industry · 2026-05-25 · 13 min read

Free meal exploit via duplicate modifier_option_ids: Set dedup and negative-delta floor (WW F1 CRITICAL, PR #580)

Çetin, a 32-year-old freelance security researcher from Odunpazarı, Eskişehir (HackerOne TR top-15, seven years specialising in SaaS business logic abuse), joined the thMenu private bounty in May 2026 and targeted the modifier system behind the order POST endpoint. On the Pro+ tier, modifier_options carry a price_delta that can be positive (extra cheese +2), negative (half portion -5, student -3, kids -2) or zero (no onion). In the lab, the OpenAPI OrderItemSchema declared modifier_option_ids as an array of UUIDs with no maximum length, and a test showed that duplicates were accepted: lamb shish $24 plus 3× half portion at -$8 gave a subtotal of $0 and a final total of $0, a free meal. Sending the option 5× or 10× still produced $0, because the only clamp, Math.max(0, total), was applied to the final total; there was no per-item-line dedup.

Threat model: (1) free meals, where a $0 order is not an anomaly on the dashboard and disappears among the 200 orders of a Friday rush; (2) multi-tenant scope, where 50 restaurants × one order per night equals 50 free meals per night; (3) refund manipulation, where customer/cancel with more modifier_option_ids than the original order yields a larger refund than was paid. CVSS 9.1, CRITICAL.

The vulnerable code in apps/web-menu/src/app/api/orders/route.ts did picks = modifier_option_ids.map(id => lookup.get(id)), then a reduce summing each price_delta into itemSubtotal. Three problems: (1) no dedup, so the array is mapped as-is and the same ID expands N times; (2) no per-line floor, so itemSubtotal can go negative and Math.max(0, ...) only applies to the final total; (3) no length cap, since the Zod schema was z.string().uuid() with no min/max, accepting 1000+ elements.

PR #580 (WW F1, 24-hour fix SLA) shipped three layers: (1) Set dedup at body parse, Array.from(new Set(modifier_option_ids)), the primary fix; (2) a per-line clamp, Math.max(0, picks.reduce(...)), as belt and suspenders; (3) a Zod .max(20) cap, reasonable given real-world arrays of 5-15 elements, following the PR #570 UU F3 pattern. Layer 4 moved the logic into packages/shared-types/src/lib/order-modifiers.ts as the canonical primitives dedupedModifierPicks and clampedUnitPrice, so that customer, admin, cancel and refund paths all use the shared lib, test-pinned in PR #583 (WW-B, 12 vitest tests).

A 90-day production audit found 12 orders matching the pattern: 7 malicious and 5 caused by a frontend bug. Five restaurants received chargebacks totalling $340 recovered, 12 restaurants received a one-month Pro tier credit, and $0 orders now trigger an auto-flag alarm. Çetin received a $3,500 bug bounty, a Hall of Fame entry and 12 months at the priority-2 tier; the LinkedIn post reached 17.4k and drew DMs from 5 SaaS founders.

The sweep covered modifier_option_ids on the order POST and PATCH endpoints and on customer/cancel; the backlog covers ai-recommend exclude_ids, waitlist recipients, allergen_incidents and shift-handover. In parallel, Margarida, a 36-year-old from Cedofeita, Porto (Bugcrowd Iberian top-10, ex-Revolut anti-fraud), found the same bug in the admin-side modifier system at /api/admin/orders (staff free orders); it was merged into PR #580, earned $3,200 plus 12 months at priority-2, and the two published a joint Twitter thread.

Keywords: saas order modifier duplicate id free meal exploit business logic; customer-controllable array body field set dedup negative delta floor; zod array length cap monetary calculation bypass; e-commerce restaurant order modifier price_delta negative attack.

The general pattern: a customer-controllable array body field expanded by business logic with a naive map() lets the same ID expand N times; if the per-id delta can be NEGATIVE, N × delta pushes unit_price below zero, a free-money exploit. The canonical fix has four components: (1) Set dedup at body parse, Array.from(new Set(arr)), as the primary fix; (2) a per-line Math.max(0, lineSubtotal) as belt and suspenders; (3) a Zod .max(N) reasonable cap; (4) shared deduped primitives, test-pinned so the regression is impossible. CLAUDE.md §17: customer-controllable array body fields MUST ALWAYS be deduplicated and given a negative-delta floor; this is the canonical anti-pattern, with PR #580 as the reference.
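The vulnerable calculation beside the four-component fix, as an added example written for this post; it is not thMenu's route.ts or shared lib. The catalogue, the option IDs and the $24 / -$8 values are constructed to mirror the lamb shish scenario, and the length cap is a plain check standing in for the Zod .max(20).

```typescript
type ModifierOption = { id: string; price_delta: number };

// Constructed catalogue (hypothetical IDs): extra cheese +2, half portion -8, no onion 0.
const CATALOG = new Map<string, ModifierOption>([
  ["cheese", { id: "cheese", price_delta: 2 }],
  ["half", { id: "half", price_delta: -8 }],
  ["noonion", { id: "noonion", price_delta: 0 }],
]);

const MAX_MODIFIERS = 20; // stands in for the Zod .max(20) cap

// VULNERABLE: naive map over the array as sent. The same ID expands N times
// and the line can go negative; only the final order total is clamped.
function vulnerableUnitPrice(base: number, ids: string[]): number {
  const picks = ids
    .map((id) => CATALOG.get(id))
    .filter((p): p is ModifierOption => p !== undefined);
  return base + picks.reduce((sum, p) => sum + p.price_delta, 0);
}

// Component 3: reject oversized arrays before any expansion.
// Component 1: Set dedup, so each option ID contributes its delta at most once.
function dedupedModifierPicks(ids: string[]): ModifierOption[] {
  if (ids.length > MAX_MODIFIERS) {
    throw new RangeError(`modifier_option_ids has ${ids.length} elements, max ${MAX_MODIFIERS}`);
  }
  const picks: ModifierOption[] = [];
  for (const id of Array.from(new Set(ids))) {
    const opt = CATALOG.get(id);
    if (!opt) throw new RangeError(`unknown modifier_option_id ${id}`);
    picks.push(opt);
  }
  return picks;
}

// Component 2: per-line floor, so negative deltas can never make a line worth less than $0.
function clampedUnitPrice(base: number, picks: ModifierOption[]): number {
  return Math.max(0, base + picks.reduce((sum, p) => sum + p.price_delta, 0));
}

// Lamb shish $24 with half portion sent three times:
// vulnerable path yields $0, hardened path yields $16.
const attackIds = ["half", "half", "half"];
console.log(vulnerableUnitPrice(24, attackIds));                          // 0
console.log(clampedUnitPrice(24, dedupedModifierPicks(attackIds)));       // 16
```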

thMenu Team, thmenu.com