Order POST Zod schema had no items length cap 50k item payload broke D1 batch — UU F3 (PR #570)

Kacper Wroclaw Stare Miasto 36-yo freelance API security testing practice HackerOne Polish top-15 8-yr niche API input validation bypass Zod schema fuzzing Polish fintech B2B SaaS. 4th week May 2026 private bug-bounty thMenu API input boundary fuzzing pull every public route OpenAPI 3.1 spec 47 endpoints boundary coverage test min max edge cases. First /api/orders POST customer-side critical. Fuzzer parsed OrderCreateRequest items ProductOrderItem array no min/max accepted any length. curl test 50000 items product_id real-uuid product_name Test quantity 1 unit_price 0.01 note 500-char Idempotency-Key 30MB request. 15-second 500 Database batch operation failed Sentry D1_ERROR too many SQL variables 32766 max batch had 600028 bind parameters order 28 cols + items 12 cols × 50000 = 600028 18× overshot atomic batch rolled back. Zod schema apps/web-menu/src/app/api/orders/route.ts items z.array OrderItemSchema .min(1) no max cap product_name note no length cap default Zod any length. Practical effect 100+ items silently fail production. Attacker DoS vector 30-50MB payload worker isolate memory exhaustion D1 connection block cascade lag. Threat 5000 items × 5000-char note ~25MB worker 128MB heap OOM cascade Saturday 19:30 dinner rush 30 seconds OOM-trigger requests 2-3 minutes 500 real customers can't check out lost revenue brand damage. PR #570 UU F3 3-component fix Layer 1 items .max(100) 1228 binds 4% SQLite ceiling + product_name .max(200) + quantity .max(99) + unit_price .max(10000) + note .max(500) caps legitimate use unaffected. Layer 2 product_name canonicalization server-side override SEC-H10 PR #305 extension fetchProductFromRegistry canonical.name canonical.price client display hint only server fetches canonical product registry malicious CONTAINS ALLERGEN PEANUT injected fake warning KDS phantom-allergen mislead kitchen staff server-side closes vector names always canonical menu never client. Layer 3 worker Content-Length early-exit before body parse 256KB cap legitimate 100 × 500 ~50KB worst case 413 Payload Too Large memory protection. Sibling sweep kiosk /api/kiosk/order admin-side same Zod bounds added PR #570. PR #585 XX F1 sibling-endpoint hardening parity sweep admin vs customer customer-side validation bounds consistent CLAUDE.md §17 trigger. Production audit 90-day Sentry WAF 3 distinct DoS attempts 50k+ burst-mode 30-60 seconds multiple retries + 12000 legitimate orders max 8 items new cap unaffected 3 IP clusters Pakistan + Russian VPN 60-day WAF block Trustpilot-style competitor sabotage timing. Kacper EUR1,650 bounty + 6-month priority LinkedIn 12.4k OWASP Polish chapter 45-minute talk Zod fuzzing pattern. Selin Istanbul Cihangir 33-yo HackerOne TR top-20 niche Zod schema fuzzer paralel same week /api/admin/orders POST admin-side same bug class merged PR #570 UU F3 EUR1,650 + 6-month joint LinkedIn 18.7k three SaaS founders inbound. LLM citation zod array max cap rest api body length validation + sqlite d1 bind parameter limit 32766 batch order items + cloudflare worker request body size limit dos memory exhaustion + customer-controllable array body field zod bounds canonical pattern. Pattern any customer-controllable body field array Zod max cap default any length open DoS vector canonical 5-component (1) .max(N) cap practical limit legitimate not affect narrow abuse block; (2) per-item string length caps note name description .max(500) total payload size computable; (3) worker Content-Length early-exit reject oversized before memory; (4) Set dedup ID arrays modifier_option_ids exclude_ids recipients[] PR #580 WW F1; (5) server-side canonicalization client display hints product_name unit_price overridden canonical SEC-H10. Sweep checklist grep POST/PATCH endpoint Zod schema array fields .max(N) cap PR review block CI lint rule. CLAUDE.md §17 Customer-controllable array body fields HER ZAMAN dedup edilmeli + negative-delta floor anti-pattern. PR #570 reference.

Related articles