Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

fix(security): fail closed in ZgwService auth checks (CWE-863)#631

Merged
rubenvdlinde merged 1 commit into
developmentfrom
fix/gate8-failclose
May 26, 2026
Merged

fix(security): fail closed in ZgwService auth checks (CWE-863)#631
rubenvdlinde merged 1 commit into
developmentfrom
fix/gate8-failclose

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

What

consumerHasScope() and getConsumerAuthorisaties() in ZgwService caught \Throwable and returned a granting value on error — true (has-scope) and null (= unrestricted per the contract, the caller treats null as allow-all). So any exception during the authorisation check silently granted full access (OWASP A01 / CWE-863, gate-8 unsafe-auth-resolver).

Fix

Fail closed on error: return false / return [] (deny). Normal-path returns are unchanged — only the catch(\Throwable) paths flip grant→deny.

Note on gate-8

validateJwtAuth() is also flagged by gate-8 but its catch returns a 403 (already fail-closed); the return null is its success path. That's a gate false-positive addressed by a precision fix to gate-8 in hydra (only flag return null inside the catch block) — analogous to the gate-7 CORS-preflight refinement.

consumerHasScope() and getConsumerAuthorisaties() caught \Throwable and
returned a GRANTING value on error (true = has-scope; null = unrestricted),
so any exception during the authorisation check silently granted full access.
Now fail closed: return false / [] on error (deny). Normal-path returns are
unchanged. The remaining catch+return-null the gate flags is validateJwtAuth,
whose catch returns a 403 response (already fail-closed) — addressed by a
gate-8 precision fix in hydra (only flag return-null INSIDE the catch).
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant