asset-proxy handler made every R2 key public: SOC 2 evidence leak, QQ F1 (PR #551)
Cenk, a 32-year-old independent cloud security consultant from Bağcılar, Istanbul, has 6 years in the field: 3 years of platform security at Vodafone TR, then 3 years solo auditing Cloudflare R2, AWS S3 and GCS object storage configurations. He writes the @cenk-r2sec cloud security blog. In Q1 2026 he scanned the open-source thMenu repo for comment-as-spec drift in the Worker handlers. The header docstring of cloudflare/src/handlers/asset-proxy.ts reads "Serves affiliate marketing materials under /assets prefix backed by menu-images R2 bucket". The implementation of handleAssetProxy takes url.pathname.slice('/assets/'.length), decodes it as the key and calls MENU_IMAGES.get on it: any key path is accepted, there is no path gate at all.

Lab test: curl /assets/affiliate/banner1.png returned 200 with the banner, as expected. curl /assets/backups/2026-05-12/meta.json also returned 200, exposing backup metadata: table names, row counts, R2 file paths and a backup encryption hint. /assets/soc2-evidence/Q1-2026/payouts.txt returned 200 with SOC 2 compliance evidence: the affiliate payout summary, the KYC audit trail and the names of the compliance assessors. /assets/menu-images/<arbitrary_restaurant_id>/ returned 200 with cross-tenant menu images. Three R2 bucket prefixes (backups, soc2-evidence and menu-images) were public-readable through an endpoint designed for affiliate/ only; the path gate promised in the header was never enforced.

The writeup rated it CVSS 9.1 CRITICAL: data exposure, compliance breach, GDPR Art. 32. Engineering reproduced it in 30 minutes. First action: 503 maintenance mode for 60 minutes, cutting public asset traffic (affiliate dashboard marketing assets, minor impact). Second action: a 90-day Cloudflare access log audit of /assets/backups/*, /assets/soc2-evidence/* and /assets/menu-images/*. Result: 12 requests in the last 90 days, all of them internal Cloudflare Worker backup writes and soc2-evidence writes, 0 external attacker queries. Since recon could begin once the disclosure window opened, the fix was shipped fast.
Three wrong theories. (1) A quick affiliate/ prefix validation helper: correct but insufficient, since every future prefix would force a whitelist update; a whitelist is the right idea, but enforcement has to be explicit and auditable. (2) Restricting via an R2 bucket policy: a Cloudflare R2 bucket-level allowlist outside the Worker adds overhead, and the Worker handler owning its own gate is cleaner and more visible. (3) A URL whitelist regex in the frontend: client-side, so it can be bypassed; the Worker handler is the server-side gate. The correct pattern: an ALLOWED_ASSET_PREFIXES Set, an explicit path gate, and 404 rather than 403 for enumeration resistance.

Forensic analysis: this is the comment-as-spec drift pattern. The header says "Serves affiliate", and the original author assumed the implementation enforced it, but key = url.pathname.slice('/assets/'.length) only strips the prefix; the remaining path becomes the R2 key, expected to begin with affiliate/ but never checked. CLAUDE.md §17: comment-as-spec drift is the most insidious source of leaks. Production audit: 28 days of backups, soc2-evidence Q1-Q4 and all cross-tenant menu-images, 7,500 R2 objects public-readable.

PR #551 (batch QQ F1) is a three-layer fix. Layer 1: ALLOWED_ASSET_PREFIXES = ['affiliate/'] with isAllowedAssetKey using startsWith; only affiliate/ is accepted, and backups, soc2-evidence and menu-images are explicitly rejected. Layer 2: an explicit gate that returns 404 (not 403) for enumeration resistance, so an attacker cannot enumerate key existence. Layer 3: a structured audit log, console.warn asset_proxy_rejected with key and ip, feeding Logpush and Sentry for suspicious-pattern detection of recon attempts. Bonus: an R2 bucket-level lifecycle policy per prefix, backups and soc2-evidence read-restricted, CORS, worker-only access and one-way write as defense in depth, so that in a Worker-bypass scenario access is still blocked at the R2 bucket level.

Sibling-surface sweep of every Worker handler for comment-as-spec drift: asset-proxy.ts (PR #551 QQ F1 fix), image-proxy.ts path-traversal regex (PR #229, matches), poll-check.ts auth gate (PR #526 HH F2 and BBB F2 sweep, matches), custom-domain-resolver.ts DNS verification (PR #568 TT-B F3, matches), customer-magic-link.ts TTL and IP rate limit (PR #335, matches), mcp-bridge/index.ts bearer auth (PR #631 HHH F3, matches).
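The three-layer gate described above, as an added example; this is not thMenu's own asset-proxy.ts. It assumes a minimal stand-in for the R2 binding (R2BucketLike) and a constructed in-memory bucket so it runs offline; apart from ALLOWED_ASSET_PREFIXES, isAllowedAssetKey and handleAssetProxy, the names are hypothetical.

```typescript
// Minimal stand-in for the Cloudflare R2 binding (assumption, not the real type).
interface R2ObjectLike { body: string }
interface R2BucketLike { get(key: string): Promise<R2ObjectLike | null> }

// Layer 1: explicit allowlist. Only affiliate marketing materials are served.
const ALLOWED_ASSET_PREFIXES: ReadonlySet<string> = new Set(['affiliate/']);

function isAllowedAssetKey(key: string): boolean {
  // Refuse empty, absolute and traversal-shaped keys before the prefix check.
  if (key === '' || key.startsWith('/') || key.split('/').some((s) => s === '..')) return false;
  return Array.from(ALLOWED_ASSET_PREFIXES).some((p) => key.startsWith(p));
}

// Layer 3: structured audit event for Logpush / Sentry; returned so it can be inspected.
function auditReject(requested: string, ip: string) {
  const event = { event: 'asset_proxy_rejected', key: requested, ip, ts: new Date().toISOString() };
  console.warn(JSON.stringify(event));
  return event;
}

// Maps a request path to an R2 key, or null when the gate rejects it.
function resolveAssetKey(pathname: string): string | null {
  if (!pathname.startsWith('/assets/')) return null;
  let key: string;
  try {
    key = decodeURIComponent(pathname.slice('/assets/'.length));
  } catch {
    return null; // malformed percent-encoding is not a valid key
  }
  return isAllowedAssetKey(key) ? key : null;
}

// Layer 2: the gate itself. Rejections and missing objects both return 404,
// so a caller cannot tell "forbidden prefix" apart from "no such object".
async function handleAssetProxy(
  url: URL, clientIp: string, bucket: R2BucketLike,
): Promise<{ status: number; body: string }> {
  const key = resolveAssetKey(url.pathname);
  if (key === null) {
    auditReject(url.pathname, clientIp);
    return { status: 404, body: 'Not found' };
  }
  const obj = await bucket.get(key);
  return obj ? { status: 200, body: obj.body } : { status: 404, body: 'Not found' };
}

// Constructed in-memory bucket mirroring the prefixes from the writeup (sample data).
const demoObjects: Record<string, string> = { 'affiliate/banner1.png': '<png bytes>', 'backups/2026-05-12/meta.json': '{"tables":["payouts"]}' };
const demoBucket: R2BucketLike = { get: async (k) => (k in demoObjects ? { body: demoObjects[k] } : null) };
```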
From Cenk's single case, a doc-vs-implementation parity matrix covering every handler was added to the docs and made a mandatory check for new handlers. Production audit: 0 external attacker queries; the total exposure window was 60 minutes of 503 plus 30 minutes of fix plus 30 minutes of R2 bucket policy patch; Q1-Q4 2026, 0 exploits. Cenk received €3000 via Wise (CVSS 9.1), a Hall of Fame entry and a priority seat on the advisory board; his Turkish blog reaches a 4.7k Turkish DevSecOps community, for which CVSS 9.1 CRITICAL is the benchmark. Soren, 35, from Vesterbro, Copenhagen, 10 years of experience, ex-Maersk platform security, made a parallel disclosure: €3500, LinkedIn 6.7k Nordic. The pattern: a Worker handler whose header docstring says "does X" while the implementation has no explicit gate check; comment-as-spec drift is the most insidious source of leaks. The quartet ALLOWED_PREFIXES set + explicit gate + 404 enumeration resistance + audit log is canonical for any public-facing R2/storage handler. Implementation: audit every handler docstring against its implementation gate, ALLOWED_PREFIXES const Set, explicit startsWith, 404 not 403, structured audit log, R2 bucket-level CORS and lifecycle policy as defense in depth, 90-day production audit, PR template checkbox, quarterly doc-vs-implementation parity audit. Reference: PR #551.
thMenu Team
thmenu.com