← Back to Baseline

MB-R099

File download and export endpoints require authorization

C03 Secure Coding Practices High

Custom download, invoice, report, and export endpoints must verify user authorization and object ownership before returning files. Unprotected endpoints can expose orders, customer data, invoices, exports, or payment-related records. Enforce ACL checks, signed URLs with short lifetimes where appropriate, and storage outside public web paths.

Why it Matters

Export and download endpoints often expose orders, customers, invoices, logs, or operational reports. If these endpoints lack authorization, predictable filenames, or expiry, sensitive data can be downloaded by unauthorized users.

Authorization and short-lived access keep exported data from becoming a permanent public artifact.

Verification Steps

Endpoint review

grep -RIE "(download|export|csv|fileFactory|create\()" app/code 2>/dev/null
# Check for ACL/customer ownership before file response

Direct access test

# Try export/download URL as anonymous user and low-privilege account
# Expected: denied

Remediation / Fix Guidance

  1. Require ACL, customer ownership, or signed short-lived tokens before downloads.
  2. Store generated exports outside public webroot.
  3. Use unpredictable filenames and delete exports after use.
  4. Avoid exposing raw filesystem paths in responses.
  5. Log export creation and download events for sensitive data.

Examples

Fail Example
https://mystore.com/export/orders.csv
# Public static export with customer data → FAIL
Pass Example
Export generated outside webroot, requires ACL, expires after 10 minutes, and is deleted after download.
# Controlled export → PASS

References