
test(security): add automated security tests for API endpoints using Brightsec #562


Status: Open. Wants to merge 7 commits into base: stable.
Conversation

@bararchy (Member) commented Apr 8, 2025

Note

Fixed 13 of 13 vulnerabilities.
Please review the fixes before merging.

| Vulnerability | Endpoint | Affected Files | Resolution |
|---|---|---|---|
| Secret Tokens Leak | GET /api/config | src/app.controller.ts | Sensitive information is removed from the configuration response to prevent secret tokens from being exposed. |
| Server Side Request Forgery | GET /api/file/aws | src/file/file.controller.ts | Added validation to prevent URL schemas in the path parameter to mitigate SSRF vulnerability. |
| Server Side Request Forgery | GET /api/file/azure | src/file/file.controller.ts | Added validation to ensure the 'path' parameter does not contain URL schemas, preventing SSRF attacks. |
| Unvalidated Redirect | GET /api/goto | src/app.controller.ts | Implemented URL validation using an allowlist to prevent unvalidated redirects. |
| XPATH Injection | GET /api/partners/partnerLogin | src/partners/partners.controller.ts | Sanitized user inputs in the partnerLogin method to prevent XPath Injection by replacing single quotes with XML entity equivalents. |
| Server Side Request Forgery | GET /api/file | src/file/file.controller.ts | Added validation to ensure the 'path' parameter is not a URL, preventing SSRF attacks. |
| XPATH Injection | GET /api/partners/searchPartners | src/partners/partners.controller.ts | Sanitized user input in the searchPartners endpoint to prevent XPath Injection by replacing single quotes with XML entity `&apos;`. This ensures the input cannot alter the intended query structure. |
| [BL] Business Constraint Bypass | GET /api/products/latest | src/products/products.controller.ts | Implemented a maximum limit of 50 on the number of products returned by the endpoint to prevent business constraint bypass. |
| Secret Tokens Leak | GET /api/secrets | src/app.controller.ts | Sensitive tokens are removed from the response, ensuring they are not exposed through the API. |
| Server Side Template Injection | POST /api/render | src/app.controller.ts | Implemented allowlist validation for templates to prevent arbitrary code execution. |
| SQL Injection | GET /api/testimonials/count | src/testimonials/testimonials.service.ts, src/testimonials/testimonials.controller.ts | Replaced dynamic SQL execution with a static query to count testimonials, eliminating SQL injection risk. |
| Database Error Message Disclosure | GET /api/testimonials/count | src/testimonials/testimonials.controller.ts | Implemented error handling to prevent detailed database error messages from being exposed to users. |
| XML External Entity (XXE) | POST /api/metadata | src/app.controller.ts | Disabled external entity expansion and DTD validation in XML parser to prevent XXE attacks. |

Workflow execution details
  • Repository Analysis: TypeScript, JavaScript, NestJS
  • Entrypoints Discovery: 49 entrypoints
  • Attack Vectors Identification
  • E2E Security Tests Generation: 49 test files created
  • E2E Security Tests Execution: Found 13 vulnerabilities.
  • Cleanup Irrelevant Test Files: 49 files removed.
  • Applying Security Fixes: Generated 13 security fixes.
  • E2E Security Tests Execution: Found 0 vulnerabilities.
  • Workflow Wrap-Up
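
Editor's note: the table above describes the SSRF fixes for the `path` parameter (GET /api/file, /api/file/aws, /api/file/azure) and the allowlist for GET /api/goto only in prose. The block below is an added example, not code from this PR or from the project, showing what such validators look like when they judge the parsed result rather than a string prefix. The allowlist hosts, the site origin and the function names are assumptions for illustration.

```typescript
// Added example (not the project's code). Two validators for the URL-shaped
// inputs in the PR table: the storage 'path' parameter (SSRF) and the
// redirect target (unvalidated redirect). Hosts and names are assumed.

const REDIRECT_ALLOWLIST: ReadonlySet<string> = new Set([
  "app.example.com",  // assumed: the site's own host
  "docs.example.com", // assumed: a trusted sibling host
]);

// SSRF guard: accept only a plain relative object key. Anything a URL-aware
// fetcher could turn into a request elsewhere is refused: a <scheme>: prefix
// (http:, file:, gopher:), a protocol-relative "//host", an absolute "/path",
// backslashes and control characters, and "." / ".." segments. The value is
// percent-decoded once first so encoded forms are judged the same way.
// Note this also rejects legitimate keys containing ":" (e.g. "a:b.pdf");
// that is the conservative trade-off.
function isSafeStoragePath(path: string): boolean {
  if (path.length === 0 || path.length > 512) return false;
  let decoded: string;
  try {
    decoded = decodeURIComponent(path);
  } catch {
    return false; // malformed percent-encoding
  }
  if (/[\u0000-\u001f\u007f\\]/.test(decoded)) return false;
  if (/^[a-z][a-z0-9+.-]*:/i.test(decoded)) return false; // looks like <scheme>:
  if (decoded.startsWith("/")) return false;               // covers "/" and "//"
  const segments = decoded.split("/");
  return segments.every((s) => s !== "" && s !== "." && s !== "..");
}

// Redirect guard: resolve the target against the site origin the way a
// browser would (WHATWG URL), then decide on the resulting scheme, host and
// credentials. Deciding on the parsed result instead of a string prefix is
// what defeats "//evil.com", "\\evil.com", "https://app.example.com.evil.com"
// and "https://app.example.com@evil.com". Returns the absolute URL to send
// the client to, or null when the redirect must be refused.
function resolveRedirect(
  target: string,
  siteOrigin = "https://app.example.com", // assumed
): string | null {
  let url: URL;
  try {
    url = new URL(target, siteOrigin);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  if (url.username !== "" || url.password !== "") return null;
  if (!REDIRECT_ALLOWLIST.has(url.hostname)) return null;
  return url.href;
}
```

In a NestJS controller the two guards would sit at the top of the handler (or in a pipe), returning 400 for a rejected `path` and falling back to the site root for a rejected redirect target; the point of `resolveRedirect` returning the resolved `href` is that the handler redirects to what was checked, not to the raw query string.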

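Editor's note: the XPath rows above fix partnerLogin and searchPartners by replacing single quotes with the XML entity `&apos;`. That neutralises the quote as a delimiter only while the value is always placed inside single quotes, and unless the expression is itself embedded in an XML document the five characters `&apos;` are compared literally. The block below is an added example, not code from this PR or the project, showing the general technique of emitting a well-formed XPath 1.0 string literal for any value; the element and attribute names in the sample queries are assumptions.

```typescript
// Added example (not the project's code). Builds XPath 1.0 string literals
// so a user-controlled value can never terminate the literal it is placed in.
// Element and attribute names (partners/partner, username, password, name)
// are assumed for illustration.

// XPath 1.0 string literals have no escape sequence, so a value containing
// both quote characters can only be expressed with concat().
function xpathStringLiteral(value: string): string {
  if (!value.includes("'")) return `'${value}'`;
  if (!value.includes('"')) return `"${value}"`;
  const pieces = value.split("'").map((p) => `'${p}'`);
  return `concat(${pieces.join(`, "'", `)})`;
}

// The PR's approach as described in the table: neutralise the delimiter by
// replacing the single quote. It is correct only while the value is always
// placed inside single quotes; a value later placed inside double quotes is
// untouched, and "O'Brien" becomes the literal text O&apos;Brien.
function escapeApos(value: string): string {
  return value.replace(/'/g, "&apos;");
}

// Before: string concatenation, the shape that invites injection.
function partnerLoginQueryUnsafe(username: string, password: string): string {
  return `//partners/partner[username='${username}' and password='${password}']`;
}

// After: every user-controlled value goes through xpathStringLiteral, which
// chooses the delimiter itself and so cannot be broken out of.
function partnerLoginQuerySafe(username: string, password: string): string {
  return (
    `//partners/partner[username=${xpathStringLiteral(username)}` +
    ` and password=${xpathStringLiteral(password)}]`
  );
}

// A search term placed in a double-quoted context would slip past
// escapeApos; the literal builder handles it the same way.
function searchPartnersQuerySafe(term: string): string {
  return `//partners/partner[contains(name, ${xpathStringLiteral(term)})]`;
}
```

The classic bypass payload `' or '1'='1` turns the unsafe query into a tautology; through `xpathStringLiteral` it becomes a double-quoted literal and is compared as data. Values with both quote characters come out as `concat('a', "'", 'b"c')`, which any XPath 1.0 engine accepts.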
@bararchy changed the title from "ci(security): integrate Bright CI pipeline for security tests and remediation" to "test(security): add automated security tests for API endpoints using Brightsec" on Apr 8, 2025.
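
Editor's note: the XXE row above disables external entity expansion and DTD validation in the parser behind POST /api/metadata. The block below is an added example, not code from this PR or the project: a request-level gate that refuses any XML body carrying a DTD at all, which is where external entities and entity-expansion (billion laughs) payloads are declared. It complements the parser setting rather than replacing it. The sample documents are constructed.

```typescript
// Added example (not the project's code). Pre-parse gate for an XML request
// body: reject anything that declares a DTD or references an entity that no
// DTD-free document could resolve. Sample inputs below are constructed.

type GateResult = { ok: true } | { ok: false; reason: string };

function gateXmlBody(raw: string, maxChars = 1_000_000): GateResult {
  if (raw.length > maxChars) return { ok: false, reason: "body too large" };
  // A UTF-16 body decoded as UTF-8 shows up as NUL-interleaved text that a
  // plain "<!DOCTYPE" search would miss; no well-formed XML contains NUL.
  if (raw.includes("\u0000")) return { ok: false, reason: "NUL in body" };
  const body = raw.replace(/^\uFEFF/, ""); // strip a leading BOM
  // The DOCTYPE token is fixed by the XML grammar (case-sensitive, no inner
  // whitespace), so a literal search is sufficient; /i is merely conservative.
  if (/<!DOCTYPE/i.test(body)) return { ok: false, reason: "DTD not allowed" };
  // Entity declarations are only legal inside a DOCTYPE; checking the token
  // separately keeps the gate independent of how a parser treats stray ones.
  if (/<!ENTITY/i.test(body)) {
    return { ok: false, reason: "entity declaration not allowed" };
  }
  // Without a DTD the only resolvable references are the five predefined
  // entities and numeric character references; anything else is refused
  // here instead of being left to the parser.
  const ref = /&(?!(?:amp|lt|gt|apos|quot|#\d+|#x[0-9a-f]+);)[^;\s<]*;/i.exec(body);
  if (ref) return { ok: false, reason: `undeclared entity reference ${ref[0]}` };
  return { ok: true };
}

// Constructed sample: the classic file-read XXE payload.
const XXE_SAMPLE = `<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<metadata><title>&xxe;</title></metadata>`;

// Constructed sample: a benign metadata body using only predefined entities.
const BENIGN_SAMPLE = `<?xml version="1.0" encoding="UTF-8"?>
<metadata><title>Q1 report &amp; notes &#169; 2025</title><pages>12</pages></metadata>`;
```

Call `gateXmlBody` on the raw body before it reaches the parser and answer 400 with the `reason` on failure; the parser itself must still be configured not to load DTDs or substitute entities, so that a payload arriving by a route the gate does not see is equally inert.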