ci: integrate Bright CI for security testing and remediation [157 eps, 9 vulns, startup error after fixes]

.brightsec/tests/get-rest-products-search.test.ts

@@ -0,0 +1,36 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+  runner = new SecRunner({
+    hostname: process.env.BRIGHT_HOSTNAME!,
+    projectId: process.env.BRIGHT_PROJECT_ID!
+  });
+
+  await runner.init();
+});
+
+after(() => runner.clear());
+
+test('GET /rest/products/search?q=:query', { signal: AbortSignal.timeout(timeout) }, async () => {
+  await runner
+    .createScan({
+      tests: ['sqli'],
+      attackParamLocations: [AttackParamLocation.QUERY],
+      starMetadata: { databases: ['SQLite'] }
+    })
+    .setFailFast(false)
+    .timeout(timeout)
+    .run({
+      method: HttpMethod.GET,
+      url: `${baseUrl}/rest/products/search?q=apple`,
+      headers: { 'X-Recruiting': 'undefined' },
+      auth: process.env.BRIGHT_AUTH_ID
+    });
+});

.brightsec/tests/patch-rest-products-reviews.test.ts

@@ -0,0 +1,40 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+  runner = new SecRunner({
+    hostname: process.env.BRIGHT_HOSTNAME!,
+    projectId: process.env.BRIGHT_PROJECT_ID!
+  });
+
+  await runner.init();
+});
+
+after(() => runner.clear());
+
+test('PATCH /rest/products/reviews', { signal: AbortSignal.timeout(timeout) }, async () => {
+  await runner
+    .createScan({
+      tests: ['nosql'],
+      attackParamLocations: [AttackParamLocation.BODY],
+      starMetadata: { databases: ['SQLite'] }
+    })
+    .setFailFast(false)
+    .timeout(timeout)
+    .run({
+      method: HttpMethod.PATCH,
+      url: `${baseUrl}/rest/products/reviews`,
+      body: {
+        id: '60c72b2f9b1d8e001c8e4b8a',
+        message: 'Updated review message'
+      },
+      headers: { 'Content-Type': 'application/json' },
+      auth: process.env.BRIGHT_AUTH_ID
+    });
+});

.brightsec/tests/post-api-addresss.test.ts

@@ -0,0 +1,37 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+  runner = new SecRunner({
+    hostname: process.env.BRIGHT_HOSTNAME!,
+    projectId: process.env.BRIGHT_PROJECT_ID!
+  });
+
+  await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /api/addresss', { signal: AbortSignal.timeout(timeout) }, async () => {
+  await runner
+    .createScan({
+      tests: ['id_enumeration'],
+      attackParamLocations: [AttackParamLocation.BODY],
+      starMetadata: { databases: ['SQLite'] }
+    })
+    .setFailFast(false)
+    .timeout(timeout)
+    .run({
+      method: HttpMethod.POST,
+      url: `${baseUrl}/api/Addresss`,
+      body: { UserId: 123 },
+      headers: { 'Content-Type': 'application/json' },
+      auth: process.env.BRIGHT_AUTH_ID
+    });
+});

.brightsec/tests/post-api-products.test.ts

@@ -0,0 +1,43 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+  runner = new SecRunner({
+    hostname: process.env.BRIGHT_HOSTNAME!,
+    projectId: process.env.BRIGHT_PROJECT_ID!
+  });
+
+  await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /api/products', { signal: AbortSignal.timeout(timeout) }, async () => {
+  await runner
+    .createScan({
+      tests: ['sqli'],
+      attackParamLocations: [AttackParamLocation.BODY],
+      starMetadata: { databases: ['SQLite'] }
+    })
+    .setFailFast(false)
+    .timeout(timeout)
+    .run({
+      method: HttpMethod.POST,
+      url: `${baseUrl}/api/Products`,
+      body: {
+        name: 'Sample Product',
+        description: 'A sample product description.',
+        price: 19.99,
+        deluxePrice: 29.99,
+        image: 'sample-image.png'
+      },
+      headers: { 'Content-Type': 'application/json' },
+      auth: process.env.BRIGHT_AUTH_ID
+    });
+});

.brightsec/tests/post-api-recycles.test.ts

@@ -0,0 +1,44 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+  runner = new SecRunner({
+    hostname: process.env.BRIGHT_HOSTNAME!,
+    projectId: process.env.BRIGHT_PROJECT_ID!
+  });
+
+  await runner.init();
+});
+
+after(() => runner.clear());
+
+test('POST /api/recycles', { signal: AbortSignal.timeout(timeout) }, async () => {
+  await runner
+    .createScan({
+      tests: ['id_enumeration', 'sqli'],
+      attackParamLocations: [AttackParamLocation.BODY],
+      starMetadata: { databases: ['SQLite'] },
+      skipStaticParams: false
+    })
+    .setFailFast(false)
+    .timeout(timeout)
+    .run({
+      method: HttpMethod.POST,
+      url: `${baseUrl}/api/Recycles`,
+      body: {
+        UserId: 1,
+        AddressId: 1,
+        quantity: 10,
+        isPickup: true,
+        date: "2023-10-01T00:00:00Z"
+      },
+      headers: { 'Content-Type': 'application/json' },
+      auth: process.env.BRIGHT_AUTH_ID
+    });
+});

.brightsec/tests/put-api-addresss-1.test.ts

@@ -0,0 +1,47 @@
+import { test, before, after } from 'node:test';
+import { SecRunner } from '@sectester/runner';
+import { AttackParamLocation, HttpMethod } from '@sectester/scan';
+
+const timeout = 40 * 60 * 1000;
+const baseUrl = process.env.BRIGHT_TARGET_URL!;
+
+let runner!: SecRunner;
+
+before(async () => {
+  runner = new SecRunner({
+    hostname: process.env.BRIGHT_HOSTNAME!,
+    projectId: process.env.BRIGHT_PROJECT_ID!
+  });
+
+  await runner.init();
+});
+
+after(() => runner.clear());
+
+test('PUT /api/addresss/1', { signal: AbortSignal.timeout(timeout) }, async () => {
+  await runner
+    .createScan({
+      tests: ['id_enumeration'],
+      attackParamLocations: [AttackParamLocation.BODY],
+      starMetadata: { databases: ['SQLite'] },
+      skipStaticParams: false
+    })
+    .setFailFast(false)
+    .timeout(timeout)
+    .run({
+      method: HttpMethod.PUT,
+      url: `${baseUrl}/api/Addresss/1`,
+      body: {
+        UserId: 1,
+        fullName: 'John Doe',
+        mobileNum: 1234567890,
+        zipCode: '12345',
+        streetAddress: '123 Main St',
+        city: 'Metropolis',
+        state: 'NY',
+        country: 'USA'
+      },
+      headers: { 'Content-Type': 'application/json' },
+      auth: process.env.BRIGHT_AUTH_ID
+    });
+});

.github/workflows/bright.yml

@@ -0,0 +1,52 @@
+name: Bright
+
+on:
+  pull_request:
+    branches:
+      - '*'
+
+permissions:
+  checks: write
+  contents: read
+  id-token: write
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js 20.x
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+
+      - name: Install application dependencies
+        run: |
+          npm install
+
+      - name: Start application
+        run: |
+          npm start &
+          until nc -zv 127.0.0.1 3000; do sleep 1; done
+
+      - name: Set up Node.js 22.x
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22.x
+
+      - name: Install SecTesterJS dependencies
+        run: |
+          npm i --save=false --prefix .brightsec @sectester/core @sectester/repeater @sectester/scan @sectester/runner @sectester/reporter
+
+      - name: Run security tests
+        env:
+          BRIGHT_HOSTNAME: ${{ vars.BRIGHT_HOSTNAME }}
+          BRIGHT_PROJECT_ID: ${{ vars.BRIGHT_PROJECT_ID }}
+          BRIGHT_AUTH_ID: ${{ vars.BRIGHT_AUTH_ID }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRIGHT_TOKEN: ${{ secrets.BRIGHT_TOKEN }}
+          BRIGHT_TARGET_URL: http://127.0.0.1:3000
+        run: |
+          node --experimental-transform-types --experimental-strip-types --experimental-detect-module --disable-warning=MODULE_TYPELESS_PACKAGE_JSON --disable-warning=ExperimentalWarning --test-force-exit --test-concurrency=4 --test .brightsec/tests/*.test.ts

.github/workflows/ci.yml

@@ -1,22 +1,25 @@
 name: "CI/CD Pipeline"
 on:
-  push:
-    branches-ignore:
-      - l10n_develop
-      - gh-pages
-    paths-ignore:
-      - '*.md'
-      - 'LICENSE'
-      - 'monitoring/grafana-dashboard.json'
-      - 'screenshots/**'
-    tags-ignore:
-      - '*'
-  pull_request:
-    paths-ignore:
-      - '*.md'
-      - 'LICENSE'
-      - 'data/static/i18n/*.json'
-      - 'frontend/src/assets/i18n/*.json'
+  workflow_dispatch:
+# on:
+#   push:
+#     branches-ignore:
+#       - l10n_develop
+#       - gh-pages
+#     paths-ignore:
+#       - '*.md'
+#       - 'LICENSE'
+#       - 'monitoring/grafana-dashboard.json'
+#       - 'screenshots/**'
+#     tags-ignore:
+#       - '*'
+#   pull_request:
+#     paths-ignore:
+#       - '*.md'
+#       - 'LICENSE'
+#       - 'data/static/i18n/*.json'
+#       - 'frontend/src/assets/i18n/*.json'
+
 env:
   NODE_DEFAULT_VERSION: 22
   NODE_OPTIONS: "--max_old_space_size=4096"
@@ -40,18 +43,8 @@ jobs:
         run: npm run lint
       - name: "Lint customization configs"
         run: >
-          npm run lint:config -- -f ./config/7ms.yml &&
-          npm run lint:config -- -f ./config/addo.yml &&
-          npm run lint:config -- -f ./config/bodgeit.yml &&
-          npm run lint:config -- -f ./config/ctf.yml &&
-          npm run lint:config -- -f ./config/default.yml &&
-          npm run lint:config -- -f ./config/fbctf.yml &&
-          npm run lint:config -- -f ./config/juicebox.yml &&
-          npm run lint:config -- -f ./config/mozilla.yml &&
-          npm run lint:config -- -f ./config/oss.yml &&
-          npm run lint:config -- -f ./config/quiet.yml &&
-          npm run lint:config -- -f ./config/tutorial.yml &&
-          npm run lint:config -- -f ./config/unsafe.yml
+          npm run lint:config -- -f ./config/7ms.yml && npm run lint:config -- -f ./config/addo.yml && npm run lint:config -- -f ./config/bodgeit.yml && npm run lint:config -- -f ./config/ctf.yml && npm run lint:config -- -f ./config/default.yml && npm run lint:config -- -f ./config/fbctf.yml && npm run lint:config -- -f ./config/juicebox.yml && npm run lint:config -- -f ./config/mozilla.yml && npm run lint:config -- -f ./config/oss.yml && npm run lint:config -- -f ./config/quiet.yml && npm run lint:config -- -f ./config/tutorial.yml && npm run lint:config -- -f ./config/unsafe.yml
+
   coding-challenge-rsn:
     runs-on: windows-latest
     steps:
@@ -184,17 +177,8 @@ jobs:
           timeout_minutes: 30
           max_attempts: 3
           command: >
-            NODE_ENV=7ms npm run test:server &&
-            NODE_ENV=addo npm run test:server &&
-            NODE_ENV=bodgeit npm run test:server &&
-            NODE_ENV=ctf npm run test:server &&
-            NODE_ENV=fbctf npm run test:server &&
-            NODE_ENV=juicebox npm run test:server &&
-            NODE_ENV=mozilla npm run test:server &&
-            NODE_ENV=oss npm run test:server &&
-            NODE_ENV=quiet npm run test:server &&
-            NODE_ENV=tutorial npm run test:server &&
-            NODE_ENV=unsafe npm run test:server
+            NODE_ENV=7ms npm run test:server && NODE_ENV=addo npm run test:server && NODE_ENV=bodgeit npm run test:server && NODE_ENV=ctf npm run test:server && NODE_ENV=fbctf npm run test:server && NODE_ENV=juicebox npm run test:server && NODE_ENV=mozilla npm run test:server && NODE_ENV=oss npm run test:server && NODE_ENV=quiet npm run test:server && NODE_ENV=tutorial npm run test:server && NODE_ENV=unsafe npm run test:server
+
   e2e:
     runs-on: ${{ matrix.os }}
     strategy: