fix: solve remaining linter issues

Bulletdev · Bulletdev · commit 75d08cdd31a0 · 2026-04-05T16:39:40.000-03:00
diff --git a/.pentest/front/check-security-headers.sh b/.pentest/front/check-security-headers.sh
@@ -7,7 +7,8 @@ TARGET="${1:-https://prostaff.gg}"
 
 GREEN='\033[0;32m'
 RED='\033[0;31m'
-YELLOW='\033[1;33m' # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+YELLOW='\033[1;33m'
 CYAN='\033[0;36m'
 NC='\033[0m'
 
diff --git a/.pentest/front/check-sri.sh b/.pentest/front/check-sri.sh
@@ -194,7 +194,8 @@ while IFS= read -r JS_FILE; do
   # Verifica comentario sourceMappingURL no fim do JS
   JS_TAIL=$(curl -sL "${JS_URL}" --max-time 10 2>/dev/null | tail -c 200)
   if echo "$JS_TAIL" | grep -q "sourceMappingURL"; then
-    MAP_FILE=$(echo "$JS_TAIL" | grep -oP "(?<=sourceMappingURL=)[^\s]+") # shellcheck disable=SC2034
+    # shellcheck disable=SC2034
+    MAP_FILE=$(echo "$JS_TAIL" | grep -oP "(?<=sourceMappingURL=)[^\s]+")
     # Tenta acessar o .map
     MAP_URL="${JS_URL%.*}.map"
     MAP_CODE=$(curl -sI "${MAP_URL}" --max-time 5 2>/dev/null | head -1 | grep -oP '[0-9]{3}' | head -1)
diff --git a/.pentest/scripts/02_auth_fingerprint.sh b/.pentest/scripts/02_auth_fingerprint.sh
@@ -20,7 +20,8 @@ set -euo pipefail
 # ---------------------------------------------------------------------------
 # Configuration
 # ---------------------------------------------------------------------------
-BASE_URL="http://localhost:3333" # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+BASE_URL="http://localhost:3333"
 API="http://localhost:3333/api/v1"
 TEST_EMAIL="test@prostaff.gg"
 TEST_PASSWORD="Test123!@#"
@@ -162,12 +163,15 @@ print(f'{avg:.4f}')
 
   echo "  Average: ${avg}s"
   # Store for comparison
-  TIMING_RESULT_LABEL="${label}" # shellcheck disable=SC2034
+  # shellcheck disable=SC2034
+  TIMING_RESULT_LABEL="${label}"
   TIMING_RESULT_AVG="${avg}"
 }
 
-AUTH_LAST_CODE="" # shellcheck disable=SC2034
-AUTH_LAST_TIME="" # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+AUTH_LAST_CODE=""
+# shellcheck disable=SC2034
+AUTH_LAST_TIME=""
 VALID_TOKEN=""
 
 # ===========================================================================
@@ -422,9 +426,12 @@ info "This test collects response times to detect whether the server processes"
 info "valid vs invalid emails differently (constant-time comparison check)."
 echo ""
 
-T1_TIMES=() # shellcheck disable=SC2034
-T2_TIMES=() # shellcheck disable=SC2034
-T3_TIMES=() # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+T1_TIMES=()
+# shellcheck disable=SC2034
+T2_TIMES=()
+# shellcheck disable=SC2034
+T3_TIMES=()
 
 collect_timing "Valid email, wrong password" "${TEST_EMAIL}" "${WRONG_PASSWORD}" "${TIMING_SAMPLES}"
 T1_AVG="${TIMING_RESULT_AVG}"
diff --git a/.pentest/scripts/03_jwt_attacks.sh b/.pentest/scripts/03_jwt_attacks.sh
@@ -24,7 +24,8 @@ set -euo pipefail
 # ---------------------------------------------------------------------------
 # Configuration
 # ---------------------------------------------------------------------------
-BASE_URL="http://localhost:3333" # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+BASE_URL="http://localhost:3333"
 API="http://localhost:3333/api/v1"
 TEST_EMAIL="test@prostaff.gg"
 TEST_PASSWORD="Test123!@#"
@@ -34,7 +35,8 @@ OUTPUT_FILE="${SNAPSHOT_DIR}/jwt_attacks_${TIMESTAMP}.txt"
 
 # Target endpoint for token testing (requires auth)
 TARGET="${API}/dashboard"
-TARGET_ALT="${API}/players" # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+TARGET_ALT="${API}/players"
 
 # ---------------------------------------------------------------------------
 # Colors
diff --git a/.pentest/scripts/04_org_isolation.sh b/.pentest/scripts/04_org_isolation.sh
@@ -30,7 +30,8 @@ set -euo pipefail
 # ---------------------------------------------------------------------------
 # Configuration
 # ---------------------------------------------------------------------------
-BASE_URL="http://localhost:3333" # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+BASE_URL="http://localhost:3333"
 API="http://localhost:3333/api/v1"
 TEST_EMAIL="test@prostaff.gg"
 TEST_PASSWORD="Test123!@#"
diff --git a/.pentest/scripts/05_rbac_probe.sh b/.pentest/scripts/05_rbac_probe.sh
@@ -26,7 +26,8 @@ set -euo pipefail
 # ---------------------------------------------------------------------------
 # Configuration
 # ---------------------------------------------------------------------------
-BASE_URL="http://localhost:3333" # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+BASE_URL="http://localhost:3333"
 API="http://localhost:3333/api/v1"
 TEST_EMAIL="test@prostaff.gg"
 TEST_PASSWORD="Test123!@#"
diff --git a/.pentest/scripts/06_rate_limit_probe.sh b/.pentest/scripts/06_rate_limit_probe.sh
@@ -29,7 +29,8 @@ set -euo pipefail
 # ---------------------------------------------------------------------------
 # Configuration
 # ---------------------------------------------------------------------------
-BASE_URL="http://localhost:3333" # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+BASE_URL="http://localhost:3333"
 API="http://localhost:3333/api/v1"
 TEST_EMAIL="test@prostaff.gg"
 TEST_PASSWORD="Test123!@#"
diff --git a/.pentest/scripts/07_param_fuzzing.sh b/.pentest/scripts/07_param_fuzzing.sh
@@ -30,7 +30,8 @@ set -euo pipefail
 # ---------------------------------------------------------------------------
 # Configuration
 # ---------------------------------------------------------------------------
-BASE_URL="http://localhost:3333" # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+BASE_URL="http://localhost:3333"
 API="http://localhost:3333/api/v1"
 TEST_EMAIL="test@prostaff.gg"
 TEST_PASSWORD="Test123!@#"
diff --git a/.pentest/scripts/08_ssrf_probe.sh b/.pentest/scripts/08_ssrf_probe.sh
@@ -35,7 +35,8 @@ set -euo pipefail
 # ---------------------------------------------------------------------------
 # Configuration
 # ---------------------------------------------------------------------------
-BASE_URL="http://localhost:3333" # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+BASE_URL="http://localhost:3333"
 API="http://localhost:3333/api/v1"
 TEST_EMAIL="test@prostaff.gg"
 TEST_PASSWORD="Test123!@#"
@@ -416,7 +417,8 @@ info "the server is making outbound connections (blind SSRF)."
 echo ""
 
 # External host (should timeout or respond normally)
-EXTERNAL_HOST="https://httpbin.org/delay/0" # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+EXTERNAL_HOST="https://httpbin.org/delay/0"
 # Non-routable internal host (should timeout or fail fast)
 INTERNAL_HOST="http://10.255.255.1/"
 # Likely closed port on localhost
diff --git a/.pentest/scripts/09_export_injection.sh b/.pentest/scripts/09_export_injection.sh
@@ -3,7 +3,8 @@
 # ProStaff API pentest lab
 set -e
 
-BASE_URL="http://localhost:3333" # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+BASE_URL="http://localhost:3333"
 API="http://localhost:3333/api/v1"
 TIMESTAMP=$(date -u +%Y%m%d_%H%M%S)
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
diff --git a/.pentest/scripts/11_search_injection.sh b/.pentest/scripts/11_search_injection.sh
@@ -3,7 +3,8 @@
 # ProStaff API pentest lab
 set -e
 
-BASE_URL="http://localhost:3333" # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+BASE_URL="http://localhost:3333"
 API="http://localhost:3333/api/v1"
 TIMESTAMP=$(date -u +%Y%m%d_%H%M%S)
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
diff --git a/.pentest/scripts/14_httpx_recon.sh b/.pentest/scripts/14_httpx_recon.sh
@@ -226,7 +226,8 @@ for origin in "${CORS_ORIGINS[@]}"; do
 
   ACAO=$(echo "$CORS_RESP" | grep -i "Access-Control-Allow-Origin:" | tr -d '\r' || true)
   ACAC=$(echo "$CORS_RESP" | grep -i "Access-Control-Allow-Credentials:" | tr -d '\r' || true)
-  ACAM=$(echo "$CORS_RESP" | grep -i "Access-Control-Allow-Methods:" | tr -d '\r' || true) # shellcheck disable=SC2034
+  # shellcheck disable=SC2034
+  ACAM=$(echo "$CORS_RESP" | grep -i "Access-Control-Allow-Methods:" | tr -d '\r' || true)
   STATUS=$(echo "$CORS_RESP" | grep -o 'HTTP/[0-9.]* [0-9]*' | tail -1 | awk '{print $2}' || true)
 
   log "  Origin: $origin"
diff --git a/.pentest/scripts/15_full_audit.sh b/.pentest/scripts/15_full_audit.sh
@@ -9,7 +9,8 @@
 set -e
 
 BASE_URL="http://localhost:3333"
-API="http://localhost:3333/api/v1" # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+API="http://localhost:3333/api/v1"
 TIMESTAMP=$(date -u +%Y%m%d_%H%M%S)
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 OUT_DIR="$SCRIPT_DIR/../snapshots"
@@ -102,7 +103,8 @@ RUN_COUNT=0
 SKIP_COUNT=0
 FAIL_COUNT=0
 PASS_COUNT=0
-FINDING_COUNT=0 # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+FINDING_COUNT=0
 
 # ---------------------------------------------------------------------------
 # Run scripts
diff --git a/.pentest/scripts/21_activestorage_dos_cve_2026_33658.sh b/.pentest/scripts/21_activestorage_dos_cve_2026_33658.sh
@@ -384,7 +384,8 @@ if [ -f "${STORAGE_CONFIG}" ]; then
   echo "--- config/storage.yml (first 20 lines) ---"
   head -20 "${STORAGE_CONFIG}" || true
   echo "---"
-  AS_ROUTE_CHECK=true # shellcheck disable=SC2034
+  # shellcheck disable=SC2034
+  AS_ROUTE_CHECK=true
 else
   ok "config/storage.yml not found — Active Storage likely not in use"
 fi
diff --git a/.pentest/test-sql-injection-quick.sh b/.pentest/test-sql-injection-quick.sh
@@ -159,7 +159,8 @@ else
 
     if has_sql_error "${RESP_BODY}"; then
       fail "${label} -> HTTP ${HTTP_CODE} [SQL ERROR LEAKED]"
-    elif echo "${RESP_BODY}" | grep -qiE '(\$2[aby]\$|password_digest|bcrypt)'; then # shellcheck disable=SC2016
+    # shellcheck disable=SC2016
+    elif echo "${RESP_BODY}" | grep -qiE '(\$2[aby]\$|password_digest|bcrypt)'; then
       fail "${label} -> HTTP ${HTTP_CODE} [CREDENTIAL DATA IN RESPONSE]"
     elif [ "${HTTP_CODE}" = "500" ]; then
       fail "${label} -> HTTP 500"
diff --git a/.pentest/test-sqli-advanced.sh b/.pentest/test-sqli-advanced.sh
@@ -132,8 +132,9 @@ has_disclosure() {
 # ---------------------------------------------------------------------------
 has_credential_leak() {
   local body="$1"
+  # shellcheck disable=SC2016
   echo "${body}" | grep -qiE \
-    '([a-z0-9._%+\-]+@[a-z0-9.\-]+\.[a-z]{2,}.*password|bcrypt|\$2[aby]\$[0-9]{2}\$)' # shellcheck disable=SC2016
+    '([a-z0-9._%+\-]+@[a-z0-9.\-]+\.[a-z]{2,}.*password|bcrypt|\$2[aby]\$[0-9]{2}\$)'
 }
 
 # ===========================================================================
@@ -531,7 +532,8 @@ test_time_based() {
 
     local label="${payload:0:60}"
     local elapsed_s
-    elapsed_s=$(python3 -c "print(f'{${elapsed}/1000:.2f}')" 2>/dev/null || echo "${elapsed}ms") # shellcheck disable=SC2034
+    # shellcheck disable=SC2034
+    elapsed_s=$(python3 -c "print(f'{${elapsed}/1000:.2f}')" 2>/dev/null || echo "${elapsed}ms")
 
     if [ "${elapsed}" -ge $(( sleep_secs * 1000 - 200 )) ]; then
       fail "${label} -> HTTP ${code} ELAPSED=${elapsed}ms [TIME-BASED INJECTION CONFIRMED]"
diff --git a/.pentest/tools/install.sh b/.pentest/tools/install.sh
@@ -8,8 +8,10 @@ TOOLS_DIR="$SCRIPT_DIR"
 BIN_DIR="$HOME/.local/bin"
 
 # Tool versions (update as needed)
-NUCLEI_VERSION="latest" # shellcheck disable=SC2034
-HTTPX_VERSION="latest" # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+NUCLEI_VERSION="latest"
+# shellcheck disable=SC2034
+HTTPX_VERSION="latest"
 WEBSOCAT_VERSION="v1.13.0"
 WEBSOCAT_BINARY="websocat.x86_64-unknown-linux-musl"
 
diff --git a/Dockerfile.production b/Dockerfile.production
@@ -6,6 +6,7 @@
 FROM ruby:3.4.5-slim AS base
 
 # Instala dependências essenciais (incluindo curl para healthcheck)
+# hadolint ignore=DL3008
 RUN apt-get update -qq && \
     apt-get install --no-install-recommends -y \
       curl \
@@ -28,6 +29,7 @@ WORKDIR /app
 ############################
 FROM base AS build
 
+# hadolint ignore=DL3008
 RUN apt-get update -qq && \
     apt-get install --no-install-recommends -y \
       build-essential \
diff --git a/docs-page/Dockerfile b/docs-page/Dockerfile
@@ -7,6 +7,8 @@ COPY logo.png   /usr/share/nginx/html/logo.png
 # Copy nginx configuration
 COPY nginx.conf /etc/nginx/conf.d/default.conf
 
+USER nginx
+
 EXPOSE 80
 
 HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
diff --git a/security_tests/run-security-scans.sh b/security_tests/run-security-scans.sh
@@ -8,7 +8,8 @@ set -e
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 RED='\033[0;31m'
-BLUE='\033[0;34m' # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+BLUE='\033[0;34m'
 NC='\033[0m'
 
 # Determine environment
diff --git a/security_tests/scripts/test-multi-tenancy-isolation.sh b/security_tests/scripts/test-multi-tenancy-isolation.sh
@@ -17,7 +17,8 @@ mkdir -p "$REPORT_DIR"
 # Colors
 GREEN='\033[0;32m'
 RED='\033[0;31m'
-YELLOW='\033[1;33m' # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+YELLOW='\033[1;33m'
 NC='\033[0m'
 
 PASSED=0
@@ -61,7 +62,8 @@ ORG1_RESPONSE=$(curl -s -X POST "$API_URL/api/v1/auth/register" \
   }')
 
 ORG1_TOKEN=$(echo "$ORG1_RESPONSE" | jq -r '.data.access_token')
-ORG1_USER_ID=$(echo "$ORG1_RESPONSE" | jq -r '.data.user.id') # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+ORG1_USER_ID=$(echo "$ORG1_RESPONSE" | jq -r '.data.user.id')
 ORG1_ORG_ID=$(echo "$ORG1_RESPONSE" | jq -r '.data.organization.id')
 
 # Create Org 2
@@ -80,7 +82,8 @@ ORG2_RESPONSE=$(curl -s -X POST "$API_URL/api/v1/auth/register" \
   }')
 
 ORG2_TOKEN=$(echo "$ORG2_RESPONSE" | jq -r '.data.access_token')
-ORG2_USER_ID=$(echo "$ORG2_RESPONSE" | jq -r '.data.user.id') # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+ORG2_USER_ID=$(echo "$ORG2_RESPONSE" | jq -r '.data.user.id')
 ORG2_ORG_ID=$(echo "$ORG2_RESPONSE" | jq -r '.data.organization.id')
 
 if [ "$ORG1_TOKEN" = "null" ] || [ "$ORG2_TOKEN" = "null" ]; then
@@ -148,7 +151,8 @@ ORG1_ACCESS_ORG2=$(curl -s -w "\n%{http_code}" -X GET "$API_URL/api/v1/players/$
   -H "Authorization: Bearer $ORG1_TOKEN")
 
 HTTP_CODE=$(echo "$ORG1_ACCESS_ORG2" | tail -n1)
-RESPONSE_BODY=$(echo "$ORG1_ACCESS_ORG2" | head -n-1) # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+RESPONSE_BODY=$(echo "$ORG1_ACCESS_ORG2" | head -n-1)
 
 if [ "$HTTP_CODE" = "404" ] || [ "$HTTP_CODE" = "403" ]; then
   test_result "Org1 cannot access Org2 player by ID" "PASS" ""
diff --git a/security_tests/scripts/test-timing-oracle.sh b/security_tests/scripts/test-timing-oracle.sh
@@ -98,7 +98,7 @@ mean_ms() {
   local n="$4"
 
   local sum=0
-  local i
+  local _
   for _ in $(seq 1 "$n"); do
     local t
     t=$(measure_ms "$method" "$url" "$body")
@@ -164,7 +164,8 @@ echo "    Collecting ${SAMPLES} samples each..."
 
 REGISTER_URL="$API_URL/api/v1/auth/register"
 NEW_EMAIL_1="timing-oracle-new-${TIMESTAMP}a@prostaff-test.invalid"
-NEW_EMAIL_2="timing-oracle-new-${TIMESTAMP}b@prostaff-test.invalid" # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+NEW_EMAIL_2="timing-oracle-new-${TIMESTAMP}b@prostaff-test.invalid"
 
 REG_EXISTING_PAYLOAD="{\"organization_name\":\"TimingTest\",\"email\":\"$KNOWN_EMAIL\",\"password\":\"$WRONG_PASS\",\"name\":\"Timing Test\"}"
 REG_NEW_PAYLOAD="{\"organization_name\":\"TimingTest\",\"email\":\"$NEW_EMAIL_1\",\"password\":\"$WRONG_PASS\",\"name\":\"Timing Test\"}"
diff --git a/security_tests/scripts/zap-api-scan.sh b/security_tests/scripts/zap-api-scan.sh
@@ -15,7 +15,8 @@ REPORT_DIR="$PROJECT_ROOT/security_tests/reports/zap"
 TIMESTAMP=$(date +%Y%m%d_%H%M%S)
 
 GREEN='\033[0;32m'
-YELLOW='\033[1;33m' # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+YELLOW='\033[1;33m'
 NC='\033[0m'
 
 echo -e "${GREEN}🔍 Starting ZAP API Scan${NC}"
diff --git a/security_tests/scripts/zap-baseline-scan.sh b/security_tests/scripts/zap-baseline-scan.sh
@@ -14,7 +14,8 @@ REPORT_DIR="$PROJECT_ROOT/security_tests/reports/zap"
 TIMESTAMP=$(date +%Y%m%d_%H%M%S)
 
 GREEN='\033[0;32m'
-YELLOW='\033[1;33m' # shellcheck disable=SC2034
+# shellcheck disable=SC2034
+YELLOW='\033[1;33m'
 NC='\033[0m'
 
 echo -e "${GREEN}🔍 Starting ZAP Baseline Scan${NC}"
diff --git a/status-page/Dockerfile b/status-page/Dockerfile
@@ -7,6 +7,8 @@ COPY logo.png   /usr/share/nginx/html/logo.png
 # Copy nginx configuration
 COPY nginx.conf /etc/nginx/conf.d/default.conf
 
+USER nginx
+
 EXPOSE 80
 
 HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
