industry | 2026-05-25 | 13 min read

Order POST Zod schema had no items length cap; a 50k-item payload blew up the D1 batch — UU F3 (PR #570)

Selin, a 33-year-old freelance API security researcher from Cihangir, Istanbul, HackerOne TR top-20, has spent seven years in one niche: Zod schema fuzzing. In May 2026 she ran API input-boundary fuzzing against thMenu's OpenAPI 3.1 spec (47 endpoints). POST /api/orders is the customer-side critical path. In the documentation, OrderCreateRequest.items is a ProductOrderItem array with no min/max.

She sent a curl request with 50,000 items: product_id a real UUID, product_name "Test", quantity 1, unit_price 0.01, a 500-character note, an Idempotency-Key header; a 30 MB request. After 15 seconds the response was a 500 "Database batch operation failed". The Sentry trace showed D1_ERROR: too many SQL variables (max 32766), 600,028 bind parameters: 28 order columns + 12 item columns × 50k = 600,028, an 18× overshoot, and the whole batch rolled back.

The Zod schema in apps/web-menu/src/app/api/orders/route.ts declared items as z.array(OrderItemSchema).min(1) with no max cap; product_name and note had no string length cap either (Zod's default is any length). Practical effect: orders with 100+ items silently fail in production. Attacker DoS vector: a 30-50 MB payload exhausts worker isolate memory, blocks D1 connections, and cascades lag onto concurrent requests. Threat model: 5,000 items × a 5,000-character note is ~25 MB against the worker's 128 MB heap; the OOM exception cascades to concurrent requests. During a Saturday 19:30 dinner rush, a 30-second OOM trigger of 50 requests means 2-3 minutes of 500s, real customers blocked at checkout, lost revenue and brand damage.

PR #570 (UU F3) is a three-layer fix. Layer 1: items array .max(100) (1,228 bind parameters, 4% of the SQLite ceiling) plus per-field caps: product_name .max(200), quantity .max(99), unit_price .max(10000), note .max(500). Layer 2: product_name canonicalization with a server-side override (SEC-H10, extending PR #305): fetchProductFromRegistry supplies canonical.name and canonical.price. Bonus: a malicious product_name such as "CONTAINS ALLERGEN PEANUT" would show a false warning on the KDS and mislead kitchen staff; server-side canonicalization closes that too. Layer 3: a worker-level Content-Length cap of 256 KB, checked before the request body is parsed, early-exits with 413 Payload Too Large; a legitimate 100 × 500 is ~50 KB and stays well below it. Sibling sweep: the kiosk endpoint /api/kiosk/order, which as an admin-side path had fewer protection layers than the customer-side one, gets the same caps in PR #570 UU F3.
PR #585 (XX F1) is the sibling-endpoint hardening parity sweep, admin vs. customer: admin-side endpoints get the same validation bounds as the customer-side ones, triggered by CLAUDE.md §17. A 90-day production audit of Sentry and WAF data found 3 distinct DoS attempts with 50k+ payloads in burst mode on Saturday evenings, 30-second bursts, against 12,000 legitimate orders in the normal range (max 8 items); a 3-IP cluster on Pakistani and Russian VPNs, WAF-blocked for 60 days. Selin received an $1,800 bounty + 6 months priority; LinkedIn 12.4k; an OWASP TR talk. Kacper, 36, from Stare Miasto, Wroclaw, HackerOne Polish top-15, found the same bug in parallel the same week on the admin-side POST /api/admin/orders; it was merged into PR #570; $1,800 + a joint 6 months; LinkedIn 18.7k.

Search phrases: zod array max cap rest api body length validation; sqlite d1 bind parameter limit 32766 batch order items; cloudflare worker request body size limit dos memory exhaustion; customer-controllable array body field zod bounds canonical pattern.

Pattern: a customer-controllable array body field must carry a Zod max cap; the default (any length) is a DoS vector. The canonical fix has five components: (1) a .max(N) cap that leaves legitimate use cases untouched while blocking abuse; (2) per-item string length caps; (3) a worker-level Content-Length early-exit; (4) Set dedup on ID arrays (PR #580, WW F1); (5) server-side canonicalization (SEC-H10). Sweep: grep every POST/PATCH Zod schema for arrays lacking .max(N); a missing cap blocks PR review. CLAUDE.md §17: customer-controllable array body fields must ALWAYS be deduplicated, plus the negative-delta floor anti-pattern. PR #570 is the reference.

thMenu Team

thmenu.com
