Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.
This repository was archived by the owner on May 29, 2026. It is now read-only.

[LOW] L3: applicatieToConsumer accepts unbounded clientIds array — minor authenticated DoS amplification #656

Description

@rubenvdlinde

Severity: LOW

Location: lib/Service/ZgwService.php (applicatieToConsumer)

Description:
applicatieToConsumer accepts the clientIds array from the incoming request body with no length bound. An authenticated caller can submit a request with thousands of clientIds entries, causing the service to:

  • Allocate a large array in memory.
  • Perform a database lookup for each entry in a loop.
  • Potentially exhaust PHP memory or cause a slow query if each lookup hits the DB.

While this requires a valid authenticated session (lowering the risk), it is still an unnecessary amplification vector on a shared Nextcloud instance.

Suggested fix:
Add a maximum length check on the clientIds array:

if (count($clientIds) > 100) {
    return new JSONResponse(['detail' => 'clientIds array exceeds maximum length of 100.'], 400);
}

Adjust the limit to reflect the realistic maximum number of client IDs per applicatie.

Source: deep team-reviewer pass 2026-05-27

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions