Skip to content

fix(payments-next): [f001] getCart mints Stripe Customer Session secret without ownership check#20840

Merged
elizabeth-ilina merged 1 commit into
mainfrom
PAY-3795-f-001-get-cart-mints-stripe-customer-session-secret-without-ownership-check
Jul 13, 2026
Merged

fix(payments-next): [f001] getCart mints Stripe Customer Session secret without ownership check#20840
elizabeth-ilina merged 1 commit into
mainfrom
PAY-3795-f-001-get-cart-mints-stripe-customer-session-secret-without-ownership-check

Conversation

@elizabeth-ilina

@elizabeth-ilina elizabeth-ilina commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Because

  • Cart read/mutate paths must verify ownership when cart.uid is set to prevent an attacker with a cart's UUID from reading someone else's information.

This pull request

  • Adds a uid check to various cart read/mutate actions.
  • Redirects accordingly when this error is thrown

Issue that this pull request solves

Closes:

Checklist

Put an x in the boxes that apply

  • My commit is GPG signed.
  • If applicable, I have modified or added tests which pass locally.
  • I have added necessary documentation (if appropriate).
  • I have verified that my changes render correctly in RTL (if appropriate).
  • I have manually reviewed all AI generated code.

How to review (Optional)

  • Key files/areas to focus on:
  • Suggested review order:
  • Risky or complex parts:

Screenshots (Optional)

Screen.Recording.2026-07-10.at.1.37.39.PM.mov
Screen.Recording.2026-07-10.at.1.39.39.PM.mov

Other information (Optional)

Any other information that is important to this pull request.

@elizabeth-ilina elizabeth-ilina force-pushed the PAY-3795-f-001-get-cart-mints-stripe-customer-session-secret-without-ownership-check branch from 4e6a561 to 0e0c0de Compare July 9, 2026 20:43
@elizabeth-ilina elizabeth-ilina marked this pull request as ready for review July 9, 2026 20:43
@elizabeth-ilina elizabeth-ilina requested a review from a team as a code owner July 9, 2026 20:43
@elizabeth-ilina elizabeth-ilina marked this pull request as draft July 10, 2026 15:24
@elizabeth-ilina elizabeth-ilina force-pushed the PAY-3795-f-001-get-cart-mints-stripe-customer-session-secret-without-ownership-check branch from 0e0c0de to d78875d Compare July 10, 2026 16:27
@elizabeth-ilina elizabeth-ilina marked this pull request as ready for review July 10, 2026 17:42
@elizabeth-ilina elizabeth-ilina force-pushed the PAY-3795-f-001-get-cart-mints-stripe-customer-session-secret-without-ownership-check branch from d78875d to dac8c59 Compare July 10, 2026 18:03
Comment thread libs/payments/cart/src/lib/cart.service.ts
@elizabeth-ilina elizabeth-ilina marked this pull request as draft July 10, 2026 22:15
@elizabeth-ilina elizabeth-ilina force-pushed the PAY-3795-f-001-get-cart-mints-stripe-customer-session-secret-without-ownership-check branch 2 times, most recently from ea9cc11 to a47b411 Compare July 13, 2026 12:24
@elizabeth-ilina elizabeth-ilina marked this pull request as ready for review July 13, 2026 12:41
@elizabeth-ilina elizabeth-ilina force-pushed the PAY-3795-f-001-get-cart-mints-stripe-customer-session-secret-without-ownership-check branch from a47b411 to e7a5d09 Compare July 13, 2026 14:05
…et without ownership check

Because:

* Cart read/mutate paths must verify ownership when cart.uid is set to prevent an attacker with a cart's UUID from reading someone else's information.

This commit:

* Adds a uid check to various cart read/mutate actions.

Closes #[PAY-3795](https://mozilla-hub.atlassian.net/browse/PAY-3795)
@elizabeth-ilina elizabeth-ilina force-pushed the PAY-3795-f-001-get-cart-mints-stripe-customer-session-secret-without-ownership-check branch from e7a5d09 to 9c6af8a Compare July 13, 2026 16:23

@StaberindeZA StaberindeZA left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

r+. LGTM ty!

@elizabeth-ilina elizabeth-ilina merged commit 8b340e2 into main Jul 13, 2026
17 of 19 checks passed
@elizabeth-ilina elizabeth-ilina deleted the PAY-3795-f-001-get-cart-mints-stripe-customer-session-secret-without-ownership-check branch July 13, 2026 16:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants