industry · 2026-05-24 · 12 min read

I was able to cross-tenant poison the AI recommend cache through cache key truncation: the sha256ShortHex fix (PR #560 SS F2)

Esra (@esra-appsec) is a 33-year-old independent application security researcher from Çaykara, Trabzon, with 5 years on the Synack Red Team. In Q1 2026 she reviewed the thMenu open-source repo's POST /api/ai-recommend endpoint, which runs Cloudflare AI inference (LLaMA 3.1 8B) to produce customer recommendations and takes excludeIds as context. The cache key was built like this, truncated to 60 characters:

    const cacheKey = `ai-rec:${restaurantId}:${[...excludeIds].sort().join(',').slice(0, 60)}`

The mental model: thMenu product IDs are UUIDs of 32 hex characters, so 60 characters is roughly 2 UUIDs plus a comma. An attacker who crafts two UUIDs, aaaa1111...32hex,aaaa2222...32hex, that share a prefix with a customer's exclude set gets a collision. Aysu, a legitimate customer, excludes aaaa1111...,aaaa2222...,bbbb3333..., which truncates to aaaa1111...,aaaa2222...,bbbb3. The attacker's crafted list aaaa1111...,aaaa2222...,attacker has the same 60-character prefix, so for the 24-hour TTL the KV cache hit serves the attacker's recommendation in Aysu's session. A lab repro with crafted excludeIds showed the KV entry poisoned.

Why it is critical:
(a) brand damage (for example a café's recommendations to students);
(b) allergen risk: a poisoned recommendation ignores the allergen profile, which is a health risk;
(c) SEO/citation pollution of AI agent training data;
(d) DoS amplifier: prefix collisions invalidate the cache and burn AI inference quota.
The writeup rated it CVSS 6.5: cache poisoning with a 24h TTL window.

Engineering went through 3 wrong theories:
(1) Raise the prefix from 60 to 200. This narrows the collision window but does not eliminate it; crafted input still collides.
(2) Turn the cache off. This degrades AI inference latency and increases Cloudflare AI quota burn, a performance and cost regression.
(3) Bound excludeIds.length. This helps against the DoS amplifier but does not fix the collision root cause; short inputs still collide.

The right pattern is a cryptographic hash that is fixed-width and collision-resistant: sha256ShortHex, 16 hex characters, 64 bits of entropy, where a birthday attack needs 2^32 tries, which is prohibitive.

Forensic analysis of apps/web-menu/src/app/api/ai-recommend/route.ts:

    sortedIds = [...new Set(excludeIds)].sort().join(',')
    cacheKey = `ai-rec:${restaurantId}:${sortedIds.slice(0, 60)}`

That is KV cache key truncation followed by a return on cache hit. .slice is deterministic but collision-prone.

A 90-day production audit of 12847 unique cache keys for crafted poisoning found about 3 real-world collisions, a real-world rate of 0.02%. That is low, but with crafted input the rate is 100%. Hence CVSS 6.5 MEDIUM: low likelihood, high impact.

PR #560 (batch SS F2) is a 3-layer fix.

Layer 1: the sha256ShortHex helper in apps/web-menu/src/lib/cache-key.ts. It calls crypto.subtle.digest with SHA-256 on the TextEncoder output, hex-encodes the bytes with map and padStart, and slices to 16 characters. That is 64 bits of entropy; a birthday attack needs 2^32 inputs, which is practically impossible. The key becomes:

    cacheKey = `ai-rec:${restaurantId}:${await sha256ShortHex(sortedIds, 16)}`

Layer 2: MAX_EXCLUDE_IDS=200 as an input size bound; anything larger gets 400 input_too_large. This bounds the server-side CPU cost of sort plus hash and counters the DoS amplifier. A legitimate customer excludes about 30 items, so 200 is a generous cap.

Layer 3: production audit plus a retroactive cache purge. The ai-rec:* prefix in the KV bucket was cleared, and over 24 hours fresh inference regenerated the cache under collision-free sha256ShortHex keys.

Esra received a €1200 bounty via Wise for the CVSS 6.5 finding, plus Hall of Fame and advisory board; blog 2.3k, Turkish security community. Anders (Södermalm, Stockholm, 38 years old, 10 years, ex-King Mobile security team) made a parallel disclosure: €1400; LinkedIn 4.6k, Nordic security research.

Pattern: INSTEAD OF truncating user input into a cache key, use a cryptographic hash: SHA-256 short-hex, 16 characters, 64 bits of entropy, fixed-width, collision-resistant and DoS-bound.

Sibling sweep: /api/ai-recommend (SS F2), /api/ai-pairing, /api/ai-upsells, /api/menu-search and /api/allergen-recommend all use sha256ShortHex.

Implementation: never truncate user input into a cache key; use the sha256ShortHex helper from the shared lib; cap input length with MAX_EXCLUDE_IDS=200 and reject with 400; balance the cache TTL; run a production audit and purge existing cache keys; add a PR template checkbox. Reference: PR #560.

thMenu Team