Skip to content

Fix double refund race condition vulnerability #1406

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ArnavBallinCode wants to merge 15 commits into
base: dev
Choose a base branch
from
Open

Fix double refund race condition vulnerability #1406

Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
1561492
Fix double refund race condition vulnerability
ArnavBallinCode Dec 1, 2025
4ea2aaf
optimize refund locking to single query.
ArnavBallinCode Dec 1, 2025
c6f50c9
Merge branch 'enext' into fix/double-refund-race-condition
ArnavBallinCode Dec 8, 2025
d40eaca
Update app/eventyay/api/views/order.py
ArnavBallinCode Dec 9, 2025
c5278c8
Update app/eventyay/api/views/order.py
ArnavBallinCode Dec 9, 2025
75e0729
added test for race condition
ArnavBallinCode Dec 9, 2025
0970534
fixed test
ArnavBallinCode Dec 9, 2025
ca66d0b
Merge branch 'enext' into fix/double-refund-race-condition
ArnavBallinCode Dec 9, 2025
dbc101d
Merge branch 'enext' into fix/double-refund-race-condition
ArnavBallinCode Dec 9, 2025
50b4755
Merge branch 'enext' into fix/double-refund-race-condition
mariobehling Dec 10, 2025
a7ac676
Merge branch 'enext' into fix/double-refund-race-condition
mariobehling Dec 10, 2025
1c0e2f3
Remove test
ArnavBallinCode Dec 10, 2025
03a213a
Merge branch 'enext' into fix/double-refund-race-condition
ArnavBallinCode Dec 13, 2025
f50b5a6
Merge branch 'enext' into fix/double-refund-race-condition
ArnavBallinCode Dec 17, 2025
55974bf
Merge branch 'enext' into fix/double-refund-race-condition
ArnavBallinCode Dec 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion app/eventyay/api/views/order.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1247,8 +1247,14 @@ def confirm(self, request, **kwargs):
return self.retrieve(request, [], **kwargs)

@action(detail=True, methods=['POST'])
@transaction.atomic
Copy link
Member

@hongquan hongquan Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Putting transaction.atomic here doesn't work, because this refund function already handle an PaymentException:

try:
    r.payment_provider.execute_refund(r)
except PaymentException as e:

Read the Avoid catching exceptions inside atomic! note.

def refund(self, request, **kwargs):
payment = self.get_object()
# Acquire row-level lock on payment to prevent concurrent refund race conditions.
# We reuse DRF's filtering & permission logic while issuing a single SELECT ... FOR UPDATE.
queryset = self.filter_queryset(self.get_queryset().select_for_update())
lookup_url_kwarg = self.lookup_url_kwarg or self.lookup_field
lookup_value = self.kwargs[lookup_url_kwarg]
payment = get_object_or_404(queryset, **{self.lookup_field: lookup_value})
amount = serializers.DecimalField(max_digits=10, decimal_places=2).to_internal_value(
request.data.get('amount', str(payment.amount))
)
Expand All @@ -1265,6 +1271,7 @@ def refund(self, request, **kwargs):

full_refund_possible = payment.payment_provider.payment_refund_supported(payment)
partial_refund_possible = payment.payment_provider.payment_partial_refund_supported(payment)
# Calculate available amount under lock - prevents TOCTOU race condition
available_amount = payment.amount - payment.refunded_amount

if amount <= 0:
Expand Down