partners/partners.controller.ts, src/partners/partners.service.ts | Escaped user inputs in XPath queries to prevent injection attacks by replacing single quotes with double single quotes. |
| Secret Tokens Leak | GET /api/secrets | src/app.controller.ts | Secret tokens are now retrieved from environment variables instead of being hardcoded in the source code. |
| Server Side Template Injection | POST /api/render | src/app.controller.ts | Escaped user input in the renderTemplate method to prevent Server Side Template Injection. |
| GraphQL Introspection | POST /graphql | src/main.ts | Disable GraphQL introspection by setting the introspection option to false in the GraphQL server configuration. |
| SQL Injection | POST /graphql | src/products/products.resolver.ts, src/products/products.service.ts | Replaced dynamic SQL query construction with parameterized queries to prevent SQL injection. |
| GraphQL Introspection | POST /graphql | src/main.ts | Disable GraphQL introspection in production by setting the appropriate configuration in the main application bootstrap file. |
| GraphQL Introspection | POST /graphql | src/app.module.ts | Disabled GraphQL introspection in the server configuration to prevent schema exposure. |
| [BL] Business Constraint Bypass | GET /api/products/latest | src/products/products.controller.ts, src/products/products.service.ts | Enforced a maximum limit on the number of products returned in the getLatestProducts method to prevent business constraint bypass. |
| Unvalidated Redirect | GET /api/goto | src/app.controller.ts | Implemented URL validation by checking against an allowlist of domains to prevent unvalidated redirects. |

Last updated: 2025-09-03 11:36:33.051
