You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Description: applicatieToConsumer accepts the clientIds array from the incoming request body with no length bound. An authenticated caller can submit a request with thousands of clientIds entries, causing the service to:
Allocate a large array in memory.
Perform a database lookup for each entry in a loop.
Potentially exhaust PHP memory or cause a slow query if each lookup hits the DB.
While this requires a valid authenticated session (lowering the risk), it is still an unnecessary amplification vector on a shared Nextcloud instance.
Suggested fix:
Add a maximum length check on the clientIds array:
if (count($clientIds) > 100) {
returnnewJSONResponse(['detail' => 'clientIds array exceeds maximum length of 100.'], 400);
}
Adjust the limit to reflect the realistic maximum number of client IDs per applicatie.
Severity: LOW
Location:
lib/Service/ZgwService.php(applicatieToConsumer)Description:
applicatieToConsumeraccepts theclientIdsarray from the incoming request body with no length bound. An authenticated caller can submit a request with thousands ofclientIdsentries, causing the service to:While this requires a valid authenticated session (lowering the risk), it is still an unnecessary amplification vector on a shared Nextcloud instance.
Suggested fix:
Add a maximum length check on the
clientIdsarray:Adjust the limit to reflect the realistic maximum number of client IDs per applicatie.
Source: deep team-reviewer pass 2026-05-27