Concurrent checkouts can lead to negative stock #4811

Closed
TWarszawski opened this Issue Aug 26, 2016 · 5 comments


TWarszawski commented Aug 26, 2016

Description

When two customers check out concurrently for the same product and the total quantity being ordered is greater than the quantity available, the stock can become negative even if the ‘Store Checkout’ setting under Stock is set to ‘no’.

Steps to reproduce

  1. Start site, create two customers, create/pick test product and allocate some stock.
  2. Both customers add the product to their carts such that each cart individually is under the available stock, but combined they exceed the available stock.
  3. Perform a checkout concurrently, making sure both customers finish checkout (click the ‘Confirm Order’ button) as close to the same time as possible.

We have reproduced this behavior on a single machine by performing the above steps, simulating one customer in one browser window and another customer in a second browser window.

Expected Result

One of the two checkouts fails to complete.

Actual Result

Both checkouts succeed and the quantity for the product is negative in the admin console.

danielkerr closed this Aug 28, 2016

danielkerr (Contributor) commented Aug 28, 2016

Use your brain! It's not hard to come up with a solution that does not involve coding!

arnisjuraga commented Mar 24, 2017

@TWarszawski - when a customer arrives in checkout, it creates an order in "Missing Orders" status.
At that moment, the product is not "reserved" or subtracted from stock, because it's not bought yet. If the payment fails, the product will still be available.

E.g. think about PayPal payment. To be able to implement this in every payment module, they should pre-check the availability of the product at the moment of payment processing.

Or it must "reserve" the product during checkout, which is even more complicated.

This can be something "nice to have", but if someone has a neat solution, I would be eager to look at it.
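The race the report describes, and why a separate availability pre-check at payment time (as suggested in the comment above) does not by itself close it, as an added example that is not part of this issue thread or of OpenCart's code. It uses SQLite and Python threads with constructed stock numbers (10 units in stock, two customers each ordering 7); the table, column names and function names are assumptions, not OpenCart's schema. A barrier forces the interleaving the report relies on (both checks pass before either write lands), so the result is deterministic rather than timing-dependent. The hardened form folds the check into the write (`UPDATE ... WHERE quantity >= ?`) and treats "0 rows updated" as "insufficient stock"; the same conditional UPDATE works in MySQL.

```python
"""Lost-update race on stock: read-then-decrement vs. atomic conditional decrement.

Added example, not OpenCart code. Schema and data below are constructed for the demo.
"""
import os
import sqlite3
import tempfile
import threading

STOCK = 10   # constructed: units in stock
WANTED = 7   # constructed: each of two customers orders 7 (7 < 10, but 7 + 7 > 10)


def _fresh_db() -> str:
    """Create a throwaway SQLite file holding one product row (constructed data)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE product (product_id INTEGER PRIMARY KEY, quantity INTEGER NOT NULL)")
    conn.execute("INSERT INTO product VALUES (1, ?)", (STOCK,))
    conn.commit()
    conn.close()
    return path


def checkout_unsafe(path: str, wanted: int, barrier: threading.Barrier) -> bool:
    """Check-then-write, the pattern the issue describes: read stock, compare, decrement.

    Two checkouts can both pass the comparison before either decrement is applied,
    so both succeed and the stock goes negative.
    """
    conn = sqlite3.connect(path, isolation_level=None, timeout=10)  # autocommit mode
    try:
        (qty,) = conn.execute("SELECT quantity FROM product WHERE product_id = 1").fetchall()[0]
        if qty < wanted:
            return False
        barrier.wait(timeout=5)  # force the interleaving: both checks done before any write
        conn.execute("UPDATE product SET quantity = quantity - ? WHERE product_id = 1", (wanted,))
        return True
    finally:
        conn.close()


def checkout_safe(path: str, wanted: int, barrier: threading.Barrier) -> bool:
    """Atomic conditional decrement: check and write are one statement.

    The database serialises the two UPDATEs; the second one finds quantity < wanted,
    touches zero rows, and the checkout is refused.
    """
    conn = sqlite3.connect(path, isolation_level=None, timeout=10)
    try:
        barrier.wait(timeout=5)
        cur = conn.execute(
            "UPDATE product SET quantity = quantity - ? WHERE product_id = 1 AND quantity >= ?",
            (wanted, wanted),
        )
        return cur.rowcount == 1  # 0 rows updated means the stock was insufficient
    finally:
        conn.close()


def run_concurrent(checkout, wanted: int = WANTED):
    """Run two checkouts concurrently; return (successful_orders, remaining_stock)."""
    path = _fresh_db()
    barrier = threading.Barrier(2)
    results = []
    results_lock = threading.Lock()

    def worker():
        ok = checkout(path, wanted, barrier)
        with results_lock:
            results.append(ok)

    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()

    conn = sqlite3.connect(path)
    (remaining,) = conn.execute("SELECT quantity FROM product WHERE product_id = 1").fetchone()
    conn.close()
    os.remove(path)
    return sum(results), remaining


if __name__ == "__main__":
    print("check-then-write:", run_concurrent(checkout_unsafe))  # (2, -4): both orders accepted
    print("conditional update:", run_concurrent(checkout_safe))  # (1, 3): one order refused
```

The point of the contrast is that moving the `SELECT` closer to the payment step does not help: any read followed by a separate write leaves a window in which a second request can read the same value. Either the check must be part of the write (as above), or the row must be locked across the check and the write (a `SELECT ... FOR UPDATE` inside a transaction in MySQL/InnoDB), or the product must be reserved when the order is created and released if payment fails.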

jberryman commented Apr 12, 2017

FYI from @TWarszawski and Peter Bailis' recent paper, concerning the voucher vulnerability #4812 which has been closed and comments blocked:

For example, in Magento [6], OpenCart [7], and Oscar [8], users can buy a single gift card, then spend it an unlimited number of times by concurrently issuing checkout requests.

The responses to these two tickets are baffling (and should be concerning to OpenCart users). I guess it will make for an entertaining slide at SIGMOD in a few weeks though.

danielkerr (Contributor) commented Apr 13, 2017

ghost commented May 11, 2017

Hello Daniel (@danielkerr),

Clearly, based on their research (@TWarszawski) into the concurrent (ACIDRain) attacks on your product, the voucher can be misused before it is over.

Perhaps you have been a little bit too fast in responding to all the previous people mentioning this issue – without reading the full posts and related reports. No problem though, I understand, we are all busy.

Brendon (@jberryman) didn't talk about the expired (or already used) vouchers either. The problem relates only to the fast, concurrent attacks on the unspent vouchers.

Your further thoughts on this serious issue?

Kind regards,
Tomas J Stehlik
