industry | 2026-05-24 | 13 min read

I could change my own postback_secret with a PostgREST PATCH: the missing affiliate trigger (PR #616 EEE F2)

Hilal, mid-30s, from Kepez in Çanakkale, is an independent affiliate marketer and part-time DevSecOps engineer (@hilal_food, 52k TikTok followers in the Aegean gastronomy and restaurant-tech niche). By day she does DevSecOps at a food-export company in the Çanakkale OSB; by night, bug bounty and responsible disclosure. On a Tuesday evening, reading through the freshly shipped PR #609 CCC-B "dual-secret rotation" sweep, one question stuck with her: **if an affiliate can change their own postback_secret with a direct PostgREST PATCH, is the whole rotation pattern bypassed?**

She opened DevTools and, with her own affiliate JWT, sent:

`PATCH /rest/v1/affiliate_profiles?id=eq.<own_id> { "postback_secret": "attacker-chosen-known-secret" }`

Response: **204 No Content**. The PATCH went through, and Supabase realtime showed postback_secret already set to the new value.

Some background. PR #524 GG (2026-04) closed the RLS WITH CHECK gap with a BEFORE UPDATE trigger: ten fields such as balance_cents, commission_rate and kyc_status are locked with RAISE EXCEPTION ... USING ERRCODE = '42501', and the service role bypasses the trigger through a role check on the JWT claims. But the privileged-field list in PR #524 GG is curated by hand. **PR #609 CCC-B (2026-05) added postback_url, postback_secret, postback_secret_prev and postback_secret_rotated_at, and the trigger was NOT updated.** PR #524 GG had even noted the risk: "if you forget to update the trigger for a newly added sensitive column, it is open by default." That is exactly what happened.

**Three attack vectors** follow from it:

1. postback_secret hijack: with a secret the attacker knows, they can forge the HMAC on a crafted fake commission event and replay it.
2. postback_url exfiltration: point the postback at an attacker-controlled server and commission events (Stripe customer email, transaction amount, restaurant info) are sent there.
3. Rotation bypass: the PR #609 CCC-B dual-secret rotation relies on an optimistic-concurrency race guard (`AND postback_secret = ?`), which a direct PATCH simply sidesteps.

Hilal reproduced all three scenarios in her own test environment and sent a PoC write-up to security@thmenu.com. Engineering reproduced it within an hour and rated it HIGH. Inspecting the PR #524 GG migration confirmed the cause: ten IF blocks, none for postback_*.
**The PR #616 batch EEE F2 fix** is simple: a CREATE OR REPLACE FUNCTION atomic swap adds four new IF blocks, one each for postback_url, postback_secret, postback_secret_prev and postback_secret_rotated_at, all of the form `IF NEW.X IS DISTINCT FROM OLD.X THEN RAISE EXCEPTION 'read-only' USING ERRCODE = '42501'`. The service_role bypass is unchanged, so cron jobs and webhook handlers still skip the trigger. The migration, supabase/migrations/20260524000001_affiliate_coupon_postback_privileged_triggers.sql, uses CREATE OR REPLACE FUNCTION so the swap is atomic and needs no downtime. The same migration adds a sibling trigger for affiliate_coupons (EEE F1, covered in a separate post).

A 90-day audit found no prior exploitation; Hilal was the first (PR #609 CCC-B had shipped five days earlier, so the exposure window was short). Hilal received HIGH severity, €750 via Wise, a Hall of Fame entry and one year of the Pro tier. Tina from Trnovo, Ljubljana (@tinafoodtech, 44k in the Slovenian-Croatian niche), DevSecOps at a Maribor fintech, is the Slovenian version of the same story: identical flow.

The pattern: **a Supabase RLS USING policy is not enough, because a PostgREST PATCH can update any column of a row the policy lets you reach. A BEFORE UPDATE trigger pattern is mandatory. And the privileged-field list should be an allow-list of editable columns rather than a block-list of privileged ones: then a new sensitive column you forget to add to the trigger is LOCKED by default, not OPEN.** Column-level privileges (REVOKE UPDATE on the table, then GRANT UPDATE (col, ...) TO authenticated) give the same default-deny property without a trigger, and PostgREST surfaces a PATCH on a non-granted column as a permission error.

Implementation checklist:

1. Pair every UPDATE policy with a BEFORE UPDATE trigger.
2. Allow-list editable columns (default-deny) instead of block-listing privileged ones.
3. In every migration that adds a column, check whether the column is sensitive and, if so, that the trigger covers it.
4. Swap trigger functions with CREATE OR REPLACE FUNCTION (atomic).
5. Make that check a mandatory tick in the PR template.
6. In pentests, enumerate the table's columns and try a direct PATCH on each with an affiliate JWT.
7. Quarterly audit: diff the trigger source against the schema.
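What the allow-list shape of checklist items 1 to 3 looks like in practice, together with the schema-versus-trigger audit from item 7, as an added example. This is not thMenu's migration or code: the table name affiliate_profiles and the postback_* columns come from the post, while the allow-list contents, the function and trigger names, the placeholder id in the self-check and the name of the block-list guard queried by the audit are all assumed for illustration.

```sql
-- Added example (not thMenu's code): default-deny BEFORE UPDATE guard.
-- Instead of one IF block per privileged column (block-list), list the columns
-- an affiliate MAY change and reject any other change. A column added later is
-- locked until someone deliberately puts it on the allow-list.
-- Assumed names: affiliate_profiles_guard_update, the allow-list entries, and
-- the placeholder id in the self-check below.

CREATE OR REPLACE FUNCTION affiliate_profiles_guard_update()
RETURNS trigger
LANGUAGE plpgsql
AS $$
DECLARE
  -- Columns the authenticated (affiliate) role may change through PostgREST.
  -- Everything else, including columns added next month, is read-only.
  allowed  text[] := ARRAY['display_name', 'payout_note', 'updated_at'];
  jwt_role text;
  changed  text[];
BEGIN
  -- PostgREST exposes the verified JWT claims as request.jwt.claims. The
  -- service role (cron jobs, webhook handlers, the rotation job) keeps full
  -- write access, the same bypass the post describes for PR #524 GG.
  jwt_role := NULLIF(current_setting('request.jwt.claims', true), '')::jsonb ->> 'role';
  IF jwt_role = 'service_role' THEN
    RETURN NEW;
  END IF;

  -- Diff OLD and NEW as jsonb and collect every changed key not on the
  -- allow-list. IS DISTINCT FROM counts NULL -> value and value -> NULL.
  SELECT COALESCE(array_agg(k ORDER BY k), '{}')
    INTO changed
    FROM jsonb_object_keys(to_jsonb(NEW)) AS k
   WHERE to_jsonb(NEW) -> k IS DISTINCT FROM to_jsonb(OLD) -> k
     AND NOT (k = ANY (allowed));

  IF cardinality(changed) > 0 THEN
    -- 42501 = insufficient_privilege; PostgREST reports it as HTTP 403.
    RAISE EXCEPTION 'affiliate_profiles: read-only column(s) changed: %',
      array_to_string(changed, ', ')
      USING ERRCODE = '42501';
  END IF;

  RETURN NEW;
END;
$$;

-- CREATE OR REPLACE above swaps the function body atomically; the trigger
-- binding only has to exist once.
DROP TRIGGER IF EXISTS affiliate_profiles_guard_update ON affiliate_profiles;
CREATE TRIGGER affiliate_profiles_guard_update
  BEFORE UPDATE ON affiliate_profiles
  FOR EACH ROW EXECUTE FUNCTION affiliate_profiles_guard_update();

-- Self-check on a test copy (checklist item 6 in SQL form): replay the PATCH
-- from the post as the UPDATE PostgREST runs for an authenticated affiliate.
-- set_config(..., true) scopes the fake claims to this transaction only.
BEGIN;
SELECT set_config('request.jwt.claims',
                  '{"role":"authenticated","sub":"00000000-0000-0000-0000-000000000001"}',
                  true);
UPDATE affiliate_profiles
   SET postback_secret = 'attacker-chosen-known-secret'
 WHERE id = '00000000-0000-0000-0000-000000000001';
ROLLBACK;

-- Audit for a block-list style guard such as the IF-block function from
-- PR #524 GG (checklist item 7). Lists every column of the table whose name
-- is never referenced as NEW.<column> in the guard's source; each row is a
-- column the trigger knows nothing about. The function name is a placeholder
-- for your own guard. Word-boundary regex (\M) so that postback_secret is not
-- counted as covered by a reference to NEW.postback_secret_prev.
SELECT c.column_name, c.data_type
  FROM information_schema.columns AS c
 WHERE c.table_schema = 'public'
   AND c.table_name   = 'affiliate_profiles'
   AND pg_get_functiondef('public.affiliate_profiles_privileged_guard'::regproc)
       !~* ('NEW\.' || c.column_name::text || '\M')
 ORDER BY c.ordinal_position;
```

In the self-check, the UPDATE is refused with SQLSTATE 42501 because postback_secret is not on the allow-list, and the transaction is rolled back either way. Run the audit query after every migration that touches the table: an empty result means the block-list guard names every column; any row is a candidate for the default-open gap the post describes.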

thMenu Team

thmenu.com
