Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

fix: OR-API drift (C7/C9), StUF XXE (C6), multitenancy/brute-force/JSON fixes (H3/H4/H5/H7/L3)#664

Merged
rubenvdlinde merged 1 commit into
developmentfrom
fix/critical-remaining-security
May 27, 2026
Merged

fix: OR-API drift (C7/C9), StUF XXE (C6), multitenancy/brute-force/JSON fixes (H3/H4/H5/H7/L3)#664
rubenvdlinde merged 1 commit into
developmentfrom
fix/critical-remaining-security

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

Security fixes

Closes #639 (C6 — StUF XML/XXE)
Closes #640 (C7 — ObjectService findObject drift)
Closes #642 (C9 — InspectionService no-persist)
Closes #645 (H3 — multitenancy fail-open)
Closes #646 (H4 — JSON auto-fix regex)
Closes #647 (H5 — DRC uniqueness check fail-open)
Closes #648 (H7 — share token lockout bypass)
Closes #654 (L3 — clientIds DoS)

Changes

C7 — OR API drift (37 call sites, 24 files)
All findObject/getObject-3-arg calls replaced with find(id, register:..., schema:...) across controllers, services, listeners, and MCP provider.

C9 — InspectionController persistence
captureLocation, addPhoto, and complete now fetch from OR by UUID, process, and save back. Adds inspection_schema config key.

C6 — StUF XXE / DoS
XML parsing uses LIBXML_NONET; 2 MB body limit; structured log args.

H3 — multitenancy fail-open
Removed _multitenancy: false from searchObjectsPaginated — OR tenant isolation now applies to ZGW list endpoints.

H4 — JSON auto-fix regex
Removed preg_replace JSON repair in getRequestBody; malformed JSON is rejected rather than silently mangled.

H5 — DRC uniqueness check fail-open
searchDuplicateRelation catch block changed from return false to return true (fail-closed for uniqueness constraint).

H7 — share token lockout bypass
recordFailedAttempt no longer resets failedAttempts to 0 on lockout; counter resets only on successful auth.

L3 — clientIds DoS
validateClientIdUniqueness rejects requests with more than 100 clientIds with HTTP 400.

Tests

All 158 existing unit tests pass.

…, multitenancy fail-open (H3/H4/H5), share lockout bypass (H7), AC clientIds DoS (L3)

- C7: Replace all findObject()/getObject(register,schema,id) calls with the
  correct find(id, register: ..., schema: ...) across 24 files (37 call sites)
- C9: InspectionController now fetches inspection from OR by UUID, passes to
  InspectionService for processing, and saves back — no more silent no-persist;
  adds 'inspection_schema' config key
- C6: StufController XML parsing adds LIBXML_NONET (blocks XXE network fetch);
  2 MB body limit against XML bomb; structured log args (no injection)
- H3: Remove _multitenancy: false from searchObjectsPaginated in ZgwService —
  OR tenant isolation now applies to ZGW list endpoints
- H4: Remove preg_replace JSON auto-fix in getRequestBody; malformed JSON is
  rejected rather than silently mangled through a regex transform
- H5: ZgwDrcRulesService.searchDuplicateRelation catch block changed from
  return false (allow-on-error) to return true (block-on-error / fail-closed)
- H7: CaseSharingService.recordFailedAttempt no longer resets failedAttempts
  to 0 on lockout — counter now only resets on successful auth (fixes brute-force
  window bypass)
- L3: AcController.validateClientIdUniqueness enforces max 100 clientIds per
  applicatie to prevent DoS via oversized arrays
@rubenvdlinde rubenvdlinde merged commit b7c77e1 into development May 27, 2026
@rubenvdlinde rubenvdlinde deleted the fix/critical-remaining-security branch May 27, 2026 17:32
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant