fix(billing): harden server actions against open redirect and runId abuse (#2217)

- Remove returnUrl/returnBaseUrl parameters from subscribeToPentestPlan
  and createBillingPortalSession; URLs are now computed server-side from
  env vars + request host, preventing open-redirect phishing via direct
  server action invocation
- Validate runId in checkAndChargePentestBilling against the DB to ensure
  the run exists and belongs to the org, preventing repeated overage
  charges via arbitrary fabricated runId strings
- Remove duplicate PageLayout/PageHeader from billing page (layout
  already provides them for all settings routes)

Co-authored-by: Claudio Fuentes <claudio@trycomp.ai>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: 3 people

apps/app/src/app/(app)/[orgId]/security/penetration-tests/actions/billing.ts

@@ -16,11 +16,19 @@ async function requireOrgMember(orgId: string): Promise<void> {
   }
 }
 
+async function getOrgBillingUrl(orgId: string): Promise<string> {
+  const requestHeaders = await headers();
+  const host = requestHeaders.get('host') ?? '';
+  const proto = host.startsWith('localhost') ? 'http' : 'https';
+  const origin = env.NEXT_PUBLIC_BETTER_AUTH_URL ?? `${proto}://${host}`;
+  return `${origin}/${orgId}/settings/billing`;
+}
+
 export async function subscribeToPentestPlan(
   orgId: string,
-  returnBaseUrl: string,
 ): Promise<{ url: string }> {
   await requireOrgMember(orgId);
+  const returnBaseUrl = await getOrgBillingUrl(orgId);
 
   if (!stripe) {
     throw new Error('Stripe is not configured.');
@@ -170,9 +178,9 @@ export async function handleSubscriptionSuccess(
 
 export async function createBillingPortalSession(
   orgId: string,
-  returnUrl: string,
 ): Promise<{ url: string }> {
   await requireOrgMember(orgId);
+  const returnUrl = await getOrgBillingUrl(orgId);
 
   if (!stripe) {
     throw new Error('Stripe is not configured.');
@@ -197,6 +205,15 @@ export async function createBillingPortalSession(
 export async function checkAndChargePentestBilling(orgId: string, runId: string): Promise<void> {
   await requireOrgMember(orgId);
 
+  // Verify the run exists and belongs to this org to prevent arbitrary runId abuse.
+  const run = await db.securityPenetrationTestRun.findUnique({
+    where: { id: runId },
+    select: { organizationId: true },
+  });
+  if (!run || run.organizationId !== orgId) {
+    throw new Error('Run not found.');
+  }
+
   const subscription = await db.pentestSubscription.findUnique({
     where: { organizationId: orgId },
     include: { organizationBilling: true },

apps/app/src/app/(app)/[orgId]/settings/billing/page.tsx

@@ -1,7 +1,6 @@
-import { env } from '@/env.mjs';
 import { auth } from '@/utils/auth';
 import { db } from '@db';
-import { Button, PageHeader, PageLayout } from '@trycompai/design-system';
+import { Button } from '@trycompai/design-system';
 import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@comp/ui/card';
 import { headers } from 'next/headers';
 import type { Metadata } from 'next';
@@ -77,20 +76,8 @@ export default async function BillingPage({ params, searchParams }: BillingPageP
         })
       : null;
 
-  // Prefer the explicit base URL env var; fall back to the request origin so
-  // Stripe always receives an absolute URL (relative URLs are rejected).
-  const requestHeaders = await headers();
-  const host = requestHeaders.get('host') ?? '';
-  const proto = host.startsWith('localhost') ? 'http' : 'https';
-  const origin = env.NEXT_PUBLIC_BETTER_AUTH_URL ?? `${proto}://${host}`;
-  const billingUrl = `${origin}/${orgId}/settings/billing`;
-
   return (
-    <PageLayout>
-      <PageHeader title="Billing">
-        Manage your subscriptions and payment methods.
-      </PageHeader>
-
+    <div className="space-y-6">
       {successMessage && (
         <div className="rounded-md bg-green-50 border border-green-200 p-4 text-green-800 text-sm">
           {successMessage}
@@ -119,7 +106,7 @@ export default async function BillingPage({ params, searchParams }: BillingPageP
               <form
                 action={async () => {
                   'use server';
-                  const { url } = await createBillingPortalSession(orgId, billingUrl);
+                  const { url } = await createBillingPortalSession(orgId);
                   redirect(url);
                 }}
               >
@@ -184,7 +171,7 @@ export default async function BillingPage({ params, searchParams }: BillingPageP
             <form
               action={async () => {
                 'use server';
-                const { url } = await subscribeToPentestPlan(orgId, billingUrl);
+                const { url } = await subscribeToPentestPlan(orgId);
                 redirect(url);
               }}
             >
@@ -193,7 +180,7 @@ export default async function BillingPage({ params, searchParams }: BillingPageP
           )}
         </CardContent>
       </Card>
-    </PageLayout>
+    </div>
   );
 }