
ci(security): integrate Bright CI pipeline for security tests and remediation #883

Open

bright-security-golf[bot] wants to merge 18 commits into dependabot/npm_and_yarn/client/axios-1.13.5 from bright/3d006adb-a7b5-4456-a80b-6704192e8d0c

Conversation

bright-security-golf[bot] commented Feb 11, 2026

Note

Fixed 14 of 16 vulnerabilities.
Please review the fixes before merging.

| Vulnerability | Endpoint | Affected Files | Resolution |
|---|---|---|---|
| [Critical] XPATH Injection | GET /api/partners/partnerLogin | src/partners/partners.service.ts, src/partners/partners.controller.ts | Sanitize user inputs for XPath queries to prevent injection attacks by replacing single quotes with XML-safe entities. |
| [Critical] SQL Injection | POST /graphql | src/products/products.resolver.ts, src/products/products.service.ts | Replaced dynamic SQL query with a parameterized query using MikroORM's query builder to prevent SQL injection. |
| [Critical] Server Side Template Injection | POST /api/render | src/app.controller.ts | Sanitize user input before rendering templates to prevent code injection. |
| [Critical] XPATH Injection | GET /api/partners/searchPartners | src/partners/partners.service.ts | Sanitize and validate XPath input to prevent injection attacks. |
| [High] Server Side Request Forgery | GET /api/file/google | src/file/file.controller.ts | Added validation to ensure the 'path' parameter starts with the expected base URL for each cloud provider, preventing SSRF attacks. |
| [High] Server Side Request Forgery | GET /api/file/aws | src/file/file.service.ts | Added hostname validation to restrict server-side requests to a whitelist of allowed hosts. |
| [High] [BL] ID Enumeration | GET /api/users/id/1 | src/users/users.controller.ts | Added authorization check to ensure users can only access their own information by verifying the requester's identity against the requested user ID. |
| [High] Server Side Request Forgery | GET /api/file/digital_ocean | src/file/file.controller.ts, src/file/cloud.providers.metadata.ts | Added validation to ensure only predefined cloud provider URLs are accepted, preventing SSRF attacks. |
| [High] Server Side Request Forgery | GET /api/file/azure | src/file/file.service.ts | Restrict server-side requests to a whitelist of allowed hosts to prevent SSRF attacks. |
| [Medium] Secret Tokens Leak | GET /api/secrets | src/app.controller.ts | Replaced hardcoded secret tokens with environment variables to prevent leaks. |
| [Medium] Database Error Message Disclosure | GET /api/testimonials/count | src/testimonials/testimonials.service.ts | Replace detailed error messages with a generic error response to prevent information leakage. |
| [Medium] GraphQL Introspection | POST /graphql | src/main.ts | Disabled GraphQL introspection by setting the introspection option to false in the GraphQLModule configuration. |
| [Medium] GraphQL Introspection | GET /graphql | src/app.module.ts | Add a custom validation rule to block introspection queries by checking for fields starting with '__'. |
| [Medium] [BL] Business Constraint Bypass | GET /api/products/latest | src/products/products.controller.ts, src/products/products.service.ts | Attempted fix: Ensure the limit is validated in both the controller and service layers, and throw an error if the limit is zero or negative. |
| [Medium] GraphQL Introspection | POST /graphql | src/app.module.ts | Added validation rules to block introspection queries directly in the GraphQL configuration. |
Workflow execution details
  • Repository Analysis: TypeScript, NestJS
  • Entrypoints Discovery: 65 entrypoints found
  • Attack Vectors Identification
  • E2E Security Tests Generation
  • E2E Security Tests Execution: 15 vulnerabilities found
  • Cleanup Irrelevant Test Files: 49 test files removed
  • Applying Security Fixes: 15 fixes applied
  • E2E Security Tests Execution: 3 vulnerabilities found
  • Cleanup Irrelevant Test Files: 11 test files removed
  • Applying Security Fixes: 3 fixes applied
  • E2E Security Tests Execution: 3 vulnerabilities found
  • Cleanup Irrelevant Test Files: 0 test files removed
  • Applying Security Fixes: 3 fixes applied
  • E2E Security Tests Execution: 3 vulnerabilities found
  • Cleanup Irrelevant Test Files: 0 test files removed
  • Applying Security Fixes: 3 fixes applied
  • E2E Security Tests Execution: 3 vulnerabilities found
  • Cleanup Irrelevant Test Files: 0 test files removed
  • Applying Security Fixes: 3 fixes applied
  • E2E Security Tests Execution: 1 vulnerability found
  • Cleanup Irrelevant Test Files: 4 test files removed
  • ⏭️ Applying Security Fixes: Skipped
  • ⏭️ Workflow Wrap-Up: Skipped
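The first row of the table above fixes the partnerLogin XPath injection by swapping single quotes for XML entities. The following TypeScript is an added example, not code from this PR or from the project, showing a construction that works for any input (including values that contain both quote characters) and why the entity substitution is a weaker fix. The `//partner[username=... and password=...]` query shape and the field names are assumptions for illustration.

```typescript
// Added example, not code from the PR or the project.

// Return an XPath 1.0 string literal for `value`. Values holding only one kind
// of quote are wrapped in the other kind; values holding both are split on the
// single quotes and reassembled with concat(), each apostrophe becoming its own
// double-quoted literal. No input can therefore terminate the literal early.
function xpathLiteral(value: string): string {
  if (!value.includes("'")) {
    return `'${value}'`;
  }
  if (!value.includes('"')) {
    return `"${value}"`;
  }
  const pieces = value.split("'").map((piece) => `'${piece}'`);
  return `concat(${pieces.join(`, "'", `)})`;
}

// Entity substitution of the kind the table row describes. It does stop the
// literal from being closed, but when the expression goes straight to an XPath
// evaluator (no XML parser in between), "&apos;" stays as six literal
// characters, so a partner whose name really contains an apostrophe can no
// longer be matched.
function entityEscape(value: string): string {
  return value.replace(/'/g, "&apos;");
}

// Assumed query shape for a login lookup over an XML partner store.
function partnerLoginQuery(username: string, password: string): string {
  return `//partner[username=${xpathLiteral(username)} and password=${xpathLiteral(password)}]`;
}

// Classic bypass payload (constructed input): with naive string concatenation
// it would turn the predicate into a tautology.
const injectedPassword = "' or '1'='1";
```

With `xpathLiteral`, the payload above ends up inside a double-quoted literal and is compared as an ordinary string; with `entityEscape`, it is also neutralised, but so is every legitimate apostrophe in real data. Where the XPath library in use supports variable binding, that is preferable to either form of escaping.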
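The SSRF rows in the table describe two different checks: the google endpoint checks that `path` starts with the provider's base URL, while the aws and azure endpoints validate the hostname against an allow-list. The following TypeScript is an added example, not code from this PR or from the project, contrasting the two on inputs that a string-prefix check accepts but that would send the request somewhere else. The provider hostnames in `ALLOWED_HOSTS` are assumptions chosen for illustration.

```typescript
// Added example, not code from the PR or the project.

// Assumed allow-list of object-storage hosts the file endpoint may fetch from.
const ALLOWED_HOSTS: ReadonlySet<string> = new Set([
  "storage.googleapis.com",
  "s3.amazonaws.com",
]);

type Verdict = { ok: true; url: URL } | { ok: false; reason: string };

// Prefix check of the kind the table describes for GET /api/file/google:
// accepts anything that begins with the provider's base URL.
function prefixCheck(path: string, base = "https://storage.googleapis.com"): boolean {
  return path.startsWith(base);
}

// Allow-list check on the parsed URL. Parsing first means the host compared is
// the one the HTTP client will actually connect to, not what the string looks
// like at a glance.
function checkUrl(raw: string): Verdict {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  // "https://storage.googleapis.com@10.0.0.1/" parses with userinfo; refuse it.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "userinfo not allowed" };
  }
  if (url.port !== "") {
    return { ok: false, reason: "explicit port not allowed" };
  }
  // The parser lower-cases the hostname, so an exact set lookup is sufficient.
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} not allowed` };
  }
  return { ok: true, url };
}

function isAllowed(raw: string): boolean {
  return checkUrl(raw).ok;
}

// Constructed inputs: one legitimate object URL and two that satisfy the prefix
// check while pointing the server at an attacker-controlled host or at the
// cloud metadata address.
const legit = "https://storage.googleapis.com/bucket/report.pdf";
const lookalikeHost = "https://storage.googleapis.com.attacker.example/x";
const userinfoTrick = "https://storage.googleapis.com@169.254.169.254/latest/meta-data/";
```

The allow-list only constrains the first request: the client that performs the fetch should not follow redirects automatically (or should re-run `checkUrl` on each redirect target), otherwise an allow-listed host that redirects elsewhere reopens the hole.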
