MB-R099
Custom download, invoice, report, and export endpoints must verify user authorization and object ownership before returning files. Unprotected endpoints can expose orders, customer data, invoices, exports, or payment-related records. Enforce ACL checks, signed URLs with short lifetimes where appropriate, and storage outside public web paths.
Export and download endpoints often expose orders, customers, invoices, logs, or operational reports. If these endpoints lack authorization, predictable filenames, or expiry, sensitive data can be downloaded by unauthorized users.
Authorization and short-lived access keep exported data from becoming a permanent public artifact.
grep -RIE "(download|export|csv|fileFactory|create\()" app/code 2>/dev/null
# Check for ACL/customer ownership before file response
# Try export/download URL as anonymous user and low-privilege account
# Expected: denied
https://mystore.com/export/orders.csv
# Public static export with customer data → FAIL
Export generated outside webroot, requires ACL, expires after 10 minutes, and is deleted after download.
# Controlled export → PASS