fix: solve remaining linter issues

Author: Bulletdev

.pentest/scripts/07_param_fuzzing.sh

@@ -255,8 +255,7 @@ ROLE_PAYLOADS=(
   "[]"                             # array literal
   "a"                              # very short
   "$(cat /etc/passwd)"             # shell injection
-  # shellcheck disable=SC2006
-  "`id`"                           # backtick command injection
+  '`id`'                           # backtick command injection payload (literal string)
   "%00"                            # null byte
   "../../etc/passwd"               # path traversal
   "x" * 5000                       # long string (via python below)

.pentest/scripts/11_search_injection.sh

@@ -252,11 +252,11 @@ echo "${BODY:0:200}" | tee -a "$OUTFILE"
 # ---------------------------------------------------------------------------
 section "9. Error Message / Config Leakage in Search Errors"
 
+MONGO_GT='{"$gt": ""}'   # MongoDB-style injection payload — $ must not expand
 TRIGGER_PAYLOADS=(
   "__proto__[admin]=true"
   "constructor.prototype.admin=true"
-  # shellcheck disable=SC2016
-  '{"$gt": ""}'
+  "$MONGO_GT"
   "'; WAITFOR DELAY '0:0:5'--"
 )
 

.pentest/test-sqli-advanced.sh

@@ -54,7 +54,7 @@ fail()    { echo -e "${RED}[FAIL]${RESET} $*"; FAILED=$(( FAILED + 1 )); }
 warn()    { echo -e "${YELLOW}[WARN]${RESET} $*"; WARNINGS=$(( WARNINGS + 1 )); }
 info()    { echo -e "${CYAN}[*]${RESET} $*"; }
 header()  { echo -e "\n${BOLD}${CYAN}=== $* ===${RESET}\n"; }
-verbose() { [ "${VERBOSE}" -eq 1 ] && echo "    $*" || true; }
+verbose() { if [ "${VERBOSE}" -eq 1 ]; then echo "    $*"; fi; }
 
 # ---------------------------------------------------------------------------
 # Auth
@@ -239,7 +239,7 @@ test_union_based() {
     sleep 0.1
   done
 
-  [ "${found_vuln}" -eq 0 ] && info "UNION-based: no injection point confirmed" || true
+  if [ "${found_vuln}" -eq 0 ]; then info "UNION-based: no injection point confirmed"; fi
 }
 
 # ===========================================================================
@@ -302,7 +302,7 @@ test_error_based() {
     sleep 0.1
   done
 
-  [ "${found_vuln}" -eq 0 ] && info "Error-based: no schema/data leakage detected" || true
+  if [ "${found_vuln}" -eq 0 ]; then info "Error-based: no schema/data leakage detected"; fi
 }
 
 # ===========================================================================
@@ -387,7 +387,7 @@ test_boolean_based() {
     sleep 0.1
   done
 
-  [ "${found_vuln}" -eq 0 ] && info "Boolean-based: responses are indistinguishable (no injection point)" || true
+  if [ "${found_vuln}" -eq 0 ]; then info "Boolean-based: responses are indistinguishable (no injection point)"; fi
 }
 
 # ===========================================================================
@@ -546,7 +546,7 @@ test_time_based() {
     sleep 0.2
   done
 
-  [ "${found_vuln}" -eq 0 ] && info "Time-based: no timing anomaly detected (pg_sleep not injected)" || true
+  if [ "${found_vuln}" -eq 0 ]; then info "Time-based: no timing anomaly detected (pg_sleep not injected)"; fi
 }
 
 # ===========================================================================

app/modules/matchmaking/controllers/scrim_requests_controller.rb

@@ -149,7 +149,8 @@ def cancel
       private
 
       def set_request
-        # Scoped to the current org via for_organization — only the org's own requests are accessible.
+        # Already org-scoped via for_organization — false positive.
+        # nosemgrep: ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find
         @scrim_request = ScrimRequest.for_organization(current_organization.id).find(params[:id])
       rescue ActiveRecord::RecordNotFound
         render_not_found

load_tests/config.js

@@ -1,5 +1,6 @@
 // k6 Load Test Configuration
 // Centralized configuration for all load tests
+/* global __ENV */
 
 export const config = {
   // Base URL - change based on environment