fix: adjust security configs to avoid SSRF and injection

Bulletdev · Bulletdev · commit 8f1195a13b76 · 2025-10-23T19:44:21.000-03:00
Criadas 2 whitelists (REGION_HOSTS + REGIONAL_ENDPOINT_HOSTS)
  -  Métodos helper seguros (riot_api_host, regional_api_host)
  -  5 ocorrências de interpolação substituídas
  -  SecurityError se region não estiver na whitelist

  Análise de segurança confirmou design intencional
  -  Authorization via verify_team_usage! verificada
  -  Documentação de segurança adicionada
  -  Supressão RuboCop com justificativa
diff --git a/app/controllers/api/v1/scrims/opponent_teams_controller.rb b/app/controllers/api/v1/scrims/opponent_teams_controller.rb
@@ -111,11 +111,17 @@ def destroy
         # sensitive operations (update/destroy). This ensures organizations can
         # only modify teams they have scrims with.
         # Read operations (index/show) are allowed for all teams to enable discovery.
+        #
+        # SECURITY: Unscoped find is intentional here. OpponentTeam is a global
+        # resource visible to all organizations for discovery. Authorization is
+        # handled by verify_team_usage! for modifications.
+        # rubocop:disable Rails/FindById
         def set_opponent_team
           @opponent_team = OpponentTeam.find(params[:id])
         rescue ActiveRecord::RecordNotFound
           render json: { error: 'Opponent team not found' }, status: :not_found
         end
+        # rubocop:enable Rails/FindById
 
         # Verifies that current organization has used this opponent team
         # Prevents organizations from modifying/deleting teams they haven't interacted with
diff --git a/app/modules/players/controllers/players_controller.rb b/app/modules/players/controllers/players_controller.rb
@@ -152,60 +152,15 @@ def import
         role = params[:role]
         region = params[:region] || 'br1'
 
-        unless summoner_name.present? && role.present?
-          return render_error(
-            message: 'Summoner name and role are required',
-            code: 'MISSING_PARAMETERS',
-            status: :unprocessable_entity,
-            details: {
-              hint: 'Format: "GameName#TAG" or "GameName-TAG" (e.g., "Faker#KR1" or "Faker-KR1")'
-            }
-          )
-        end
+        # Validations
+        return unless validate_import_params(summoner_name, role)
+        return unless validate_player_uniqueness(summoner_name)
 
-        unless %w[top jungle mid adc support].include?(role)
-          return render_error(
-            message: 'Invalid role',
-            code: 'INVALID_ROLE',
-            status: :unprocessable_entity
-          )
-        end
+        # Import from Riot API
+        result = import_player_from_riot(summoner_name, role, region)
 
-        existing_player = organization_scoped(Player).find_by(summoner_name: summoner_name)
-        if existing_player
-          return render_error(
-            message: 'Player already exists in your organization',
-            code: 'PLAYER_EXISTS',
-            status: :unprocessable_entity
-          )
-        end
-
-        result = Players::Services::RiotSyncService.import(
-          summoner_name: summoner_name,
-          role: role,
-          region: region,
-          organization: current_organization
-        )
-
-        if result[:success]
-          log_user_action(
-            action: 'import_riot',
-            entity_type: 'Player',
-            entity_id: result[:player].id,
-            new_values: result[:player].attributes
-          )
-
-          render_created({
-                           player: PlayerSerializer.render_as_hash(result[:player]),
-                           message: "Player #{result[:summoner_name]} imported successfully from Riot API"
-                         })
-        else
-          render_error(
-            message: "Failed to import from Riot API: #{result[:error]}",
-            code: result[:code] || 'IMPORT_ERROR',
-            status: :service_unavailable
-          )
-        end
+        # Handle result
+        result[:success] ? handle_import_success(result) : handle_import_error(result)
       end
 
       # POST /api/v1/players/:id/sync_from_riot
@@ -328,6 +283,79 @@ def player_params
           :notes
         )
       end
+
+      # Validate import parameters
+      def validate_import_params(summoner_name, role)
+        unless summoner_name.present? && role.present?
+          render_error(
+            message: 'Summoner name and role are required',
+            code: 'MISSING_PARAMETERS',
+            status: :unprocessable_entity,
+            details: {
+              hint: 'Format: "GameName#TAG" or "GameName-TAG" (e.g., "Faker#KR1" or "Faker-KR1")'
+            }
+          )
+          return false
+        end
+
+        unless %w[top jungle mid adc support].include?(role)
+          render_error(
+            message: 'Invalid role',
+            code: 'INVALID_ROLE',
+            status: :unprocessable_entity
+          )
+          return false
+        end
+
+        true
+      end
+
+      # Check if player already exists
+      def validate_player_uniqueness(summoner_name)
+        existing_player = organization_scoped(Player).find_by(summoner_name: summoner_name)
+        return true unless existing_player
+
+        render_error(
+          message: 'Player already exists in your organization',
+          code: 'PLAYER_EXISTS',
+          status: :unprocessable_entity
+        )
+        false
+      end
+
+      # Import player from Riot API
+      def import_player_from_riot(summoner_name, role, region)
+        Players::Services::RiotSyncService.import(
+          summoner_name: summoner_name,
+          role: role,
+          region: region,
+          organization: current_organization
+        )
+      end
+
+      # Handle successful import
+      def handle_import_success(result)
+        log_user_action(
+          action: 'import_riot',
+          entity_type: 'Player',
+          entity_id: result[:player].id,
+          new_values: result[:player].attributes
+        )
+
+        render_created({
+                         player: PlayerSerializer.render_as_hash(result[:player]),
+                         message: "Player #{result[:summoner_name]} imported successfully from Riot API"
+                       })
+      end
+
+      # Handle import error
+      def handle_import_error(result)
+        render_error(
+          message: "Failed to import from Riot API: #{result[:error]}",
+          code: result[:code] || 'IMPORT_ERROR',
+          status: :service_unavailable
+        )
+      end
     end
   end
 end
diff --git a/app/modules/players/services/riot_sync_service.rb b/app/modules/players/services/riot_sync_service.rb
@@ -8,6 +8,28 @@ class RiotSyncService
       EUROPE = %w[euw1 eune1 ru tr1].freeze
       ASIA = %w[kr jp1 oce1].freeze
 
+      # Whitelist of allowed Riot API hostnames to prevent SSRF
+      REGION_HOSTS = {
+        'br1' => 'br1.api.riotgames.com',
+        'na1' => 'na1.api.riotgames.com',
+        'euw1' => 'euw1.api.riotgames.com',
+        'kr' => 'kr.api.riotgames.com',
+        'eune1' => 'eune1.api.riotgames.com',
+        'lan' => 'lan.api.riotgames.com',
+        'las1' => 'las1.api.riotgames.com',
+        'oce1' => 'oce1.api.riotgames.com',
+        'ru' => 'ru.api.riotgames.com',
+        'tr1' => 'tr1.api.riotgames.com',
+        'jp1' => 'jp1.api.riotgames.com'
+      }.freeze
+
+      # Whitelist of allowed regional endpoints for match/account APIs
+      REGIONAL_ENDPOINT_HOSTS = {
+        'americas' => 'americas.api.riotgames.com',
+        'europe' => 'europe.api.riotgames.com',
+        'asia' => 'asia.api.riotgames.com'
+      }.freeze
+
       attr_reader :organization, :api_key, :region
 
       def initialize(organization, region = nil)
@@ -52,10 +74,9 @@ def sync_player(player, import_matches: true)
 
       # Fetch summoner by PUUID
       def fetch_summoner_by_puuid(puuid)
-        # Region already validated in initialize via sanitize_region
-        # Use URI building to safely construct URL and avoid direct interpolation
+        # Use whitelisted host to prevent SSRF
         uri = URI::HTTPS.build(
-          host: "#{region}.api.riotgames.com",
+          host: riot_api_host,
           path: "/lol/summoner/v4/summoners/by-puuid/#{CGI.escape(puuid)}"
         )
         response = make_request(uri.to_s)
@@ -64,8 +85,9 @@ def fetch_summoner_by_puuid(puuid)
 
       # Fetch rank data for a summoner
       def fetch_rank_data(summoner_id)
+        # Use whitelisted host to prevent SSRF
         uri = URI::HTTPS.build(
-          host: "#{region}.api.riotgames.com",
+          host: riot_api_host,
           path: "/lol/league/v4/entries/by-summoner/#{CGI.escape(summoner_id)}"
         )
         response = make_request(uri.to_s)
@@ -102,8 +124,9 @@ def import_player_matches(player, count: 20)
       def search_riot_id(game_name, tag_line)
         regional_endpoint = get_regional_endpoint(region)
 
+        # Use whitelisted host to prevent SSRF
         uri = URI::HTTPS.build(
-          host: "#{regional_endpoint}.api.riotgames.com",
+          host: regional_api_host(regional_endpoint),
           path: "/riot/account/v1/accounts/by-riot-id/#{CGI.escape(game_name)}/#{CGI.escape(tag_line)}"
         )
         response = make_request(uri.to_s)
@@ -133,8 +156,9 @@ def search_riot_id(game_name, tag_line)
       def fetch_match_ids(puuid, count = 20)
         regional_endpoint = get_regional_endpoint(region)
 
+        # Use whitelisted host to prevent SSRF
         uri = URI::HTTPS.build(
-          host: "#{regional_endpoint}.api.riotgames.com",
+          host: regional_api_host(regional_endpoint),
           path: "/lol/match/v5/matches/by-puuid/#{CGI.escape(puuid)}/ids",
           query: URI.encode_www_form(count: count)
         )
@@ -146,8 +170,9 @@ def fetch_match_ids(puuid, count = 20)
       def fetch_match_details(match_id)
         regional_endpoint = get_regional_endpoint(region)
 
+        # Use whitelisted host to prevent SSRF
         uri = URI::HTTPS.build(
-          host: "#{regional_endpoint}.api.riotgames.com",
+          host: regional_api_host(regional_endpoint),
           path: "/lol/match/v5/matches/#{CGI.escape(match_id)}"
         )
         response = make_request(uri.to_s)
@@ -252,6 +277,22 @@ def sanitize_region(region)
         normalized
       end
 
+      # Get safe Riot API hostname from whitelist (prevents SSRF)
+      def riot_api_host
+        host = REGION_HOSTS[@region]
+        raise SecurityError, "Region #{@region} not in whitelist" if host.nil?
+
+        host
+      end
+
+      # Get safe regional API hostname from whitelist (prevents SSRF)
+      def regional_api_host(endpoint_name)
+        host = REGIONAL_ENDPOINT_HOSTS[endpoint_name]
+        raise SecurityError, "Regional endpoint #{endpoint_name} not in whitelist" if host.nil?
+
+        host
+      end
+
       # Get regional endpoint for match/account APIs
       def get_regional_endpoint(platform_region)
         if AMERICAS.include?(platform_region)
diff --git a/app/modules/scrims/controllers/opponent_teams_controller.rb b/app/modules/scrims/controllers/opponent_teams_controller.rb
@@ -111,11 +111,17 @@ def destroy
         # sensitive operations (update/destroy). This ensures organizations can
         # only modify teams they have scrims with.
         # Read operations (index/show) are allowed for all teams to enable discovery.
+        #
+        # SECURITY: Unscoped find is intentional here. OpponentTeam is a global
+        # resource visible to all organizations for discovery. Authorization is
+        # handled by verify_team_usage! for modifications.
+        # rubocop:disable Rails/FindById
         def set_opponent_team
           @opponent_team = OpponentTeam.find(params[:id])
         rescue ActiveRecord::RecordNotFound
           render json: { error: 'Opponent team not found' }, status: :not_found
         end
+        # rubocop:enable Rails/FindById
 
         # Verifies that current organization has used this opponent team
         # Prevents organizations from modifying/deleting teams they haven't interacted with
