Skip to content

ci: integrate Bright CI pipeline for security testing and remediation#37

Open
tssbox wants to merge 591 commits intomasterfrom
bright/b24891c3-ab12-4737-9fcd-f8abd6c6800a
Open

ci: integrate Bright CI pipeline for security testing and remediation#37
tssbox wants to merge 591 commits intomasterfrom
bright/b24891c3-ab12-4737-9fcd-f8abd6c6800a

Conversation

@tssbox
Copy link
Copy Markdown

@tssbox tssbox commented Nov 30, 2025
edited
Loading

Note

Fixed 1 of 2 vulnerabilities.
Please review the fixes before merging.

Fix Vulnerability Endpoint Affected Files Resolution
[Critical] SQL Injection GET /rest/products/search routes/search.ts Replaced dynamic SQL query with a parameterized query to prevent SQL injection.
[Medium] Unvalidated Redirect GET /ftp/acquisitions.md routes/redirect.ts Attempted fix: Added a check to ensure the URL is not an unintended redirect by using an allowlist before redirecting.
Workflow execution details
  • Repository Analysis: TypeScript, Express
  • Entrypoints Discovery: 161 entrypoints found
  • Attack Vectors Identification
  • E2E Security Tests Generation: 161 test files generated
  • E2E Security Tests Execution: 2 vulnerabilities found
  • Cleanup Irrelevant Test Files: 159 test files removed
  • Applying Security Fixes: 2 fixes generated
  • Workflow Wrap-Up

bkimminich and others added 30 commits September 2, 2025 18:21
@bkimminich
New translations en.json (Polish)
230a43e 
[ci skip]
Signed-off-by: Björn Kimminich <[email protected]>
@J12934
Update juicy-chat-bot version to 0.9.0
8470f16 
Updating the e2e with it to use the new processQuery syntax (had to be
renamed in the libary as process is a reserved keyword in js and was
causing problems in typescript)

Signed-off-by: Jannik Hollenbach <[email protected]>
@J12934
Drop unused linter dependency
6527b45 
Was conflicting with newer angular versions

Signed-off-by: Jannik Hollenbach <[email protected]>
@J12934
Update angular eslint builder to v20
c00e314 
Was still depending on some angular 18 stuff

Signed-off-by: Jannik Hollenbach <[email protected]>
@J12934
Slightly update ng2-file-upload to at least support angular 19 and add a
bfb9790 
overrides section to mark npm that it is acutally ok

Signed-off-by: Jannik Hollenbach <[email protected]>
@J12934
Merge pull request juice-shop#2725 from juice-shop/fix/update-to-juic…
36870cb 
…y-chat-bot-0-9-0

Update juicy-chat-bot version to 0.9.0
@J12934
Merge pull request juice-shop#2726 from juice-shop/fix/slight-depende…
cde6136 
…ncy-mess-improvements

Update angular related frontend dependencies still forcing us to use legacy-peer-deps
@bkimminich
New translations en.json (Polish)
305ea12 
[ci skip]
Signed-off-by: Björn Kimminich <[email protected]>
@bkimminich
New translations en.json (Polish)
cc1ae8f 
[ci skip]
Signed-off-by: Björn Kimminich <[email protected]>
@bogminic
refactor: remove deprecated ESLint configuration and update Angular C…
54dfe6d 
…LI and dependencies
@bogminic
Update routing in PaymentComponent tests to fix tests
84ba31d
@bogminic
Replace constructor dependency injection with inject()
597f2e6
@bogminic
refactor: simplify variable declarations by removing type annotations…
0315934 
… for default values:

- Updated various components and services to use shorthand syntax for variable declarations.
- Removed explicit type annotations for variables initialized with default values
- Added missing OnInit implementations
- Adjusted method signatures to use array types for better clarity in filter settings and difficulty selection.
@bogminic
Remove unnecessary ESLint disable comments across multiple services a…
2ac7aa0 
…nd components
@bogminic
Remove unused ESLint rules and update test cases for card number vali…
8a0234b 
…dation
@bogminic
Remove deprecated ESLint disable comments from form-submit service tests
0445d9e
@bogminic
Add ESLint disable comment for numberControl precision warning
ed6d913
@bogminic
Simplify for loop syntax in OAuthComponent and mimeType validator
c358611
@bogminic
Add ESLint disable comment for prefer-for-of rule in search result co…
b0b80ae 
…mponent
@bogminic
Remove unused parameters and simplify function signatures across mult…
2e2c60e 
…iple components
@bogminic
Add console warning for error during diffing in CodeFixesComponent
e6b5467
@bkimminich
New translations en.json (Polish)
1e5cbcf 
[ci skip]
Signed-off-by: Björn Kimminich <[email protected]>
@bogminic
Update angular-eslint version and modify postinstall script to use le…
5175274 
…gacy-peer-deps
@bogminic
Added ESLint dependencies in package.json
74ad859
@bogminic
Remove unnecessary ESLint disable comments in tokenMatcher functions
315dfc8
@bkimminich
New translations en.json (Polish)
74060e9 
[ci skip]
Signed-off-by: Björn Kimminich <[email protected]>
@bkimminich
New translations en.json (Polish)
cdca2c4 
[ci skip]
Signed-off-by: Björn Kimminich <[email protected]>
@bkimminich
New translations en.json (Polish)
c9567ac 
[ci skip]
Signed-off-by: Björn Kimminich <[email protected]>
@bogminic
Update ng2-file-upload to version 9.0.0 and modify postinstall script…
9aba4d7 
… to remove legacy-peer-deps
@bkimminich
New translations en.json (Japanese)
2e94a64 
[ci skip]
Signed-off-by: Björn Kimminich <[email protected]>
bogminic and others added 19 commits November 14, 2025 06:26
@bogminic
Merge branch 'develop' into overflow-stacking-issues
dcd9052
@bkimminich
Merge pull request juice-shop#2850 from bogminic/overflow-stacking-is…
fbeda39 
…sues

Adjust mat-card spacing on the basket page for smaller devices
@bkimminich
Merge pull request juice-shop#2814 from bogminic/remove-styles-from-html
d70cd76 
Refactor Last Login IP and Complain pages markup and styles for better semantics
@bkimminich
Merge pull request juice-shop#2808 from juice-shop/l10n_develop
6eae598 
New Crowdin updates
@bkimminich
Catch template rendering crashes
8dec625 
(and assume illegal activity in such
 a case. Resolves juice-shop#2676)
@bkimminich
Bump to v19.1.0
8a486af
@bkimminich
Check for correct challenge being enabled
969064e
@bkimminich
Bump copyright notices to include 2026
6631691
@bkimminich
Merge branch 'develop'
34a08d1
@bkimminich
Fix broken variable reference on Windows
c9af649
@bkimminich
Bump to v19.1.1
c8c407d
@pmstss
chore: disable workflows
4c8a394
@pmstss
fix: prevent crashing on GET /rest/products/:id/reviews and `POST /…
c3c1deb 
…rest/basket/:id/checkout`
@tssbox
chore: initialize PR with an empty commit
ffc59df 
skip-checks:true
@tssbox
ci: temporarily disable workflows while addressing security issues
3ff58ca 
skip-checks:true
@tssbox
test: add auto-generated e2e security tests
6cf3aa1 
skip-checks:true
@tssbox
ci: add CI workflow to run e2e security tests
3cc2e77
@tssbox
test: remove completed test files that are no longer relevant
40b4555 
skip-checks:true
@tssbox
test: optimize security tests to focus on specific vulnerabilities
c5bd2f5 
skip-checks:true
@tssbox tssbox force-pushed the bright/b24891c3-ab12-4737-9fcd-f8abd6c6800a branch 7 times, most recently from 8413d81 to c5bd2f5 Compare November 30, 2025 11:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.