industry · 2026-05-23 · 12 min read

I found a PostgREST URL injection bug: affiliate handler as a Supabase RLS bypass vector (PR #646 VI F2)

Cem (@cembug), a penetration tester and security researcher around 35 from Moda, Kadıköy, Istanbul, spends his weekends on SaaS API testing and bug bounties. One Sunday morning he put the thMenu affiliate dashboard behind a Burp Suite proxy. A normal `GET /api/affiliate/transactions?affiliate_id=cem123` returned 47 rows: his own transactions. With the URL manipulated to `?affiliate_id=cem123&or=affiliate_id.eq.competitor456`, the response held 47 + 23 = 70 rows: his OWN transactions plus a competitor's. **Cross-tenant data exposure via PostgREST URL injection.** PostgREST's filter syntax (`eq`, `or`, `in`, `gt`, `lt`) allows operators to be composed, and when client-supplied input is interpolated directly into the URL, the client can inject them.

thMenu support forensics: the PostgreSQL slow query log showed `SELECT * FROM affiliate_transactions WHERE (affiliate_id = cem123) OR (affiliate_id = competitor456)`. Wait: the RLS policy is `auth.uid() = affiliate_id`, so if Cem's JWT is for cem123, only cem123 should be visible. Why 70 rows? The Workers Route code:

```js
// Pre-fix handler: manual URL construction plus raw query-string passthrough,
// sent with the service-role key.
const url = `${supabaseUrl}/rest/v1/affiliate_transactions?affiliate_id=eq.${affiliateId}&${qs}`;
fetch(url, {
  headers: {
    Authorization: `Bearer ${SUPABASE_SERVICE_ROLE_KEY}`,
    apikey: SUPABASE_SERVICE_ROLE_KEY,
  },
});
```

**Two separate problems**: (1) The URL is built with a template literal and the `qs` query string is forwarded as-is, so Cem's `or=` injection landed. (2) **The service-role key is used, which bypasses RLS.** A service-role secret leak or an input injection breaks this trust assumption. Combined: OR injection + service-role bypass = cross-tenant exposure.

**PR #646 batch VI F2** is a two-layer fix: (1) Use the supabase-js client query builder: `supabase.from(table).select().eq(column, value)`, which escapes properly and allows no operator injection. (2) Anon key + user JWT: the user's JWT goes in the Authorization header instead of the service-role key. PostgreSQL's `auth.uid()` sees Cem's id and the RLS policy is enforced. Defense in depth: the two layers close independent vectors. For Cem: critical severity rating + $500 Wise transfer + Hall of Fame + 1 year of unlimited Pro tier.

Impact: we reviewed 90 days of audit logs and found no prior exploitation. Cem was the first, and he disclosed responsibly. Pattern: NEVER build URLs to the PostgREST API by hand (template literals, string concatenation); always use the supabase-js client query builder. The service-role key is only for admin operations (cron, webhooks, scheduled jobs); user-facing endpoints get the anon key + user JWT.
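To make the two fix layers concrete, here is an added example (not thMenu's code, and not supabase-js) that builds the same PostgREST request with Node's `URL`/`URLSearchParams`, the kind of encoding the query builder does for you, next to the pre-fix pattern. The endpoint path, the `limit`/`offset`/`order` allowlist and all sample values are assumptions constructed for the example.

```javascript
// Constructed example: the affiliate_transactions request, pre-fix and hardened.
const ENDPOINT = '/rest/v1/affiliate_transactions';
// Only pagination/ordering parameters may be forwarded from the client (assumed
// allowlist). PostgREST logical operators (or=, and=, not.*) and column filters
// are deliberately not in this set.
const FORWARDABLE = new Set(['limit', 'offset', 'order']);

// The pre-fix pattern: template literal plus raw query-string passthrough.
function buildVulnerableUrl(supabaseUrl, affiliateId, rawQs) {
  return `${supabaseUrl}${ENDPOINT}?affiliate_id=eq.${affiliateId}&${rawQs}`;
}

// Hardened builder. Refuses to run without a caller JWT instead of falling back
// to the service-role key, so every query carries an RLS context.
function buildHardenedRequest({ supabaseUrl, anonKey, userJwt, affiliateId, rawQs }) {
  if (!userJwt) throw new Error('missing user JWT; refusing to query without RLS context');
  const url = new URL(ENDPOINT, supabaseUrl);
  // URLSearchParams percent-encodes '&' and '=' inside the value, so anything
  // appended to the id stays part of this one filter value rather than
  // becoming a new PostgREST parameter.
  url.searchParams.set('affiliate_id', `eq.${affiliateId}`);
  const dropped = [];
  for (const [key, value] of new URLSearchParams(rawQs)) {
    if (FORWARDABLE.has(key)) url.searchParams.set(key, value);
    else dropped.push(key); // worth logging: an 'or' or 'and' here is an injection attempt
  }
  return {
    url: url.toString(),
    // Anon key + caller's JWT: auth.uid() resolves to the caller and RLS applies.
    headers: { apikey: anonKey, Authorization: `Bearer ${userJwt}` },
    dropped,
  };
}

// The parameter names PostgREST would see after URL decoding.
function filterKeys(urlString) {
  return [...new URL(urlString).searchParams.keys()];
}
```

The `dropped` list is the detection hook: a client sending `or=`, `and=` or column-filter keys to this endpoint has no legitimate reason to, so those keys belong in your logs.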


thMenu Team

thmenu.com
