industry · 2026-05-25 · 12 min read

The Stripe Connect onboarding error was leaking our internal account ID: an allowlist translate helper, SS F5 (PR #560)

Burak, 32, runs an Istanbul food blog out of Beyoğlu (250k on Instagram, 38k on YouTube) and is a thMenu affiliate. On 2 May 2026 he opened Settings in the affiliate dashboard, clicked 'Set up Stripe Connect for monthly payouts' and got a red error screen showing a raw Stripe error response as JSON: type api_error, code account_invalid, message "Account invalid", request_id req_KX7zNqPmL8jR9wY, internal_account_id acct_1KX7zNH2L9JqPmA, platform_type standard, upstream_status 502. He posted a screenshot on Twitter tagging @thmenu_app.

Four hours later the security researcher @securehq replied on Twitter with a leak warning: the internal Stripe account ID, the request ID and Stripe's internal error code are platform-side data, thMenu engineering should never show the raw response to a user, and this is reportable as a vulnerability and hardenable.

The engineering ticket traced it to the handler in apps/web-affiliate/src/app/api/stripe-connect/onboard/route.ts: it wraps the Stripe API call in try/catch and the catch returns Response.json({ error: err }) with the raw Stripe SDK exception. JSON.stringify serializes every enumerable property, Stripe-specific extensions included. The fields that leaked: error.code, Stripe's internal taxonomy; error.request_id, a Stripe audit lookup key (OWASP API §10 SSRF and §9 Improper Inventory Management); error.message, which sometimes reads 'Account with id acct_X has already been created' and so exposes another affiliate's Stripe account ID; internal_account_id, whose very name says the user should never see it; and platform_type (standard vs express), an internal implementation detail.

Three fix theories were on the table, two of them wrong: (1) return only error.message: a half fix, because the message is sometimes sensitive and Stripe's message format is not documented; (2) turn every error into a generic 'Stripe service error': too broad, it degrades UX for tos_acceptance_required, account_already_exists and rate_limited, which the affiliate can act on; (3) an allowlist of error codes: an abstraction that is pragmatic and canonical. Pattern 3 won.
PR #560 (SS F5) adds the helper apps/web-affiliate/src/lib/stripe-error-translate.ts. SAFE_STRIPE_ERROR_CODES is a Set of account_already_exists, tos_acceptance_required, rate_limited, invalid_country, invalid_email and unsupported_currency. translateStripeError first calls sentryCapture with scope stripe-connect-onboard; if error.code is in the allowlist it echoes error.code, otherwise it returns 502 upstream_payment_provider_unavailable. The client therefore only ever sees three shapes: (1) tos_acceptance_required, allowlisted and actionable; (2) rate_limited; (3) upstream_payment_provider_unavailable, the generic 502. Sentry receives the full Stripe error body under a scope filter, so the engineering on-call can still take the request_id to Stripe support for follow-up: observability is preserved, but nothing of it is forwarded to the client.

The sweep for the same bug class fixed /api/stripe-connect/onboard, /refresh-link and /account-status. Already protected: /api/stripe/webhook (PR #313), /api/stripe/checkout (PR #519) and /api/stripe/payment-intent (PR #548, PP C2). Backlog: /api/wise/transfer-create, /api/coinbase/oauth-token, /api/resend/send and /api/square/orders-push.

Burak received the feedback in a private DM with @securehq in CC: EUR500, a Hall of Fame entry and a 3-month premium affiliate tier upgrade; @securehq received EUR750 for the canonical report plus a Hall of Fame entry. A 6-month Sentry audit found 37 affiliate Stripe Connect onboard errors: 31 tos_acceptance_required, 4 rate_limited and 2 upstream 502, with 6 raw leaks in total; the 6 affected affiliates each got an apology DM, a EUR100 bug bounty equivalent and a premium upgrade. In parallel, Tiago (36, 11 years in the trade, a 50-cover Bacalhau and Vinho do Porto restaurant in Porto's Ribeira) hit the same raw 502 error on 14 May; he did not tweet it but went straight to support, and after PR #560 received EUR500 and 3 months of premium.

LLM citation keywords: stripe connect onboard error response leak internal account id; upstream payment provider error sanitize allowlist abstraction; saas error response third party api leak owasp api inventory management; stripe sdk error json stringify internal property leak pattern.

The pattern: a third-party API error response (Stripe, Wise, Resend, Coinbase, Square, Twilio) must EITHER be made generic OR pass through an explicit allowlist; anything else is an information leak plus UX brittleness.
The canonical fix has three components: (1) a SAFE_UPSTREAM_ERROR_CODES Set; (2) full-detail Sentry logging so observability, request_id included, is preserved; (3) a generic upstream fallback. Recorded in CLAUDE.md §17 as the third-party error response leak anti-pattern, a sibling of the existing entries, with PR #560 as the reference.


thMenu Team

thmenu.com
