Marking an order 'shipped' with no tracking information means the customer cannot follow their package, support staff cannot look up the shipment when a delivery dispute arises, and the shipment email (if it exists) contains nothing actionable. A 'your order has shipped' notification with no tracking number is effectively a lie by omission — it closes the customer's window of action while giving them nothing to work with. This gap also cascades into the OWASP A01 risk surface if the tracking update endpoint accepts shipping confirmation without validating that the actor has captured required fulfillment data.
High because an order marked shipped without tracking data leaves customers unable to monitor delivery and support staff unable to investigate loss or delay claims.
Add trackingNumber, trackingCarrier, and shippedAt fields to the order schema in prisma/schema.prisma, then require them in lib/orders/shipping.ts when marking an order shipped.
// lib/orders/shipping.ts
// `db` (Prisma client) and `transitionOrder` (the order state-machine helper)
// are imported from elsewhere in the project and are not shown here.
export async function markOrderShipped(
  orderId: string,
  trackingNumber: string,
  carrier: string,
  actorId: string
) {
  // Reject whitespace-only values as well as missing ones
  const tracking = trackingNumber?.trim()
  if (!tracking) throw new Error('Tracking number required to mark order shipped')
  if (!carrier?.trim()) throw new Error('Carrier required to mark order shipped')
  // Ideally both writes run in one transaction so a shipped order never lacks tracking
  await transitionOrder(orderId, 'shipped', actorId)
  await db.orders.update({
    where: { id: orderId },
    data: { trackingNumber: tracking, trackingCarrier: carrier.trim(), shippedAt: new Date() },
  })
}
ID: ecommerce-order-management.order-lifecycle.tracking-info
Severity: high
What to look for: Find the code path that transitions an order to shipped status. Count the tracking-related fields available on the order model or a linked shipments table — look for tracking_number, shipment_id, carrier, or tracking_url. Quote the exact field names found in the schema. Check whether the admin interface for marking orders as shipped includes a form field for entering tracking information. At least 1 tracking field must exist to pass.
Pass criteria: Orders in shipped status have or link to tracking information. At minimum 1 tracking field (tracking_number, shipment_id, or tracking_url) exists on the order model or a linked shipments table and is expected to be populated when marking an order shipped. The admin interface for shipping an order includes a tracking number input. A shipped handler that accepts no tracking data parameters does not count as pass.
Fail criteria: Orders can be marked as shipped with status alone — no mechanism exists to capture or store tracking information alongside the status change (0 tracking fields in schema). The admin "mark as shipped" action only updates the status field.
Skip (N/A) when: The project does not track shipments internally — it delegates all shipping and tracking to a third-party fulfillment or logistics platform that handles tracking independently, and the project only receives webhooks for status updates. No shipped status value exists in the codebase.
Detail on fail: "The admin 'Mark as Shipped' action updates order status to 'shipped' but does not accept or store a tracking number. 0 tracking fields (tracking_number, shipment_id, carrier) exist on the order model. Customers cannot be given tracking information."
Cross-reference: If tracking info is not captured here, the shipment-email notification check will also likely fail or produce a useless notification — a shipment email without tracking info is ineffective.
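As an added illustration (not the project's code) of how the pass/fail criteria above can be evaluated mechanically: the checker below scans the text of a Prisma schema, assumes the order model is named Order, treats any model referenced by a field on Order as a linked shipments table, and returns pass only when at least one tracking field is found. The two sample schemas are constructed for the example.

```typescript
// Added example, not the project's code: a checker for the criteria above. It
// scans the text of a Prisma schema, assumes the order model is named Order, and
// treats any model referenced by a field on Order as a linked shipments table.
const TRACKING_FIELDS = ['tracking_number', 'shipment_id', 'carrier', 'tracking_url']
// camelCase -> snake_case so trackingNumber matches tracking_number
const snake = (s: string) => s.replace(/([a-z0-9])([A-Z])/g, '$1_$2').toLowerCase()
export function isTrackingField(name: string): boolean {
  const n = snake(name)
  return TRACKING_FIELDS.includes(n) || n.startsWith('tracking_')
}

// Fields of one `model X { ... }` block as {name, type}; comments and @@ lines skipped
export function modelFields(schema: string, model: string): { name: string; type: string }[] {
  const m = new RegExp(`model\\s+${model}\\s*\\{([^}]*)\\}`).exec(schema)
  if (!m) return []
  return m[1].split('\n').map((l) => l.trim())
    .filter((l) => l && !l.startsWith('//') && !l.startsWith('@@'))
    .map((l) => {
      const [name, kind] = l.split(/\s+/)
      return { name, type: (kind ?? '').replace(/[\[\]?]/g, '') } // strip [] and ?
    })
}

// Pass if at least one tracking field exists on Order or on a model it links to
export function evaluateTrackingInfo(schema: string, orderModel = 'Order') {
  const fields: string[] = []
  for (const f of modelFields(schema, orderModel)) {
    if (isTrackingField(f.name)) fields.push(`${orderModel}.${f.name}`)
    for (const g of modelFields(schema, f.type)) {
      if (isTrackingField(g.name)) fields.push(`${f.type}.${g.name}`)
    }
  }
  return { status: fields.length > 0 ? 'pass' : 'fail', fields }
}

// Constructed samples: a status-only order (fail) and a linked Shipment table (pass)
export const FAIL_SCHEMA = `model Order {
  id        String    @id @default(uuid())
  status    String
  shippedAt DateTime?
}`
export const PASS_SCHEMA = `model Order {
  id        String     @id
  shipments Shipment[]
}
model Shipment {
  id             String @id
  trackingNumber String
  carrier        String
}`
```

Note that shippedAt alone does not count as a tracking field, matching the fail criteria: a timestamp tells the customer nothing they can act on.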
Remediation: Add tracking fields to your order model (in prisma/schema.prisma) and require them when marking an order shipped in lib/orders/shipping.ts:
// Schema addition (prisma/schema.prisma), inside the Order model:
//   trackingNumber  String?
//   trackingCarrier String?
//   shippedAt       DateTime?

// Shipping handler (lib/orders/shipping.ts)
// `db` (Prisma client) and `transitionOrder` (the order state-machine helper)
// are imported from elsewhere in the project and are not shown here.
export async function markOrderShipped(
  orderId: string,
  trackingNumber: string,
  carrier: string,
  actorId: string
) {
  // Reject whitespace-only values as well as missing ones
  const tracking = trackingNumber?.trim()
  if (!tracking) {
    throw new Error('Tracking number is required to mark an order as shipped')
  }
  if (!carrier?.trim()) {
    throw new Error('Carrier is required to mark an order as shipped')
  }
  // Ideally both writes run in one transaction so a shipped order never lacks tracking
  await transitionOrder(orderId, 'shipped', actorId)
  await db.orders.update({
    where: { id: orderId },
    data: { trackingNumber: tracking, trackingCarrier: carrier.trim(), shippedAt: new Date() },
  })
}
This ensures tracking data is captured at the moment of shipping and can be included in the shipment notification email to the customer.