Cap-go - Job Existence Oracle via Unauthenticated OPTIONS /build/upload/:jobId/*

An unauthenticated attacker sends an HTTP OPTIONS request to `/build/upload/:jobId/*` with a candidate job ID. If the job ID is invalid, the endpoint returns HTTP 204 with TUS capability headers; if the job ID is valid, it returns HTTP 404 with a JSON `not_found` body [ref_id=1]. This observable discrepancy (CWE-203) allows attackers to enumerate valid builder job IDs without any authentication. The endpoint also shows non-trivial latency (0.3–0.9s), enabling sustained unauthenticated traffic for resource consumption (CWE-400) [ref_id=1].

The advisory identifies `supabase/functions/_backend/public/build/index.ts` and `supabase/functions/_backend/public/build/upload.ts` as the affected files. The route `app.options('/upload/:jobId/*', ...)` in `index.ts` calls `tusProxy()` without requiring authentication (no `middlewareKey`), and `tusProxy()` in `upload.ts` queries `build_requests` by `builder_job_id`, returning different responses for valid vs. invalid job IDs [ref_id=1].

The advisory recommends requiring authentication for the OPTIONS route by applying `middlewareKey(['all','write'])` or equivalent, or handling OPTIONS locally without proxying to `tusProxy` (returning static TUS capability headers) combined with IP-based rate limiting [ref_id=1]. Either approach closes the information disclosure by eliminating the observable response discrepancy and removes the unauthenticated load surface.