
Conversation

@bram-star-app bram-star-app bot commented Sep 3, 2025

Note

Fixed 18 of 19 vulnerabilities.
Please review the fixes before merging.

| Vulnerability | Endpoint | Affected Files | Resolution |
|---|---|---|---|
| Full Path Disclosure | `GET /api/auth/jwt/kid-sql/validate` | `src/auth/auth.guard.ts` | Removed full path disclosure from error responses in the AuthGuard to prevent exposure of sensitive information. |
| Server Side Request Forgery | `GET /api/file/aws` | `src/file/file.service.ts` | Added hostname validation to restrict server-side requests to a whitelist of allowed hosts, preventing unauthorized access. |
| Server Side Request Forgery | `GET /api/file/azure` | `src/file/file.service.ts` | Restrict server-side requests to a whitelist of allowed hosts to prevent unauthorized access. |
| Server Side Request Forgery | `GET /api/file/digital_ocean` | `src/file/file.service.ts` | Restrict server-side requests to a whitelist of allowed hosts to prevent SSRF attacks. |
| Server Side Request Forgery | `GET /api/file/google` | `src/file/cloud.providers.metadata.ts` | Restrict server-side requests to known safe URLs by throwing an error for unrecognized URLs. |
| Unvalidated Redirect | `GET /api/goto` | `src/app.controller.ts` | Validate redirect URLs against an allowlist to prevent unvalidated redirects. |
| Server Side Request Forgery | `GET /api/file` | `src/file/file.service.ts` | Restrict server-side requests to a whitelist of allowed hosts to prevent SSRF attacks. |
| Local File Inclusion | `GET /api/file` | `src/file/file.service.ts` | Added path validation to prevent directory traversal by ensuring file paths are within a specific allowed directory. |
| Full Path Disclosure | `GET /api/file` | `src/file/file.controller.ts` | Implemented generic error messages for file operations to prevent full path disclosure. |
| Secret Tokens Leak | `GET /api/secrets` | `src/app.controller.ts` | Replaced hardcoded secret tokens with environment variables to prevent leaks. |
| [BL] ID Enumeration | `GET /api/users/id/1` | `src/users/users.controller.ts` | Added authorization check to ensure users can only access their own data by verifying the email from the JWT token. |
| Server Side Template Injection | `POST /api/render` | `src/app.controller.ts` | Escape user input before rendering to prevent Server Side Template Injection. |
| Broken JWT Authentication | `POST /api/testimonials` | `src/auth/jwt/jwt.token.processor.ts` | The fix enforces the rejection of JWTs using the 'none' algorithm, preventing unauthenticated access. |
| GraphQL Introspection | `POST /graphql` | `src/main.ts` | Disabled GraphQL introspection in production environment to prevent schema exposure. |
| SQL Injection | `POST /graphql` | `src/products/products.resolver.ts`, `src/products/products.service.ts` | Replaced dynamic SQL query construction with parameterized queries to prevent SQL injection. |
| Broken JWT Authentication | `GET /api/auth/jwt/rsa/signature/validate` | `src/auth/jwt/jwt.token.with.rsa.signature.keys.processor.ts` | The fix enforces the use of the RS256 algorithm by checking the JWT header before verification, preventing the use of 'None' or any other algorithm. |
| XPATH Injection | `GET /api/partners/searchPartners` | `src/partners/partners.controller.ts`, `src/partners/partners.service.ts` | Sanitize user input by escaping single quotes to prevent XPath injection in the searchPartners method. |
| GraphQL Introspection | `POST /graphql` | `src/app.module.ts`, `src/app.resolver.ts` | Disabled GraphQL introspection and added command validation to prevent unauthorized schema access and command execution. |
Workflow execution details
  • Repository Analysis: TypeScript, NestJS
  • Entrypoints Discovery: 76 entrypoints
  • Attack Vectors Identification
  • E2E Security Tests Generation: 76 test files created
  • E2E Security Tests Execution: Found 19 vulnerabilities.
  • Cleanup Irrelevant Test Files: 60 files removed.
  • Applying Security Fixes: Generated 19 security fixes.
  • E2E Security Tests Execution: Found 4 vulnerabilities.
  • Cleanup Irrelevant Test Files: 12 files removed.
  • Applying Security Fixes: Generated 4 security fixes.
  • E2E Security Tests Execution: Found 2 vulnerabilities.
  • Cleanup Irrelevant Test Files: 2 files removed.
  • Applying Security Fixes: Generated 2 security fixes.
  • E2E Security Tests Execution: Found 2 vulnerabilities.
  • Cleanup Irrelevant Test Files: 0 files removed.
  • Applying Security Fixes: Generated 2 security fixes.
  • E2E Security Tests Execution: Found 1 vulnerability.
  • Cleanup Irrelevant Test Files: 1 file removed.
  • Applying Security Fixes: Generated 1 security fixes.
  • Workflow Wrap-Up
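The SSRF, Unvalidated Redirect and Local File Inclusion rows in the bot's table all come down to one control: an attacker-supplied locator (URL, redirect target, file name) is checked against an explicit allowlist or root before it is used. The TypeScript below is an added example written for this page, not code from the PR or from the repository's `file.service.ts` or `app.controller.ts`; the host set, redirect origins, `SELF_ORIGIN`, `FILE_ROOT` and the function names are assumptions made for illustration. It puts the three checks side by side, with comments on the inputs each one exists to reject.

```typescript
import { URL } from 'node:url';
import * as path from 'node:path';

// Allowlists and root directory are constructed for this example; a real
// service loads them from configuration, never from the request.
export const ALLOWED_UPSTREAM_HOSTS = new Set(['files.example.com', 'storage.example.net']);
export const ALLOWED_REDIRECT_ORIGINS = new Set(['https://app.example.com', 'https://docs.example.com']);
export const SELF_ORIGIN = 'https://app.example.com';
export const FILE_ROOT = '/srv/app/files';

function parseUrl(raw: string, base?: string): URL | null {
  try {
    return new URL(raw, base);
  } catch {
    return null; // malformed, or relative without a base
  }
}

/**
 * SSRF guard for the /api/file/* proxies. Accepts a URL only if it parses as
 * absolute https, carries no userinfo or explicit port, and its hostname is an
 * exact allowlist entry. Suffix or substring matching is deliberately avoided:
 * it would admit "files.example.com.evil.net" or "evil.net/?u=files.example.com".
 */
export function isAllowedUpstream(raw: string, allowed: Set<string> = ALLOWED_UPSTREAM_HOSTS): boolean {
  const u = parseUrl(raw);
  if (u === null) return false;
  if (u.protocol !== 'https:') return false;                // no file:, gopher:, or plain http to metadata IPs
  if (u.username !== '' || u.password !== '') return false; // "https://files.example.com@evil.net/"
  if (u.port !== '') return false;                          // pin to the default port
  return allowed.has(u.hostname.toLowerCase());
}

/**
 * Open-redirect guard for /api/goto. The target is resolved against our own
 * origin so that "/dashboard" becomes an on-site absolute URL, and the
 * resulting origin (scheme + host + port) must be allowlisted. Returns the
 * normalised URL for the Location header, or null so the caller falls back to "/".
 */
export function safeRedirectTarget(raw: string, allowed: Set<string> = ALLOWED_REDIRECT_ORIGINS): string | null {
  const u = parseUrl(raw, SELF_ORIGIN);
  if (u === null) return null;
  if (u.protocol !== 'https:') return null;                 // drops javascript:, data:, http:
  if (!allowed.has(u.origin)) return null;                  // "//evil.net/x" resolves to https://evil.net/x and fails here
  return u.href;
}

/**
 * LFI guard for /api/file. The requested name is resolved under FILE_ROOT and
 * anything that lands outside it is refused. path.posix keeps the check
 * platform-independent. The comparison is lexical: if FILE_ROOT may contain
 * symlinks, realpath the result and run the same prefix check again.
 */
export function resolveWithinRoot(requested: string, root: string = FILE_ROOT): string | null {
  if (requested.includes('\0')) return null;                // NUL would truncate the name in native layers
  const rootWithSep = root.endsWith('/') ? root : `${root}/`;
  const resolved = path.posix.resolve(root, requested);     // collapses "..", an absolute input replaces root
  return resolved.startsWith(rootWithSep) ? resolved : null;
}
```

Two caveats that a hostname allowlist on its own does not cover: the HTTP client used for the proxy must not follow redirects (an allowed host can 302 to an internal address), and the name still has to resolve to the address you expect at fetch time, so the connection should be made by a client that validates the resolved address or the fetch should be proxied through an egress that does.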

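The two Broken JWT Authentication rows describe the same principle from two sides: the `alg` field of a JWT header is chosen by whoever built the token, so a verifier must pin the algorithm it expects and reject the header when it says anything else, rather than let the header select the signature routine. The TypeScript below is an added example written for this page, not the repository's `jwt.token.processor.ts` or its RSA counterpart; it uses only Node's `crypto` module, and the key pair, claims and function names are constructed for illustration. It mints a genuine RS256 token, then shows that the pinned verifier rejects `alg: none`, an HS256 token signed with the public key (key confusion), and a tampered payload.

```typescript
import * as crypto from 'node:crypto';

// base64url helpers written out so the example does not depend on a
// particular Node version's Buffer encodings.
function b64url(data: Buffer): string {
  return data.toString('base64').replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}
function fromB64url(s: string): Buffer {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}
function encodeSegment(obj: object): string {
  return b64url(Buffer.from(JSON.stringify(obj), 'utf8'));
}

/** Mint a genuine RS256 token with the server's private key. */
export function signRs256(claims: object, privateKey: crypto.KeyObject): string {
  const input = `${encodeSegment({ alg: 'RS256', typ: 'JWT' })}.${encodeSegment(claims)}`;
  const sig = crypto.sign('sha256', Buffer.from(input, 'utf8'), privateKey);
  return `${input}.${b64url(sig)}`;
}

/** Attack 1: "alg": "none" with an empty signature. */
export function forgeNoneToken(claims: object): string {
  return `${encodeSegment({ alg: 'none', typ: 'JWT' })}.${encodeSegment(claims)}.`;
}

/**
 * Attack 2: algorithm confusion. The attacker switches the header to HS256 and
 * signs with the server's public key PEM as the HMAC secret; a verifier that
 * trusts the header and hands its RSA key to the HMAC routine would accept it.
 */
export function forgeConfusedToken(claims: object, publicKey: crypto.KeyObject): string {
  const input = `${encodeSegment({ alg: 'HS256', typ: 'JWT' })}.${encodeSegment(claims)}`;
  const secret = publicKey.export({ type: 'spki', format: 'pem' }) as string;
  const sig = crypto.createHmac('sha256', secret).update(input).digest();
  return `${input}.${b64url(sig)}`;
}

/**
 * Verifier that pins the algorithm. The header is attacker-controlled, so it
 * may only confirm what we already expect (RS256); anything else is rejected
 * before any signature routine runs. Returns the claims, or null on rejection.
 */
export function verifyRs256(token: string, publicKey: crypto.KeyObject): Record<string, unknown> | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [h, p, s] = parts;

  let header: unknown;
  try {
    header = JSON.parse(fromB64url(h).toString('utf8'));
  } catch {
    return null;
  }
  if (typeof header !== 'object' || header === null) return null;
  if ((header as { alg?: unknown }).alg !== 'RS256') return null;

  let ok = false;
  try {
    ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`, 'utf8'), publicKey, fromB64url(s));
  } catch {
    ok = false; // malformed signature bytes are a rejection, not a crash
  }
  if (!ok) return null;

  try {
    const claims: unknown = JSON.parse(fromB64url(p).toString('utf8'));
    return typeof claims === 'object' && claims !== null ? (claims as Record<string, unknown>) : null;
  } catch {
    return null;
  }
}

/** Exercise the verifier against a genuine token and three forgeries. */
export function demo(): { genuine: boolean; none: boolean; confused: boolean; tampered: boolean } {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const claims = { sub: 'alice', role: 'user' };            // constructed claims
  const forged = { sub: 'alice', role: 'admin' };
  const genuine = signRs256(claims, privateKey);
  const [h, , s] = genuine.split('.');
  const tampered = `${h}.${encodeSegment(forged)}.${s}`;    // valid header and signature, edited payload
  return {
    genuine: verifyRs256(genuine, publicKey)?.sub === 'alice',
    none: verifyRs256(forgeNoneToken(forged), publicKey) !== null,
    confused: verifyRs256(forgeConfusedToken(forged, publicKey), publicKey) !== null,
    tampered: verifyRs256(tampered, publicKey) !== null,
  };
}
```

With a JWT library the equivalent of the header check is passing the single expected algorithm in the verify call's `algorithms` option and keeping separate verify paths for HMAC and RSA keys; a verifier that accepts a list containing both HS256 and RS256 with one key parameter is the configuration the key-confusion token above targets.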
@bramkor force-pushed the bright/ac3c87a6-ae93-4c1e-8d00-c9e898769406 branch 17 times, most recently from 4c5eeea to 79a916a on September 4, 2025 12:13