Conversation

@bararchy bararchy (Member) commented Mar 26, 2025

> Note
>
> Fixed 14 of 14 vulnerabilities.
> Please review the fixes before merging.

| Vulnerability | Endpoint | Affected Files | Resolution |
| --- | --- | --- | --- |
| Secret Tokens Leak | GET /api/config | src/app.controller.ts | Removed hardcoded secrets from the endpoint and blocked access to prevent exposure. |
| Server Side Request Forgery | GET /api/file/aws | src/file/file.controller.ts | Added validation to reject URLs in the 'path' parameter for the AWS file endpoint to prevent SSRF attacks. |
| Server Side Request Forgery | GET /api/file/azure | src/file/file.controller.ts | Added validation to ensure the 'path' parameter does not contain URLs, preventing SSRF attacks. |
| Unvalidated Redirect | GET /api/goto | src/app.controller.ts | Implemented URL validation using an allowlist to prevent unvalidated redirects. |
| XPATH Injection | GET /api/partners/partnerLogin | src/partners/partners.controller.ts | Sanitized user inputs in the partnerLogin endpoint to prevent XPath Injection by replacing single quotes with XML entity equivalents. |
| Server Side Request Forgery | GET /api/file/google | src/file/file.controller.ts | Added validation to prevent URLs in the 'path' parameter for the Google file endpoint, mitigating SSRF risk. |
| XPATH Injection | GET /api/partners/searchPartners | src/partners/partners.controller.ts | Sanitized user input in the searchPartners endpoint to prevent XPath Injection by replacing single quotes with the XML entity `&apos;`. This ensures the input cannot alter the intended query structure. |
| Secret Tokens Leak | GET /api/secrets | src/app.controller.ts | The secret tokens are no longer exposed via the API endpoint, preventing unauthorized access. |
| Full Path Disclosure | GET /api/spawn | src/app.controller.ts | Replaced detailed error messages with generic ones to prevent full path disclosure. |
| Server Side Request Forgery | GET /api/file | src/file/file.controller.ts | Added validation to ensure the 'path' parameter does not contain URLs, preventing SSRF attacks. |
| Server Side Template Injection | POST /api/render | src/app.controller.ts | Implemented an allowlist for template rendering to prevent arbitrary code execution. |
| SQL Injection | GET /api/testimonials/count | src/testimonials/testimonials.service.ts, src/testimonials/testimonials.controller.ts | Replaced dynamic SQL execution with a static, parameterized query to prevent SQL injection. |
| Database Error Message Disclosure | GET /api/testimonials/count | src/testimonials/testimonials.controller.ts | Implemented error handling to prevent detailed database error messages from being exposed to users. |
| XML External Entity (XXE) | POST /api/metadata | src/app.controller.ts | Disabled external entity expansion and DTD validation in the XML parser to prevent XXE attacks. |
Workflow execution details
  • Repository Analysis: TypeScript, JavaScript, NestJS
  • Entrypoints Discovery: 49 entrypoints
  • Attack Vectors Identification
  • E2E Security Tests Generation: 49 test files created
  • E2E Security Tests Execution: Found 14 vulnerabilities.
  • Cleanup Irrelevant Test Files: 49 files removed.
  • Applying Security Fixes: Generated 14 security fixes.
  • E2E Security Tests Execution: Found 0 vulnerabilities.
  • Workflow Wrap-Up

@bararchy bararchy changed the title ci: integrate Bright CI pipeline for security testing and remediation fix: enhance security testing for API endpoints with Bright-generated tests Mar 26, 2025
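The two URL checks the table describes, the allowlist for the /api/goto redirect and the rejection of URLs in the 'path' parameter of the /api/file endpoints, as an added TypeScript example that is not code from this PR or repository; the allowlisted hosts, the application origin and the function names are assumed, and the path check also rejects traversal segments, which goes beyond the URL-only check the table lists.

```typescript
// Added example, not the repository's code. Hosts and origin below are assumed.
const REDIRECT_ALLOWLIST = new Set(['example.com', 'www.example.com']);
const APP_ORIGIN = 'https://example.com';

// Parse with the WHATWG URL parser so protocol-relative ("//host"),
// backslash and userinfo tricks resolve to their real host before checking.
function parseTarget(target: string): URL | null {
  try {
    return new URL(target, APP_ORIGIN); // relative paths resolve to the app itself
  } catch {
    return null; // unparsable input is rejected rather than passed through
  }
}

/** Returns an absolute redirect target, or null when it is not allowlisted. */
function resolveRedirect(target: string): string | null {
  const url = parseTarget(target);
  if (url === null) return null;
  // Only web schemes; rules out javascript:, data: and similar.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // Exact host match: "example.com.evil.example" and "user@evil.example" fail here.
  if (!REDIRECT_ALLOWLIST.has(url.hostname)) return null;
  return url.toString();
}

/** True when 'path' is a plain relative file path: no scheme, no host, no traversal. */
function isLocalPath(path: string): boolean {
  if (path.length === 0 || path.length > 255) return false;
  // Anything shaped like "scheme:" (http:, file:, gs:, s3:) is a URL, not a file path.
  if (/^[a-z][a-z0-9+.\-]*:/i.test(path)) return false;
  // Leading slash or backslash covers absolute paths and "//host/share" forms.
  if (path.startsWith('/') || path.startsWith('\\')) return false;
  // Reject ".." segments so the path cannot escape the storage prefix (beyond the table's URL check).
  if (path.split(/[\\/]/).some((seg) => seg === '..')) return false;
  return true;
}
```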