Skip to content

ci: integrate Bright CI for security testing and remediation [166eps, 1-of-6 fixed; unknown integration] #133

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
tssbox wants to merge 13 commits into
base: main
Choose a base branch
from
Open

ci: integrate Bright CI for security testing and remediation [166eps, 1-of-6 fixed; unknown integration] #133

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
031c770
chore: initialize PR with an empty commit
tssbox Aug 27, 2025
02b58bc
ci: temporarily disable workflows while addressing security issues
tssbox Aug 27, 2025
f51148e
test: add auto-generated e2e security tests
tssbox Aug 27, 2025
839e02d
ci: add CI workflow to run e2e security tests
tssbox Aug 27, 2025
13af455
test: remove completed test files that are no longer relevant
tssbox Aug 27, 2025
548342a
test: optimize security tests to focus on specific vulnerabilities
tssbox Aug 27, 2025
edc4105
fix: apply automated fixes for detected vulnerabilities
tssbox Aug 27, 2025
eabe1d9
test: remove completed test files that are no longer relevant
tssbox Aug 27, 2025
8d630a1
test: optimize security tests to focus on specific vulnerabilities
tssbox Aug 27, 2025
a3870d2
fix: apply automated fixes for detected vulnerabilities
tssbox Aug 27, 2025
df1a96f
test: optimize security tests to focus on specific vulnerabilities
tssbox Aug 27, 2025
6531b6e
fix: apply automated fixes for detected vulnerabilities
tssbox Aug 27, 2025
69c6af0
fix: apply automated fixes for detected vulnerabilities
tssbox Aug 27, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 36 additions & 0 deletions .brightsec/tests/get-rest-chatbot-status.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
import { test, before, after } from 'node:test';

Check failure on line 1 in .brightsec/tests/get-rest-chatbot-status.test.ts

View workflow job for this annotation

GitHub Actions / SecTester - GET /rest/chatbot/status

.brightsec/tests/get-rest-chatbot-status.test.ts#L1 

Broken JWT Authentication vulnerability found at GET http://127.0.0.1:3000/rest/chatbot/status
Raw output 
{
  "id": "nVb1b9S2W1uRtM6DkTgf8p",
  "name": "Broken JWT Authentication",
  "severity": "High",
  "labels": [],
  "assigneeIds": [],
  "comments": [],
  "status": "recurring",
  "occurrences": 50,
  "lastReported": "2025-08-27T20:33:58.015Z",
  "discoveredAt": null,
  "resolvedAt": null,
  "createdAt": "2025-08-27T20:33:58.048Z",
  "url": "http://127.0.0.1:3000/rest/chatbot/status",
  "host": "127.0.0.1:3000",
  "method": "GET",
  "protocol": "http",
  "originalRequest": {
    "method": "GET",
    "url": "http://127.0.0.1:3000/rest/chatbot/status",
    "headers": {
      "x-recruiting": "We are hiring! Visit our careers page for more information.",
      "Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImFkbWluQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIiLCJwcm9maWxlSW1hZ2UiOiJhc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHRBZG1pbi5wbmciLCJ0b3RwU2VjcmV0IjoiIiwiaXNBY3RpdmUiOnRydWUsImNyZWF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsImRlbGV0ZWRBdCI6bnVsbH0sImlhdCI6MTc1NjMyNjgzNH0.ImMpROp0eyLNlj5okFKxpcAaiRRdZoq75UFbMEIYToW8DVe_r9qgZoyL6FRQJmkpsvZ6k2tqbNIsqnoGShmL69Mdnh3V6884Wu7toWT2rHhr1NUK-lkCtaTi9eOEH3sHsI25RHBkTZpmLj7hxetVRsQaDWY2Mzm2ZqCn-gQSdYg",
      "Cookie": "token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImFkbWluQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIiLCJwcm9maWxlSW1hZ2UiOiJhc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHRBZG1pbi5wbmciLCJ0b3RwU2VjcmV0IjoiIiwiaXNBY3RpdmUiOnRydWUsImNyZWF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsImRlbGV0ZWRBdCI6bnVsbH0sImlhdCI6MTc1NjMyNjgzNH0.ImMpROp0eyLNlj5okFKxpcAaiRRdZoq75UFbMEIYToW8DVe_r9qgZoyL6FRQJmkpsvZ6k2tqbNIsqnoGShmL69Mdnh3V6884Wu7toWT2rHhr1NUK-lkCtaTi9eOEH3sHsI25RHBkTZpmLj7hxetVRsQaDWY2Mzm2ZqCn-gQSdYg",
      "Connection": "close",
      "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.165 Safari/537.36"
    }
  },
  "request": {
    "method": "GET",
    "url": "http://127.0.0.1:3000/rest/chatbot/status",
    "headers": {
      "x-recruiting": "We are hiring! Visit our careers page for more information.",
      "Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImFkbWluQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIiLCJwcm9maWxlSW1hZ2UiOiJhc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHRBZG1pbi5wbmciLCJ0b3RwU2VjcmV0IjoiIiwiaXNBY3RpdmUiOnRydWUsImNyZWF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsImRlbGV0ZWRBdCI6bnVsbH0sImlhdCI6MTc1NjMyNjgzNH0.ImMpROp0eyLNlj5okFKxpcAaiRRdZoq75UFbMEIYToW8DVe_r9qgZoyL6FRQJmkpsvZ6k2tqbNIsqnoGShmL69Mdnh3V6884Wu7toWT2rHhr1NUK-lkCtaTi9eOEH3sHsI25RHBkTZpmLj7hxetVRsQaDWY2Mzm2ZqCn-gQSdYg",
      "Cookie": "token=eyJ0eXAiOiJKV1QiLCJhbGciOiJOb25lIn0.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImFkbWluQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIiLCJwcm9maWxlSW1hZ2UiOiJhc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHRBZG1pbi5wbmciLCJ0b3RwU2VjcmV0IjoiIiwiaXNBY3RpdmUiOnRydWUsImNyZWF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsImRlbGV0ZWRBdCI6bnVsbH0sImlhdCI6MTc1NjMyNjgzNH0.",
      "Connection": "close",
      "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.165 Safari/537.36"
    }
  },
  "response": {
    "headers": {
      "access-control-allow-origin": "*",
      "x-content-type-options": "nosniff",
      "x-frame-options": "SAMEORIGIN",
      "feature-policy": "payment 'self'",
      "x-recruiting": "/#/jobs",
      "content-type": "application/json; charset=utf-8",
      "content-length": "88",
      "etag": "W/\"58-m8V3FIrSL224h1kPmtYx3djkb90\"",
      "vary": "Accept-Encoding",
      "date": "Wed, 27 Aug 2025 20:33:57 GMT",
      "Connection": "close",
      "Cache-Control": "public, max-age=99999"
    },
    "body": "{\"action\":\"namequery\",\"body\":\"I'm sorry I didn't get your name. What shall I call you?\"}",
    "bodyUrl": null,
    "status": 200
  },
  "entryPointId": "tyd131qD3wkZVMQ2o9Uzp4",
  "tickets": [],
  "externalIssues": [],
  "issues": [
    {
      "scanId": "hgonAY9rpXCv5AkyB31qTD",
      "issueId": "nVb1b9S2W1uRtM6DkTgf8p",
      "createdAt": "2025-08-27T20:33:58.086Z"
    }
  ],
  "details": "A vulnerability was found in a JSON Web Token (JWT).\nJWT vulnerabilities enable an attacker to authenticate themselves as other users, leak information or leverage user access levels.\nValidation of a None algorithm was detected, which was triggered by switching an algorithm to None.",
  "remedy": "This can be fixed by enforcing verification by using the same algorithm as used for encryption.",
  "exposure": "Gain Privileges or Assume Identity; Bypass Protection Mechanism; Bypassing Authentication Mechanism",
  "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
  "cwe": "CWE-287",
  "resources": [
    "https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.html",
    "https://docs.brightsec.com/docs/broken-jwt-authentication"
  ],
  "screenshots": [],
  "lastScanId": "hgonAY9rpXCv5AkyB31qTD",
  "projectId": "eDr1yEcB24cZ51qtsE7hy4",
  "projectIssueId": "i343Bkx8QAnyjv38TtmiMJ",
  "certainty": true,
  "scanIds": [
    "hgonAY9rpXCv5AkyB31qTD"
  ],
  "issueIds": [
    "nVb1b9S2W1uRtM6DkTgf8p"
  ],
  "scanId": "hgonAY9rpXCv5AkyB31qTD",
  "time": "2025-08-27T20:33:58.015Z",
  "type": "Broken JWT Authentication",
  "solved": false,
  "link": "https://app.brightsec.com/scans/hgonAY9rpXCv5AkyB31qTD/issues/nVb1b9S2W1uRtM6DkTgf8p"
}
import { SecRunner } from '@sectester/runner';
import { AttackParamLocation, HttpMethod } from '@sectester/scan';

const timeout = 40 * 60 * 1000;
const baseUrl = process.env.BRIGHT_TARGET_URL!;

let runner!: SecRunner;

before(async () => {
runner = new SecRunner({
hostname: process.env.BRIGHT_HOSTNAME!,
projectId: process.env.BRIGHT_PROJECT_ID!
});

await runner.init();
});

after(() => runner.clear());

test('GET /rest/chatbot/status', { signal: AbortSignal.timeout(timeout) }, async () => {
await runner
.createScan({
tests: ['jwt'],
attackParamLocations: [AttackParamLocation.HEADER],
starMetadata: { databases: ['SQLite'] }
})
.setFailFast(false)
.timeout(timeout)
.run({
method: HttpMethod.GET,
url: `${baseUrl}/rest/chatbot/status`,
headers: { 'X-Recruiting': 'We are hiring! Visit our careers page for more information.' },
auth: process.env.BRIGHT_AUTH_ID
});
});
46 changes: 46 additions & 0 deletions .brightsec/tests/post-api-addresss.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
import { test, before, after } from 'node:test';

Check failure on line 1 in .brightsec/tests/post-api-addresss.test.ts

View workflow job for this annotation

GitHub Actions / SecTester - POST /api/Addresss

.brightsec/tests/post-api-addresss.test.ts#L1 

[BL] ID Enumeration vulnerability found at POST http://127.0.0.1:3000/api/Addresss
Raw output 
{
  "id": "2ty443ANpCjtfH2dAQdYA1",
  "name": "[BL] ID Enumeration",
  "severity": "High",
  "labels": [],
  "assigneeIds": [],
  "comments": [],
  "status": "recurring",
  "occurrences": 44,
  "lastReported": "2025-08-27T20:33:42.244Z",
  "discoveredAt": null,
  "resolvedAt": null,
  "createdAt": "2025-08-27T20:33:42.287Z",
  "url": "http://127.0.0.1:3000/api/Addresss",
  "host": "127.0.0.1:3000",
  "method": "POST",
  "protocol": "http",
  "originalRequest": {
    "method": "POST",
    "url": "http://127.0.0.1:3000/api/Addresss",
    "headers": {
      "content-type": "application/json",
      "Content-Length": "154",
      "Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImFkbWluQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIiLCJwcm9maWxlSW1hZ2UiOiJhc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHRBZG1pbi5wbmciLCJ0b3RwU2VjcmV0IjoiIiwiaXNBY3RpdmUiOnRydWUsImNyZWF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsImRlbGV0ZWRBdCI6bnVsbH0sImlhdCI6MTc1NjMyNjgxMn0.UnjxVpA_5E9G9HHBG1y9NI-O7UJmb-CDry5OwbGMgZQxH-_HAuKJgQDzwEi-9YgZM9EM0E62vcL4LcN2Y7DU0zQhwcLtvW2OuVO_ZGjV1decY-dyyFGxO4-bR_bFUARvwP1aAtyvz_8uXdspIfFiTIDKOICPK7LwUUaqGb_-1yk",
      "Cookie": "token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImFkbWluQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIiLCJwcm9maWxlSW1hZ2UiOiJhc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHRBZG1pbi5wbmciLCJ0b3RwU2VjcmV0IjoiIiwiaXNBY3RpdmUiOnRydWUsImNyZWF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsImRlbGV0ZWRBdCI6bnVsbH0sImlhdCI6MTc1NjMyNjgxMn0.UnjxVpA_5E9G9HHBG1y9NI-O7UJmb-CDry5OwbGMgZQxH-_HAuKJgQDzwEi-9YgZM9EM0E62vcL4LcN2Y7DU0zQhwcLtvW2OuVO_ZGjV1decY-dyyFGxO4-bR_bFUARvwP1aAtyvz_8uXdspIfFiTIDKOICPK7LwUUaqGb_-1yk",
      "Connection": "close",
      "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.165 Safari/537.36"
    },
    "body": "{\"UserId\":1,\"fullName\":\"John Doe\",\"mobileNum\":1234567890,\"zipCode\":\"12345\",\"streetAddress\":\"123 Main St\",\"city\":\"Metropolis\",\"state\":\"NY\",\"country\":\"USA\"}"
  },
  "request": {
    "method": "POST",
    "url": "http://127.0.0.1:3000/api/Addresss",
    "headers": {
      "content-type": "application/json",
      "Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImFkbWluQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIiLCJwcm9maWxlSW1hZ2UiOiJhc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHRBZG1pbi5wbmciLCJ0b3RwU2VjcmV0IjoiIiwiaXNBY3RpdmUiOnRydWUsImNyZWF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsImRlbGV0ZWRBdCI6bnVsbH0sImlhdCI6MTc1NjMyNjgxMn0.UnjxVpA_5E9G9HHBG1y9NI-O7UJmb-CDry5OwbGMgZQxH-_HAuKJgQDzwEi-9YgZM9EM0E62vcL4LcN2Y7DU0zQhwcLtvW2OuVO_ZGjV1decY-dyyFGxO4-bR_bFUARvwP1aAtyvz_8uXdspIfFiTIDKOICPK7LwUUaqGb_-1yk",
      "Cookie": "token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImFkbWluQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIiLCJwcm9maWxlSW1hZ2UiOiJhc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHRBZG1pbi5wbmciLCJ0b3RwU2VjcmV0IjoiIiwiaXNBY3RpdmUiOnRydWUsImNyZWF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsImRlbGV0ZWRBdCI6bnVsbH0sImlhdCI6MTc1NjMyNjgxMn0.UnjxVpA_5E9G9HHBG1y9NI-O7UJmb-CDry5OwbGMgZQxH-_HAuKJgQDzwEi-9YgZM9EM0E62vcL4LcN2Y7DU0zQhwcLtvW2OuVO_ZGjV1decY-dyyFGxO4-bR_bFUARvwP1aAtyvz_8uXdspIfFiTIDKOICPK7LwUUaqGb_-1yk",
      "Connection": "close",
      "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.165 Safari/537.36",
      "Content-Length": "154"
    },
    "body": "{\"UserId\":0,\"fullName\":\"John Doe\",\"mobileNum\":1234567890,\"zipCode\":\"12345\",\"streetAddress\":\"123 Main St\",\"city\":\"Metropolis\",\"state\":\"NY\",\"country\":\"USA\"}"
  },
  "response": {
    "headers": {
      "access-control-allow-origin": "*",
      "x-content-type-options": "nosniff",
      "x-frame-options": "SAMEORIGIN",
      "feature-policy": "payment 'self'",
      "x-recruiting": "/#/jobs",
      "location": "/api/Addresss/21",
      "content-type": "application/json; charset=utf-8",
      "content-length": "268",
      "etag": "W/\"10c-XgivqmGYCK7oo1jxIM/+AH9kSpE\"",
      "vary": "Accept-Encoding",
      "date": "Wed, 27 Aug 2025 20:33:42 GMT",
      "Connection": "close",
      "Cache-Control": "public, max-age=99999"
    },
    "body": "{\"status\":\"success\",\"data\":{\"id\":21,\"UserId\":1,\"fullName\":\"John Doe\",\"mobileNum\":1234567890,\"zipCode\":\"12345\",\"streetAddress\":\"123 Main St\",\"city\":\"Metropolis\",\"state\":\"NY\",\"country\":\"USA\",\"updatedAt\":\"2025-08-27T20:33:42.222Z\",\"createdAt\":\"2025-08-27T20:33:42.222Z\"}}",
    "bodyUrl": null,
    "status": 201
  },
  "entryPointId": "jYAkKgquEh7kLhubMeXCpe",
  "tickets": [],
  "externalIssues": [],
  "issues": [
    {
      "scanId": "92WSCQi3dJ7xqPwVTHX77Q",
      "issueId": "2ty443ANpCjtfH2dAQdYA1",
      "createdAt": "2025-08-27T20:33:42.361Z"
    }
  ],
  "details": "This vulnerability allows an attacker to enumerate valid object IDs by observing the application's response to requests with valid and invalid object IDs. This information can be used to identify valid object accounts and potentially gain unauthorized access to sensitive information. An attacker can use this vulnerability to identify valid object accounts and potentially gain unauthorized access to sensitive information.",
  "remedy": "Ensure that the application verify the user's identity before returning any information about the object. Make sure that authorization checks are performed on the server side and that the application does not return any information about the object if the user is not authorized to access it.",
  "exposure": "Data leakage; Access to unauthorized information",
  "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
  "cwe": "CWE-639",
  "resources": [
    "https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account"
  ],
  "screenshots": [],
  "lastScanId": "92WSCQi3dJ7xqPwVTHX77Q",
  "projectId": "eDr1yEcB24cZ51qtsE7hy4",
  "projectIssueId": "349jHHzthhSTX7mojFFXTE",
  "certainty": true,
  "scanIds": [
    "92WSCQi3dJ7xqPwVTHX77Q"
  ],
  "issueIds": [
    "2ty443ANpCjtfH2dAQdYA1"
  ],
  "scanId": "92WSCQi3dJ7xqPwVTHX77Q",
  "time": "2025-08-27T20:33:42.244Z",
  "type": "[BL] ID Enumeration",
  "solved": false,
  "link": "https://app.brightsec.com/scans/92WSCQi3dJ7xqPwVTHX77Q/issues/2ty443ANpCjtfH2dAQdYA1"
}
import { SecRunner } from '@sectester/runner';
import { AttackParamLocation, HttpMethod } from '@sectester/scan';

const timeout = 40 * 60 * 1000;
const baseUrl = process.env.BRIGHT_TARGET_URL!;

let runner!: SecRunner;

before(async () => {
runner = new SecRunner({
hostname: process.env.BRIGHT_HOSTNAME!,
projectId: process.env.BRIGHT_PROJECT_ID!
});

await runner.init();
});

after(() => runner.clear());

test('POST /api/addresss', { signal: AbortSignal.timeout(timeout) }, async () => {
await runner
.createScan({
tests: ['id_enumeration'],
attackParamLocations: [AttackParamLocation.BODY],
starMetadata: { databases: ['SQLite'] }
})
.setFailFast(false)
.timeout(timeout)
.run({
method: HttpMethod.POST,
url: `${baseUrl}/api/Addresss`,
body: {
UserId: 1,
fullName: 'John Doe',
mobileNum: 1234567890,
zipCode: '12345',
streetAddress: '123 Main St',
city: 'Metropolis',
state: 'NY',
country: 'USA'
},
headers: { 'Content-Type': 'application/json' },
auth: process.env.BRIGHT_AUTH_ID
});
});
39 changes: 39 additions & 0 deletions .brightsec/tests/post-rest-products-reviews.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,39 @@
import { test, before, after } from 'node:test';

Check failure on line 1 in .brightsec/tests/post-rest-products-reviews.test.ts

View workflow job for this annotation

GitHub Actions / SecTester (3 issues)

.brightsec/tests/post-rest-products-reviews.test.ts#L1 

MongoDB Injection vulnerability found at POST http://127.0.0.1:3000/rest/products/reviews
Raw output 
{
  "id": "vSFipMD7AH8xPiwj3JYmm9",
  "name": "MongoDB Injection",
  "severity": "Critical",
  "labels": [],
  "assigneeIds": [],
  "comments": [],
  "status": "recurring",
  "occurrences": 14,
  "lastReported": "2025-08-27T20:33:36.206Z",
  "discoveredAt": null,
  "resolvedAt": null,
  "createdAt": "2025-08-27T20:33:37.034Z",
  "url": "http://127.0.0.1:3000/rest/products/reviews",
  "host": "127.0.0.1:3000",
  "method": "POST",
  "protocol": "http",
  "originalRequest": {
    "method": "POST",
    "url": "http://127.0.0.1:3000/rest/products/reviews",
    "headers": {
      "content-type": "application/json",
      "Content-Length": "33",
      "Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImFkbWluQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIiLCJwcm9maWxlSW1hZ2UiOiJhc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHRBZG1pbi5wbmciLCJ0b3RwU2VjcmV0IjoiIiwiaXNBY3RpdmUiOnRydWUsImNyZWF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsImRlbGV0ZWRBdCI6bnVsbH0sImlhdCI6MTc1NjMyNjgxMH0.uFB8zEvsf11wrKMZB17lmI57kxJFazXnGKur-lDbu5WXCCv0aCfndoItmG_gSkmn2PbAOoL30NQDA_LSxkvjMigrxuEauop7kf-wbkoC3ArOQ5jJbW6Hji2Vd1PMlZAE8AQTuZkUoDkvYggGNdAwc-65KILxF4lekAfafLTPEiU",
      "Cookie": "token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImFkbWluQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIiLCJwcm9maWxlSW1hZ2UiOiJhc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHRBZG1pbi5wbmciLCJ0b3RwU2VjcmV0IjoiIiwiaXNBY3RpdmUiOnRydWUsImNyZWF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsImRlbGV0ZWRBdCI6bnVsbH0sImlhdCI6MTc1NjMyNjgxMH0.uFB8zEvsf11wrKMZB17lmI57kxJFazXnGKur-lDbu5WXCCv0aCfndoItmG_gSkmn2PbAOoL30NQDA_LSxkvjMigrxuEauop7kf-wbkoC3ArOQ5jJbW6Hji2Vd1PMlZAE8AQTuZkUoDkvYggGNdAwc-65KILxF4lekAfafLTPEiU",
      "Connection": "close",
      "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.165 Safari/537.36"
    },
    "body": "{\"id\":\"507f1f77bcf86cd799439011\"}"
  },
  "request": {
    "method": "POST",
    "url": "http://127.0.0.1:3000/rest/products/reviews",
    "headers": {
      "content-type": "application/json",
      "Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImFkbWluQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIiLCJwcm9maWxlSW1hZ2UiOiJhc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHRBZG1pbi5wbmciLCJ0b3RwU2VjcmV0IjoiIiwiaXNBY3RpdmUiOnRydWUsImNyZWF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsImRlbGV0ZWRBdCI6bnVsbH0sImlhdCI6MTc1NjMyNjgxMH0.uFB8zEvsf11wrKMZB17lmI57kxJFazXnGKur-lDbu5WXCCv0aCfndoItmG_gSkmn2PbAOoL30NQDA_LSxkvjMigrxuEauop7kf-wbkoC3ArOQ5jJbW6Hji2Vd1PMlZAE8AQTuZkUoDkvYggGNdAwc-65KILxF4lekAfafLTPEiU",
      "Cookie": "token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImFkbWluQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIiLCJwcm9maWxlSW1hZ2UiOiJhc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHRBZG1pbi5wbmciLCJ0b3RwU2VjcmV0IjoiIiwiaXNBY3RpdmUiOnRydWUsImNyZWF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsImRlbGV0ZWRBdCI6bnVsbH0sImlhdCI6MTc1NjMyNjgxMH0.uFB8zEvsf11wrKMZB17lmI57kxJFazXnGKur-lDbu5WXCCv0aCfndoItmG_gSkmn2PbAOoL30NQDA_LSxkvjMigrxuEauop7kf-wbkoC3ArOQ5jJbW6Hji2Vd1PMlZAE8AQTuZkUoDkvYggGNdAwc-65KILxF4lekAfafLTPEiU",
      "Connection": "close",
      "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.165 Safari/537.36",
      "Content-Length": "22"
    },
    "body": "{\"id\":{\"$regex\":\".*\"}}"
  },
  "response": {
    "headers": {
      "access-control-allow-origin": "*",
      "x-content-type-options": "nosniff",
      "x-frame-options": "SAMEORIGIN",
      "feature-policy": "payment 'self'",
      "x-recruiting": "/#/jobs",
      "content-type": "application/json; charset=utf-8",
      "content-length": "451",
      "etag": "W/\"1c3-Jaq2tdkUPAmse1TjTsSY/KJ6gv8\"",
      "vary": "Accept-Encoding",
      "date": "Wed, 27 Aug 2025 20:33:36 GMT",
      "Connection": "close",
      "Cache-Control": "public, max-age=99999"
    },
    "body": "{\"modified\":1,\"original\":[{\"message\":\"Here yo' learn how tha fuck ta not show yo' goddamn phone on camera!\",\"author\":\"mc.safesearch@juice-sh.op\",\"product\":36,\"likesCount\":2,\"likedBy\":[\"admin@juice-sh.op\"],\"_id\":\"2vwt9WHFpgtYsvfdg\"}],\"updated\":[{\"message\":\"Here yo' learn how tha fuck ta not show yo' goddamn phone on camera!\",\"author\":\"mc.safesearch@juice-sh.op\",\"product\":36,\"likesCount\":2,\"likedBy\":[\"admin@juice-sh.op\"],\"_id\":\"2vwt9WHFpgtYsvfdg\"}]}",
    "bodyUrl": null,
    "status": 200
  },
  "entryPointId": "eDqe1J6GLoLfNeXen9RqSe",
  "tickets": [],
  "externalIssues": [],
  "issues": [
    {
      "scanId": "5tFcdWtDDHpbGyxFtAzTqR",
      "issueId": "vSFipMD7AH8xPiwj3JYmm9",
      "createdAt": "2025-08-27T20:33:37.128Z"
    }
  ],
  "details": "The target application fails to properly validate user input before using it in a MongoDB query. This allows an attacker to inject MongoDB query language syntax into the input fields, which can lead to a variety of attacks.",
  "remedy": "Ensure that all user input is properly validated and sanitized before being used in a MongoDB query. Use parameterized queries or prepared statements to prevent injection attacks.",
  "exposure": "Bypass Protection Mechanism; Read Application Data; Modify Application Data",
  "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "cwe": "CWE-284",
  "resources": [
    "https://cwe.mitre.org/data/definitions/943.html",
    "https://www.owasp.org/index.php/Testing_for_NoSQL_injection"
  ],
  "screenshots": [],
  "lastScanId": "5tFcdWtDDHpbGyxFtAzTqR",
  "projectId": "eDr1yEcB24cZ51qtsE7hy4",
  "projectIssueId": "fqsuwScmDZ9e8aKaKkEpxP",
  "certainty": false,
  "scanIds": [
    "5tFcdWtDDHpbGyxFtAzTqR"
  ],
  "issueIds": [
    "vSFipMD7AH8xPiwj3JYmm9"
  ],
  "scanId": "5tFcdWtDDHpbGyxFtAzTqR",
  "time": "2025-08-27T20:33:36.206Z",
  "type": "MongoDB Injection",
  "solved": false,
  "link": "https://app.brightsec.com/scans/5tFcdWtDDHpbGyxFtAzTqR/issues/vSFipMD7AH8xPiwj3JYmm9"
}

Check failure on line 1 in .brightsec/tests/post-rest-products-reviews.test.ts

View workflow job for this annotation

GitHub Actions / SecTester (3 issues)

.brightsec/tests/post-rest-products-reviews.test.ts#L1 

MongoDB Injection vulnerability found at POST http://127.0.0.1:3000/rest/products/reviews
Raw output 
{
  "id": "o2R2rRf3M2zZYy84ZKkHVV",
  "name": "MongoDB Injection",
  "severity": "Critical",
  "labels": [],
  "assigneeIds": [],
  "comments": [],
  "status": "recurring",
  "occurrences": 14,
  "lastReported": "2025-08-27T20:33:36.206Z",
  "discoveredAt": null,
  "resolvedAt": null,
  "createdAt": "2025-08-27T20:33:37.033Z",
  "url": "http://127.0.0.1:3000/rest/products/reviews",
  "host": "127.0.0.1:3000",
  "method": "POST",
  "protocol": "http",
  "originalRequest": {
    "method": "POST",
    "url": "http://127.0.0.1:3000/rest/products/reviews",
    "headers": {
      "content-type": "application/json",
      "Content-Length": "33",
      "Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImFkbWluQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIiLCJwcm9maWxlSW1hZ2UiOiJhc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHRBZG1pbi5wbmciLCJ0b3RwU2VjcmV0IjoiIiwiaXNBY3RpdmUiOnRydWUsImNyZWF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsImRlbGV0ZWRBdCI6bnVsbH0sImlhdCI6MTc1NjMyNjgxMH0.uFB8zEvsf11wrKMZB17lmI57kxJFazXnGKur-lDbu5WXCCv0aCfndoItmG_gSkmn2PbAOoL30NQDA_LSxkvjMigrxuEauop7kf-wbkoC3ArOQ5jJbW6Hji2Vd1PMlZAE8AQTuZkUoDkvYggGNdAwc-65KILxF4lekAfafLTPEiU",
      "Cookie": "token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImFkbWluQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIiLCJwcm9maWxlSW1hZ2UiOiJhc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHRBZG1pbi5wbmciLCJ0b3RwU2VjcmV0IjoiIiwiaXNBY3RpdmUiOnRydWUsImNyZWF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsImRlbGV0ZWRBdCI6bnVsbH0sImlhdCI6MTc1NjMyNjgxMH0.uFB8zEvsf11wrKMZB17lmI57kxJFazXnGKur-lDbu5WXCCv0aCfndoItmG_gSkmn2PbAOoL30NQDA_LSxkvjMigrxuEauop7kf-wbkoC3ArOQ5jJbW6Hji2Vd1PMlZAE8AQTuZkUoDkvYggGNdAwc-65KILxF4lekAfafLTPEiU",
      "Connection": "close",
      "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.165 Safari/537.36"
    },
    "body": "{\"id\":\"507f1f77bcf86cd799439011\"}"
  },
  "request": {
    "method": "POST",
    "url": "http://127.0.0.1:3000/rest/products/reviews",
    "headers": {
      "content-type": "application/json",
      "Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImFkbWluQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIiLCJwcm9maWxlSW1hZ2UiOiJhc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHRBZG1pbi5wbmciLCJ0b3RwU2VjcmV0IjoiIiwiaXNBY3RpdmUiOnRydWUsImNyZWF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsImRlbGV0ZWRBdCI6bnVsbH0sImlhdCI6MTc1NjMyNjgxMH0.uFB8zEvsf11wrKMZB17lmI57kxJFazXnGKur-lDbu5WXCCv0aCfndoItmG_gSkmn2PbAOoL30NQDA_LSxkvjMigrxuEauop7kf-wbkoC3ArOQ5jJbW6Hji2Vd1PMlZAE8AQTuZkUoDkvYggGNdAwc-65KILxF4lekAfafLTPEiU",
      "Cookie": "token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImFkbWluQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIiLCJwcm9maWxlSW1hZ2UiOiJhc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHRBZG1pbi5wbmciLCJ0b3RwU2VjcmV0IjoiIiwiaXNBY3RpdmUiOnRydWUsImNyZWF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsImRlbGV0ZWRBdCI6bnVsbH0sImlhdCI6MTc1NjMyNjgxMH0.uFB8zEvsf11wrKMZB17lmI57kxJFazXnGKur-lDbu5WXCCv0aCfndoItmG_gSkmn2PbAOoL30NQDA_LSxkvjMigrxuEauop7kf-wbkoC3ArOQ5jJbW6Hji2Vd1PMlZAE8AQTuZkUoDkvYggGNdAwc-65KILxF4lekAfafLTPEiU",
      "Connection": "close",
      "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.165 Safari/537.36",
      "Content-Length": "27"
    },
    "body": "{\"id\":{\"$gt\":\"ec62d4b17b\"}}"
  },
  "response": {
    "headers": {
      "access-control-allow-origin": "*",
      "x-content-type-options": "nosniff",
      "x-frame-options": "SAMEORIGIN",
      "feature-policy": "payment 'self'",
      "x-recruiting": "/#/jobs",
      "content-type": "application/json; charset=utf-8",
      "content-length": "336",
      "etag": "W/\"150-VXOGIm+px2J27yvE/Um1mWWgYJM\"",
      "vary": "Accept-Encoding",
      "date": "Wed, 27 Aug 2025 20:33:35 GMT",
      "Connection": "close",
      "Cache-Control": "public, max-age=99999"
    },
    "body": "{\"modified\":1,\"original\":[{\"message\":\"I'll be there! Will you, too?\",\"author\":\"bjoern@owasp.org\",\"product\":44,\"likesCount\":1,\"likedBy\":[],\"_id\":\"g2iyYgyvSpn4uT9RT\"}],\"updated\":[{\"message\":\"I'll be there! Will you, too?\",\"author\":\"bjoern@owasp.org\",\"product\":44,\"likesCount\":1,\"likedBy\":[\"admin@juice-sh.op\"],\"_id\":\"g2iyYgyvSpn4uT9RT\"}]}",
    "bodyUrl": null,
    "status": 200
  },
  "entryPointId": "eDqe1J6GLoLfNeXen9RqSe",
  "tickets": [],
  "externalIssues": [],
  "issues": [
    {
      "scanId": "5tFcdWtDDHpbGyxFtAzTqR",
      "issueId": "o2R2rRf3M2zZYy84ZKkHVV",
      "createdAt": "2025-08-27T20:33:37.117Z"
    }
  ],
  "details": "The target application fails to properly validate user input before using it in a MongoDB query. This allows an attacker to inject MongoDB query language syntax into the input fields, which can lead to a variety of attacks.",
  "remedy": "Ensure that all user input is properly validated and sanitized before being used in a MongoDB query. Use parameterized queries or prepared statements to prevent injection attacks.",
  "exposure": "Bypass Protection Mechanism; Read Application Data; Modify Application Data",
  "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "cwe": "CWE-284",
  "resources": [
    "https://cwe.mitre.org/data/definitions/943.html",
    "https://www.owasp.org/index.php/Testing_for_NoSQL_injection"
  ],
  "screenshots": [],
  "lastScanId": "5tFcdWtDDHpbGyxFtAzTqR",
  "projectId": "eDr1yEcB24cZ51qtsE7hy4",
  "projectIssueId": "fqsuwScmDZ9e8aKaKkEpxP",
  "certainty": false,
  "scanIds": [
    "5tFcdWtDDHpbGyxFtAzTqR"
  ],
  "issueIds": [
    "o2R2rRf3M2zZYy84ZKkHVV"
  ],
  "scanId": "5tFcdWtDDHpbGyxFtAzTqR",
  "time": "2025-08-27T20:33:35.086Z",
  "type": "MongoDB Injection",
  "solved": false,
  "link": "https://app.brightsec.com/scans/5tFcdWtDDHpbGyxFtAzTqR/issues/o2R2rRf3M2zZYy84ZKkHVV"
}

Check failure on line 1 in .brightsec/tests/post-rest-products-reviews.test.ts

View workflow job for this annotation

GitHub Actions / SecTester (3 issues)

.brightsec/tests/post-rest-products-reviews.test.ts#L1 

MongoDB Injection vulnerability found at POST http://127.0.0.1:3000/rest/products/reviews
Raw output 
{
  "id": "fDoj5ZFXgR2A36LfVgLf38",
  "name": "MongoDB Injection",
  "severity": "Critical",
  "labels": [],
  "assigneeIds": [],
  "comments": [],
  "status": "recurring",
  "occurrences": 14,
  "lastReported": "2025-08-27T20:33:36.206Z",
  "discoveredAt": null,
  "resolvedAt": null,
  "createdAt": "2025-08-27T20:33:37.033Z",
  "url": "http://127.0.0.1:3000/rest/products/reviews",
  "host": "127.0.0.1:3000",
  "method": "POST",
  "protocol": "http",
  "originalRequest": {
    "method": "POST",
    "url": "http://127.0.0.1:3000/rest/products/reviews",
    "headers": {
      "content-type": "application/json",
      "Content-Length": "33",
      "Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImFkbWluQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIiLCJwcm9maWxlSW1hZ2UiOiJhc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHRBZG1pbi5wbmciLCJ0b3RwU2VjcmV0IjoiIiwiaXNBY3RpdmUiOnRydWUsImNyZWF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsImRlbGV0ZWRBdCI6bnVsbH0sImlhdCI6MTc1NjMyNjgxMH0.uFB8zEvsf11wrKMZB17lmI57kxJFazXnGKur-lDbu5WXCCv0aCfndoItmG_gSkmn2PbAOoL30NQDA_LSxkvjMigrxuEauop7kf-wbkoC3ArOQ5jJbW6Hji2Vd1PMlZAE8AQTuZkUoDkvYggGNdAwc-65KILxF4lekAfafLTPEiU",
      "Cookie": "token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImFkbWluQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIiLCJwcm9maWxlSW1hZ2UiOiJhc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHRBZG1pbi5wbmciLCJ0b3RwU2VjcmV0IjoiIiwiaXNBY3RpdmUiOnRydWUsImNyZWF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsImRlbGV0ZWRBdCI6bnVsbH0sImlhdCI6MTc1NjMyNjgxMH0.uFB8zEvsf11wrKMZB17lmI57kxJFazXnGKur-lDbu5WXCCv0aCfndoItmG_gSkmn2PbAOoL30NQDA_LSxkvjMigrxuEauop7kf-wbkoC3ArOQ5jJbW6Hji2Vd1PMlZAE8AQTuZkUoDkvYggGNdAwc-65KILxF4lekAfafLTPEiU",
      "Connection": "close",
      "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.165 Safari/537.36"
    },
    "body": "{\"id\":\"507f1f77bcf86cd799439011\"}"
  },
  "request": {
    "method": "POST",
    "url": "http://127.0.0.1:3000/rest/products/reviews",
    "headers": {
      "content-type": "application/json",
      "Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImFkbWluQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIiLCJwcm9maWxlSW1hZ2UiOiJhc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHRBZG1pbi5wbmciLCJ0b3RwU2VjcmV0IjoiIiwiaXNBY3RpdmUiOnRydWUsImNyZWF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsImRlbGV0ZWRBdCI6bnVsbH0sImlhdCI6MTc1NjMyNjgxMH0.uFB8zEvsf11wrKMZB17lmI57kxJFazXnGKur-lDbu5WXCCv0aCfndoItmG_gSkmn2PbAOoL30NQDA_LSxkvjMigrxuEauop7kf-wbkoC3ArOQ5jJbW6Hji2Vd1PMlZAE8AQTuZkUoDkvYggGNdAwc-65KILxF4lekAfafLTPEiU",
      "Cookie": "token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdGF0dXMiOiJzdWNjZXNzIiwiZGF0YSI6eyJpZCI6MSwidXNlcm5hbWUiOiIiLCJlbWFpbCI6ImFkbWluQGp1aWNlLXNoLm9wIiwicGFzc3dvcmQiOiIwMTkyMDIzYTdiYmQ3MzI1MDUxNmYwNjlkZjE4YjUwMCIsInJvbGUiOiJhZG1pbiIsImRlbHV4ZVRva2VuIjoiIiwibGFzdExvZ2luSXAiOiIiLCJwcm9maWxlSW1hZ2UiOiJhc3NldHMvcHVibGljL2ltYWdlcy91cGxvYWRzL2RlZmF1bHRBZG1pbi5wbmciLCJ0b3RwU2VjcmV0IjoiIiwiaXNBY3RpdmUiOnRydWUsImNyZWF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsInVwZGF0ZWRBdCI6IjIwMjUtMDgtMjcgMjA6MzI6NDAuMjQyICswMDowMCIsImRlbGV0ZWRBdCI6bnVsbH0sImlhdCI6MTc1NjMyNjgxMH0.uFB8zEvsf11wrKMZB17lmI57kxJFazXnGKur-lDbu5WXCCv0aCfndoItmG_gSkmn2PbAOoL30NQDA_LSxkvjMigrxuEauop7kf-wbkoC3ArOQ5jJbW6Hji2Vd1PMlZAE8AQTuZkUoDkvYggGNdAwc-65KILxF4lekAfafLTPEiU",
      "Connection": "close",
      "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.6998.165 Safari/537.36",
      "Content-Length": "27"
    },
    "body": "{\"id\":{\"$ne\":\"62eac8930f\"}}"
  },
  "response": {
    "headers": {
      "access-control-allow-origin": "*",
      "x-content-type-options": "nosniff",
      "x-frame-options": "SAMEORIGIN",
      "feature-policy": "payment 'self'",
      "x-recruiting": "/#/jobs",
      "content-type": "application/json; charset=utf-8",
      "content-length": "432",
      "etag": "W/\"1b0-N8MMf+M9EuXO6WfxE0EbJt6z2fg\"",
      "vary": "Accept-Encoding",
      "date": "Wed, 27 Aug 2025 20:33:35 GMT",
      "Connection": "close",
      "Cache-Control": "public, max-age=99999"
    },
    "body": "{\"modified\":1,\"original\":[{\"message\":\"Here yo' learn how tha fuck ta not show yo' goddamn phone on camera!\",\"author\":\"mc.safesearch@juice-sh.op\",\"product\":36,\"likesCount\":1,\"likedBy\":[],\"_id\":\"2vwt9WHFpgtYsvfdg\"}],\"updated\":[{\"message\":\"Here yo' learn how tha fuck ta not show yo' goddamn phone on camera!\",\"author\":\"mc.safesearch@juice-sh.op\",\"product\":36,\"likesCount\":1,\"likedBy\":[\"admin@juice-sh.op\"],\"_id\":\"2vwt9WHFpgtYsvfdg\"}]}",
    "bodyUrl": null,
    "status": 200
  },
  "entryPointId": "eDqe1J6GLoLfNeXen9RqSe",
  "tickets": [],
  "externalIssues": [],
  "issues": [
    {
      "scanId": "5tFcdWtDDHpbGyxFtAzTqR",
      "issueId": "fDoj5ZFXgR2A36LfVgLf38",
      "createdAt": "2025-08-27T20:33:37.122Z"
    }
  ],
  "details": "The target application fails to properly validate user input before using it in a MongoDB query. This allows an attacker to inject MongoDB query language syntax into the input fields, which can lead to a variety of attacks.",
  "remedy": "Ensure that all user input is properly validated and sanitized before being used in a MongoDB query. Use parameterized queries or prepared statements to prevent injection attacks.",
  "exposure": "Bypass Protection Mechanism; Read Application Data; Modify Application Data",
  "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "cwe": "CWE-284",
  "resources": [
    "https://cwe.mitre.org/data/definitions/943.html",
    "https://www.owasp.org/index.php/Testing_for_NoSQL_injection"
  ],
  "screenshots": [],
  "lastScanId": "5tFcdWtDDHpbGyxFtAzTqR",
  "projectId": "eDr1yEcB24cZ51qtsE7hy4",
  "projectIssueId": "fqsuwScmDZ9e8aKaKkEpxP",
  "certainty": false,
  "scanIds": [
    "5tFcdWtDDHpbGyxFtAzTqR"
  ],
  "issueIds": [
    "fDoj5ZFXgR2A36LfVgLf38"
  ],
  "scanId": "5tFcdWtDDHpbGyxFtAzTqR",
  "time": "2025-08-27T20:33:35.570Z",
  "type": "MongoDB Injection",
  "solved": false,
  "link": "https://app.brightsec.com/scans/5tFcdWtDDHpbGyxFtAzTqR/issues/fDoj5ZFXgR2A36LfVgLf38"
}
import { SecRunner } from '@sectester/runner';
import { AttackParamLocation, HttpMethod } from '@sectester/scan';

const timeout = 40 * 60 * 1000;
const baseUrl = process.env.BRIGHT_TARGET_URL!;

let runner!: SecRunner;

before(async () => {
runner = new SecRunner({
hostname: process.env.BRIGHT_HOSTNAME!,
projectId: process.env.BRIGHT_PROJECT_ID!
});

await runner.init();
});

after(() => runner.clear());

test('POST /rest/products/reviews', { signal: AbortSignal.timeout(timeout) }, async () => {
await runner
.createScan({
tests: ['nosql'],
attackParamLocations: [AttackParamLocation.BODY],
starMetadata: { databases: ['SQLite'] }
})
.setFailFast(false)
.timeout(timeout)
.run({
method: HttpMethod.POST,
url: `${baseUrl}/rest/products/reviews`,
body: {
id: '507f1f77bcf86cd799439011'
},
headers: { 'Content-Type': 'application/json' },
auth: process.env.BRIGHT_AUTH_ID
});
});
44 changes: 44 additions & 0 deletions .github/workflows/bright.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
name: Bright

on:
pull_request:
branches:
- '**'

permissions:
checks: write
contents: read
id-token: write

jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Check out repository
uses: actions/checkout@v4

- name: Set up Node.js 22.x
uses: actions/setup-node@v4
with:
node-version: 22.x

- name: Install application dependencies
run: npm install

- name: Start application
run: |
npm start &
until nc -zv 127.0.0.1 3000; do sleep 1; done

- name: Install SecTesterJS dependencies
run: npm i --save=false --prefix .brightsec @sectester/core @sectester/repeater @sectester/scan @sectester/runner @sectester/reporter

- name: Run security tests
env:
BRIGHT_HOSTNAME: ${{ vars.BRIGHT_HOSTNAME }}
BRIGHT_PROJECT_ID: ${{ vars.BRIGHT_PROJECT_ID }}
BRIGHT_AUTH_ID: ${{ vars.BRIGHT_AUTH_ID }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
BRIGHT_TOKEN: ${{ secrets.BRIGHT_TOKEN }}
BRIGHT_TARGET_URL: http://127.0.0.1:3000
run: node --experimental-transform-types --experimental-strip-types --experimental-detect-module --disable-warning=MODULE_TYPELESS_PACKAGE_JSON --disable-warning=ExperimentalWarning --test-force-exit --test-concurrency=4 --test .brightsec/tests/*.test.ts
64 changes: 24 additions & 40 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,22 +1,25 @@
name: "CI/CD Pipeline"
on:
push:
branches-ignore:
- l10n_develop
- gh-pages
paths-ignore:
- '*.md'
- 'LICENSE'
- 'monitoring/grafana-dashboard.json'
- 'screenshots/**'
tags-ignore:
- '*'
pull_request:
paths-ignore:
- '*.md'
- 'LICENSE'
- 'data/static/i18n/*.json'
- 'frontend/src/assets/i18n/*.json'
workflow_dispatch:
# on:
# push:
# branches-ignore:
# - l10n_develop
# - gh-pages
# paths-ignore:
# - '*.md'
# - 'LICENSE'
# - 'monitoring/grafana-dashboard.json'
# - 'screenshots/**'
# tags-ignore:
# - '*'
# pull_request:
# paths-ignore:
# - '*.md'
# - 'LICENSE'
# - 'data/static/i18n/*.json'
# - 'frontend/src/assets/i18n/*.json'

env:
NODE_DEFAULT_VERSION: 22
NODE_OPTIONS: "--max_old_space_size=4096"
Expand All @@ -40,18 +43,8 @@ jobs:
run: npm run lint
- name: "Lint customization configs"
run: >
npm run lint:config -- -f ./config/7ms.yml &&
npm run lint:config -- -f ./config/addo.yml &&
npm run lint:config -- -f ./config/bodgeit.yml &&
npm run lint:config -- -f ./config/ctf.yml &&
npm run lint:config -- -f ./config/default.yml &&
npm run lint:config -- -f ./config/fbctf.yml &&
npm run lint:config -- -f ./config/juicebox.yml &&
npm run lint:config -- -f ./config/mozilla.yml &&
npm run lint:config -- -f ./config/oss.yml &&
npm run lint:config -- -f ./config/quiet.yml &&
npm run lint:config -- -f ./config/tutorial.yml &&
npm run lint:config -- -f ./config/unsafe.yml
npm run lint:config -- -f ./config/7ms.yml && npm run lint:config -- -f ./config/addo.yml && npm run lint:config -- -f ./config/bodgeit.yml && npm run lint:config -- -f ./config/ctf.yml && npm run lint:config -- -f ./config/default.yml && npm run lint:config -- -f ./config/fbctf.yml && npm run lint:config -- -f ./config/juicebox.yml && npm run lint:config -- -f ./config/mozilla.yml && npm run lint:config -- -f ./config/oss.yml && npm run lint:config -- -f ./config/quiet.yml && npm run lint:config -- -f ./config/tutorial.yml && npm run lint:config -- -f ./config/unsafe.yml

coding-challenge-rsn:
runs-on: windows-latest
steps:
Expand Down Expand Up @@ -184,17 +177,8 @@ jobs:
timeout_minutes: 30
max_attempts: 3
command: >
NODE_ENV=7ms npm run test:server &&
NODE_ENV=addo npm run test:server &&
NODE_ENV=bodgeit npm run test:server &&
NODE_ENV=ctf npm run test:server &&
NODE_ENV=fbctf npm run test:server &&
NODE_ENV=juicebox npm run test:server &&
NODE_ENV=mozilla npm run test:server &&
NODE_ENV=oss npm run test:server &&
NODE_ENV=quiet npm run test:server &&
NODE_ENV=tutorial npm run test:server &&
NODE_ENV=unsafe npm run test:server
NODE_ENV=7ms npm run test:server && NODE_ENV=addo npm run test:server && NODE_ENV=bodgeit npm run test:server && NODE_ENV=ctf npm run test:server && NODE_ENV=fbctf npm run test:server && NODE_ENV=juicebox npm run test:server && NODE_ENV=mozilla npm run test:server && NODE_ENV=oss npm run test:server && NODE_ENV=quiet npm run test:server && NODE_ENV=tutorial npm run test:server && NODE_ENV=unsafe npm run test:server

e2e:
runs-on: ${{ matrix.os }}
strategy:
Expand Down
37 changes: 19 additions & 18 deletions .github/workflows/codeql-analysis.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@
name: "CodeQL Scan"

on:
push:
pull_request:
workflow_dispatch:
# on:
# push:
# pull_request:

jobs:
analyze:
Expand All @@ -15,19 +16,19 @@ jobs:
strategy:
fail-fast: false
matrix:
language: [ 'javascript-typescript' ]
language: ['javascript-typescript']
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: security-extended
config: |
paths-ignore:
- 'data/static/codefixes'
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
queries: security-extended
config: |
paths-ignore:
- 'data/static/codefixes'
- name: Autobuild
uses: github/codeql-action/autobuild@v3
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
53 changes: 53 additions & 0 deletions .github/workflows/composite/configure-bright-credentials/action.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
name: 'Configure BrightSec credentials'

inputs:
BRIGHT_HOSTNAME:
description: 'Hostname for the BrightSec environment'
required: true
BRIGHT_PROJECT_ID:
description: 'Project ID for BrightSec'
required: true
BRIGHT_TOKEN:
description: 'Pre-configured token'
required: false

runs:
using: 'composite'
steps:
- id: configure_env_from_input
name: 'Set existing token in env'
shell: bash
if: ${{ inputs.BRIGHT_TOKEN != '' }}
env:
BRIGHT_TOKEN: ${{ inputs.BRIGHT_TOKEN }}
run: |
echo "BRIGHT_TOKEN=${BRIGHT_TOKEN}" >> $GITHUB_ENV

- id: configure_bright_credentials_through_oidc
name: 'Exchange OIDC credentials for Bright token'
shell: bash
if: ${{ inputs.BRIGHT_TOKEN == '' }}
env:
BRIGHT_HOSTNAME: ${{ inputs.BRIGHT_HOSTNAME }}
BRIGHT_PROJECT_ID: ${{ inputs.BRIGHT_PROJECT_ID }}
run: |
# Retrieve OIDC token from GitHub
OIDC_TOKEN=$(curl -sS -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
"${ACTIONS_ID_TOKEN_REQUEST_URL}" | jq -r '.value')

# Post the token to BrightSec
RESPONSE=$(curl -s -X POST "https://${BRIGHT_HOSTNAME}/api/v1/projects/${BRIGHT_PROJECT_ID}/api-keys/oidc" \
-H "Content-Type: application/json" \
-d "{\"token\": \"${OIDC_TOKEN}\"}")

if ! echo "$RESPONSE" | jq -e . > /dev/null 2>&1; then
echo "Error: $RESPONSE" 1>&2
exit 1
fi

# Extract the pureKey
PURE_KEY=$(echo "$RESPONSE" | jq -r '.pureKey')

# Mask and store in environment
echo "::add-mask::$PURE_KEY"
echo "BRIGHT_TOKEN=$PURE_KEY" >> $GITHUB_ENV
Loading
Loading