test(security): enhance API security with automated tests for multiple endpoints #550

Open
wants to merge 7 commits into base: stable from

Conversation

bararchy (Member)

@bararchy bararchy commented Mar 31, 2025

Note

Fixed 13 of 13 vulnerabilities.
Please review the fixes before merging.

| Vulnerability | Endpoint | Affected Files | Resolution |
|---|---|---|---|
| Exposed Database Connection String | GET /api/config | src/app.controller.ts | Sensitive database connection string removed from the configuration response to prevent exposure. |
| Secret Tokens Leak | GET /api/config | src/app.controller.ts | Removed exposure of secret tokens by disabling the endpoint and throwing a forbidden access exception. |
| Server Side Request Forgery | GET /api/file/aws | src/file/file.controller.ts | Added validation to ensure the 'path' parameter is a relative path, preventing SSRF by blocking URLs and directory traversal attempts. |
| Server Side Request Forgery | GET /api/file/azure | src/file/file.controller.ts | Added URL validation to ensure the path matches the expected Azure base URL, preventing SSRF attacks. |
| Server Side Request Forgery | GET /api/file/google | src/file/file.controller.ts | Added URL validation to ensure the path matches the expected Google Cloud base URL, preventing SSRF. |
| Unvalidated Redirect | GET /api/goto | src/app.controller.ts | Implemented URL validation using an allowlist to prevent unvalidated redirects. |
| XPATH Injection | GET /api/partners/partnerLogin | src/partners/partners.controller.ts | Implemented parameterized XPath queries to prevent injection attacks in the partnerLogin endpoint. |
| Server Side Request Forgery | GET /api/file | src/file/file.controller.ts | Implemented strict validation and directory restriction for file paths to prevent SSRF and unauthorized access. |
| XPATH Injection | GET /api/partners/searchPartners | src/partners/partners.controller.ts | Replaced direct XPath query string interpolation with parameterized queries to prevent injection. |
| Secret Tokens Leak | GET /api/secrets | src/app.controller.ts | The secret tokens are no longer exposed via the endpoint; access is now forbidden. |
| [BL] Business Constraint Bypass | GET /api/products/latest | src/products/products.controller.ts | Implemented a maximum limit of 50 on the number of products returned by the endpoint to prevent business constraint bypass. |
| Full Path Disclosure | GET /api/spawn | src/app.controller.ts | Replaced detailed error messages with generic ones to prevent full path disclosure. |
| Server Side Template Injection | POST /api/render | src/app.controller.ts | Implemented an allowlist for templates to prevent Server Side Template Injection. |
Workflow execution details
  • Repository Analysis: TypeScript, NestJS
  • Entrypoints Discovery: 47 entrypoints
  • Attack Vectors Identification
  • E2E Security Tests Generation: 47 test files created
  • E2E Security Tests Execution: Found 13 vulnerabilities.
  • Cleanup Irrelevant Test Files: 47 files removed.
  • Applying Security Fixes: Generated 13 security fixes.
  • E2E Security Tests Execution: Found 0 vulnerabilities.
  • Workflow Wrap-Up

@bararchy changed the title from "ci(security): integrate Bright CI pipeline for security tests and remediation" to "test(security): enhance API security with automated tests for multiple endpoints" on Mar 31, 2025