industry · 2026-05-24 · 13 min read

The Worker anomaly-resolve endpoint had no allowlist: arbitrary resolution bypass via a direct Bearer call — TT F5 (PR #565)

Selcuk is a 34-year-old independent API/DevSecOps researcher from Moda, Kadikoy, Istanbul, with 8 years in the field: 5 years on Hepsiburada platform security and 3 years solo as @selcuk-devsec, auditing the worker layer and API gateway security of Turkish and EU SaaS products. In Q1 2026 he ran a validation-parity test against the thMenu open-source repo: does the internal Cloudflare Worker validate the same things the Next.js layer validates? The target was affiliate anomaly resolution. The superadmin Next.js route calls the Worker endpoint /api/affiliate/anomaly-resolve, which is authenticated with an API_SECRET_KEY Bearer token and is also meant to be called by the internal cron, by scripts and by a future MCP integration. The question was simple: Next.js validates the resolution value, but can the Worker be bypassed by calling it directly with an arbitrary string?

The handler in cloudflare/src/handlers/affiliate-anomaly-resolve.ts did `const body = await req.json();` and then ran `UPDATE affiliate_anomalies SET resolved=1, resolution=?, resolved_by=?, resolved_at=? WHERE id=?`. That gives four problems:

(1) resolution accepted ANY string; there was no allowlist. The anomaly state machine expects dismissed/suspended/banned, but an attacker could send resolution=free_pro_tier_forever or resolution=<script>.
(2) resolved_by accepted ANY string; the expected value is "system" or a UUID v4. An attacker could send resolved_by=ghost_admin and blur the audit log.
(3) There was no row-existence check and no race guard. The UPDATE ran blindly, 0 affected rows still returned 200 OK, and concurrent resolves could overwrite each other's history.
(4) There was no audit log. Without structured logging, a direct-worker caller (cron, script, MCP, or an attacker) left no trace in the audit trail.

Threat model: the Next.js path is safe (Zod enum + auth + CSRF), but if the API_SECRET_KEY Bearer token leaks, an attacker calling the Worker directly gets arbitrary resolution values, arbitrary resolved_by values, history overwrite and audit blur. This is a defense-in-depth gap. The writeup rated it CVSS 5.8 MEDIUM: privilege escalation via secret leak plus audit-trail compromise.

Engineering raised three counter-theories, all wrong: (1) "API_SECRET_KEY is already secret, a leak is hypothetical"; but the same layered-defense pattern that drove PR #585 XX F2 (backup encryption) and PR #560 SS F1 (BACKUP_SKIP_DATA) applies here. (2) "The Worker silently trusts the Next.js upstream"; but the Worker is a directly callable endpoint with a cron + script + MCP trust model, so it cannot assume upstream validation has already been done. (3) "A free-form resolved_by gives ops flexibility"; but audit-log integrity requires a canonical value (system or a UUID), and arbitrary values blur it and lower SOC 2 CC7.1 evidence integrity.
PR #565 (batch TT F5) shipped four layers of hardening. Layer 1: an ANOMALY_RESOLUTIONS allowlist Set (dismissed/suspended/banned); anything else gets 422 invalid_resolution. Layer 2: a RESOLVED_BY_PATTERN regex, ^(system|UUID v4)$; anything else gets 422 invalid_resolved_by, so ghost_admin is rejected. Layer 3: a race guard; the UPDATE carries AND resolved=0, and meta.changes=0 returns 404 not_found_or_already_resolved, so a concurrent re-resolve fails. Layer 4: a structured console.log audit trail (event + anomaly_id + resolution + resolved_by + resolved_at + caller_ip), shipped through Logpush and Sentry, which gives SOC 2 evidence and suspicious-pattern detection.

A 90-day production audit found 247 calls, all legitimate, with 0 leak-exploit patterns; the defense-in-depth secret-leak scenario stayed hypothetical. Selcuk retried the bypass in a lab: an arbitrary resolution returned 422, an arbitrary resolved_by returned 422, and a re-resolve returned 404. Selcuk received €1200 via Wise for the CVSS 5.8 finding, plus Hall of Fame and a security advisory board blog that reached 1.9k in the Turkish DevSecOps community. Felix (Stokes Croft, Bristol; 36 years old, 9 years of experience, ex-Monzo platform security) made a parallel disclosure and received €1400, with a LinkedIn reach of 4.0k in the UK DevSecOps community.

Pattern: a Worker handler must not trust the upstream Next.js layer; every layer validates on its own. For a state-changing Worker endpoint the quartet is allowlist Set + regex pattern + race guard + structured audit log.

Sibling sweep: /api/affiliate/anomaly-resolve (TT F5); /api/affiliate/postback-secret/rotate (PR #609 CCC-B, dual-secret + OCC); /api/admin/erase-user (PR #611 DDD F1, audit log); /api/cron/inventory-predict (PR #606 CCC F1, claim-rollback); /api/cron/feedback-sentiment (PR #639 IV F4, poison-pill); /api/superadmin/affiliate/[id]/status (PR #660 X F4, OCC race guard).

Implementation checklist: identify each worker handler; add an allowlist Set; add a regex pattern; use a race-guarded UPDATE and return 404 when meta.changes is 0; add a structured console.log audit event; add a PR-template checkbox; run a quarterly grep audit. PR #565 is the reference.


thMenu Team

thmenu.com
