chore: improve sec. test coverage

Author: Bulletdev

.pentest/scripts/10_websocket_probe.sh

@@ -151,7 +151,7 @@ EDGE_CASES=(
   "array:${WS_URL}?token[]=hack"
   "zero:${WS_URL}?token=0"
   "true:${WS_URL}?token=true"
-  "sqlinjection:${WS_URL}?token='"'"' OR 1=1--"
+  "sqlinjection:${WS_URL}?token=' OR 1=1--"
 )
 
 for entry in "${EDGE_CASES[@]}"; do

config/brakeman.ignore

@@ -12,6 +12,22 @@
       "fingerprint": "7bdf978768b5058d8c79ec541e68cb8643bbf19ab5ab52d60e6bd420a91bc416",
       "note": "False positive — safe_ids values come from Meilisearch hit IDs (internal database PKs) and are individually escaped via ActiveRecord::Base.connection.quote() before interpolation. User search query is sent only to Meilisearch, never interpolated into SQL. Reviewed 2026-02-28."
     },
+    {
+      "fingerprint": "82553a8da70acefb77b22bab7fb95616b808a9604a23dff455508e0ad77e3107",
+      "note": "False positive — the SQL interpolation only inserts PostgreSQL numbered bind-parameter placeholders ($1, $2, ...). The actual type_names values are passed separately as exec_query bind parameters. No user input reaches this code path. Reviewed 2026-04-05."
+    },
+    {
+      "fingerprint": "8273a221da2916071e72130e8e4a184b37aa96df641daff5c11d7069740e2c81",
+      "note": "False positive — :role is a League of Legends in-game position (top/jungle/mid/adc/support), NOT a user authorization role. ScoutingTarget model has no admin/privilege-escalation fields. Reviewed 2026-04-05."
+    },
+    {
+      "fingerprint": "88173572797556fd8d8d2da622fdb463673c0793a9ec10126b1803fc39f04f06",
+      "note": "False positive — :role is a League of Legends in-game position (top/jungle/mid/adc/support), NOT a user authorization role. ScoutingTarget model has no admin/privilege-escalation fields. Reviewed 2026-04-05."
+    },
+    {
+      "fingerprint": "8bf697cde545723f2f3d339a8fc87f1cbb80dccb7cc50ea42243ebde2c0d7883",
+      "note": "False positive — safe_ids values come from Meilisearch hit IDs (internal database PKs) and are individually escaped via ActiveRecord::Base.connection.quote() before interpolation. User search query is sent only to Meilisearch, never interpolated into SQL. Reviewed 2026-04-05."
+    },
     {
       "fingerprint": "a53e36aea1309fb0af3b08b9d5403838087ed98264a2a158a98adde5f6d496d3",
       "note": "False positive — :role is a League of Legends champion role (adc/jungle/mid/support/top), NOT a user authorization role. SavedBuild model has no admin/banned/account_id or privilege-escalation fields. Reviewed 2026-02-28."

security_tests/scripts/test-multi-tenancy-isolation.sh

@@ -53,11 +53,11 @@ ORG1_RESPONSE=$(curl -s -X POST "$API_URL/api/v1/auth/register" \
     "user": {
       "email": "org1-'$(date +%s)'@test.com",
       "password": "Test123!@#",
-      "name": "Org1 User"
+      "full_name": "Org1 User"
     },
     "organization": {
       "name": "Test Org 1",
-      "slug": "test-org-1-'$(date +%s)'"
+      "region": "BR"
     }
   }')
 
@@ -73,11 +73,11 @@ ORG2_RESPONSE=$(curl -s -X POST "$API_URL/api/v1/auth/register" \
     "user": {
       "email": "org2-'$(date +%s)'@test.com",
       "password": "Test123!@#",
-      "name": "Org2 User"
+      "full_name": "Org2 User"
     },
     "organization": {
       "name": "Test Org 2",
-      "slug": "test-org-2-'$(date +%s)'"
+      "region": "BR"
     }
   }')
 

security_tests/scripts/test-ssrf-protection.sh

@@ -39,25 +39,36 @@ test_result() {
   fi
 }
 
-# Create test user and get token
+# Authenticate — try login with fixed test user first, register only if needed
+FIXED_EMAIL="${TEST_EMAIL:-sectest@prostaff-security.invalid}"
+FIXED_PASSWORD="${TEST_PASSWORD:-Test123!@#}"
+
 echo "Setting up test user..."
-AUTH_RESPONSE=$(curl -s -X POST "$API_URL/api/v1/auth/register" \
+AUTH_RESPONSE=$(curl -s -X POST "$API_URL/api/v1/auth/login" \
   -H "Content-Type: application/json" \
-  -d '{
-    "user": {
-      "email": "ssrf-test-'$(date +%s)'@test.com",
-      "password": "Test123!@#",
-      "name": "SSRF Test User"
-    },
-    "organization": {
-      "name": "SSRF Test Org",
-      "slug": "ssrf-test-'$(date +%s)'"
-    }
-  }')
-
-TOKEN=$(echo "$AUTH_RESPONSE" | jq -r '.data.access_token')
-
-if [ "$TOKEN" = "null" ]; then
+  -d "{\"email\":\"$FIXED_EMAIL\",\"password\":\"$FIXED_PASSWORD\"}")
+
+TOKEN=$(echo "$AUTH_RESPONSE" | jq -r '.data.access_token // empty')
+
+if [ -z "$TOKEN" ]; then
+  # User does not exist yet — register once
+  AUTH_RESPONSE=$(curl -s -X POST "$API_URL/api/v1/auth/register" \
+    -H "Content-Type: application/json" \
+    -d "{
+      \"user\": {
+        \"email\": \"$FIXED_EMAIL\",
+        \"password\": \"$FIXED_PASSWORD\",
+        \"full_name\": \"SSRF Test User\"
+      },
+      \"organization\": {
+        \"name\": \"SSRF Test Org\",
+        \"region\": \"BR\"
+      }
+    }")
+  TOKEN=$(echo "$AUTH_RESPONSE" | jq -r '.data.access_token // empty')
+fi
+
+if [ -z "$TOKEN" ]; then
   echo "FATAL: Failed to authenticate"
   echo "Response: $AUTH_RESPONSE"
   exit 1