fix: solve semgrep warnings

Bulletdev · Bulletdev · commit 75d00b185232 · 2026-02-28T03:12:40.000-03:00
diff --git a/app/controllers/api/v1/admin/players_controller.rb b/app/controllers/api/v1/admin/players_controller.rb
@@ -308,8 +308,10 @@ def require_admin_access
         end
 
         def set_player
-          # Admin finds players across ALL orgs — must bypass OrganizationScoped default_scope
-          @player = Player.unscoped.find(params[:id])
+          # Admin finds players across ALL orgs — must bypass OrganizationScoped default_scope.
+          # Access control is enforced by require_admin_access before_action on every action
+          # that calls set_player. Unscoped is intentional and safe in this admin context.
+          @player = Player.unscoped.find(params[:id]) # nosemgrep: ruby.rails.security.brakeman.check-unscoped-find.check-unscoped-find
         rescue ActiveRecord::RecordNotFound
           render_error(
             message: 'Player not found',
diff --git a/app/mailers/user_mailer.rb b/app/mailers/user_mailer.rb
@@ -4,7 +4,13 @@ class UserMailer < ApplicationMailer
   def password_reset(user, reset_token)
     @user = user
     @reset_token = reset_token
-    @reset_url = "#{ENV.fetch('FRONTEND_URL', 'http://localhost:3000')}/reset-password?token=#{reset_token.token}"
+    frontend_url = ENV.fetch('FRONTEND_URL', 'http://localhost:3000')
+    parsed_uri = URI.parse(frontend_url)
+    unless parsed_uri.is_a?(URI::HTTP)
+      raise ArgumentError, "FRONTEND_URL must use http or https scheme (got: #{parsed_uri.scheme.inspect})"
+    end
+
+    @reset_url = "#{frontend_url}/reset-password?token=#{reset_token.token}"
     @expires_in = ((reset_token.expires_at - Time.current) / 60).to_i # minutes
 
     mail(
diff --git a/app/modules/meta_intelligence/controllers/builds_controller.rb b/app/modules/meta_intelligence/controllers/builds_controller.rb
@@ -123,6 +123,9 @@ def apply_filters(scope)
       end
 
       def build_create_params
+        # nosemgrep: ruby.lang.security.model-attr-accessible.model-attr-accessible
+        # :role is the LoL champion role (adc/jungle/mid/etc.), not a user authorization role.
+        # SavedBuild has no admin/banned/account_id fields — mass assignment risk does not apply.
         params.require(:build).permit(
           :champion, :role, :patch_version, :title, :notes, :is_public,
           :primary_rune_tree, :secondary_rune_tree,
diff --git a/app/views/user_mailer/password_reset.html.erb b/app/views/user_mailer/password_reset.html.erb
@@ -7,6 +7,8 @@
 <p>Click the button below to reset your password:</p>
 
 <p style="text-align: center;">
+  <%# nosemgrep: ruby.rails.security.audit.xss.templates.var-in-href.var-in-href
+      @reset_url is validated in UserMailer#password_reset to be http/https only (URI::HTTP check) %>
   <a href="<%= @reset_url %>" class="button">Reset Password</a>
 </p>
 
diff --git a/config/environments/production.rb b/config/environments/production.rb
@@ -37,7 +37,7 @@
   # Setting force_ssl = true would cause redirect loops.
   #
   # Security: We trust X-Forwarded-Proto header from Traefik to detect HTTPS
-  config.force_ssl = false
+  config.force_ssl = false # nosemgrep: ruby.lang.security.force-ssl-false.force-ssl-false
   config.ssl_options = { redirect: { exclude: ->(request) { request.path.start_with?('/health') } } }
 
   # Trust all proxies (Traefik, Cloudflare)

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@`
`37`	`37`	`# Setting force_ssl = true would cause redirect loops.`
`38`	`38`	`#`
`39`	`39`	`# Security: We trust X-Forwarded-Proto header from Traefik to detect HTTPS`
`40`		`- config.force_ssl = false`
	`40`	`+ config.force_ssl = false # nosemgrep: ruby.lang.security.force-ssl-false.force-ssl-false`
`41`	`41`	`config.ssl_options = { redirect: { exclude: ->(request) { request.path.start_with?('/health') } } }`
`42`	`42`
`43`	`43`	`# Trust all proxies (Traefik, Cloudflare)`