This repository was archived by the owner on May 29, 2026. It is now read-only.
fix: OR-API drift (C7/C9), StUF XXE (C6), multitenancy/brute-force/JSON fixes (H3/H4/H5/H7/L3)#664
Merged
Conversation
…, multitenancy fail-open (H3/H4/H5), share lockout bypass (H7), AC clientIds DoS (L3) - C7: Replace all findObject()/getObject(register,schema,id) calls with the correct find(id, register: ..., schema: ...) across 24 files (37 call sites) - C9: InspectionController now fetches inspection from OR by UUID, passes to InspectionService for processing, and saves back — no more silent no-persist; adds 'inspection_schema' config key - C6: StufController XML parsing adds LIBXML_NONET (blocks XXE network fetch); 2 MB body limit against XML bomb; structured log args (no injection) - H3: Remove _multitenancy: false from searchObjectsPaginated in ZgwService — OR tenant isolation now applies to ZGW list endpoints - H4: Remove preg_replace JSON auto-fix in getRequestBody; malformed JSON is rejected rather than silently mangled through a regex transform - H5: ZgwDrcRulesService.searchDuplicateRelation catch block changed from return false (allow-on-error) to return true (block-on-error / fail-closed) - H7: CaseSharingService.recordFailedAttempt no longer resets failedAttempts to 0 on lockout — counter now only resets on successful auth (fixes brute-force window bypass) - L3: AcController.validateClientIdUniqueness enforces max 100 clientIds per applicatie to prevent DoS via oversized arrays
This was referenced May 27, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Security fixes
Closes #639 (C6 — StUF XML/XXE)
Closes #640 (C7 — ObjectService findObject drift)
Closes #642 (C9 — InspectionService no-persist)
Closes #645 (H3 — multitenancy fail-open)
Closes #646 (H4 — JSON auto-fix regex)
Closes #647 (H5 — DRC uniqueness check fail-open)
Closes #648 (H7 — share token lockout bypass)
Closes #654 (L3 — clientIds DoS)
Changes
C7 — OR API drift (37 call sites, 24 files)
All findObject/getObject-3-arg calls replaced with find(id, register:..., schema:...) across controllers, services, listeners, and MCP provider.
C9 — InspectionController persistence
captureLocation, addPhoto, and complete now fetch from OR by UUID, process, and save back. Adds inspection_schema config key.
C6 — StUF XXE / DoS
XML parsing uses LIBXML_NONET; 2 MB body limit; structured log args.
H3 — multitenancy fail-open
Removed _multitenancy: false from searchObjectsPaginated — OR tenant isolation now applies to ZGW list endpoints.
H4 — JSON auto-fix regex
Removed preg_replace JSON repair in getRequestBody; malformed JSON is rejected rather than silently mangled.
H5 — DRC uniqueness check fail-open
searchDuplicateRelation catch block changed from return false to return true (fail-closed for uniqueness constraint).
H7 — share token lockout bypass
recordFailedAttempt no longer resets failedAttempts to 0 on lockout; counter resets only on successful auth.
L3 — clientIds DoS
validateClientIdUniqueness rejects requests with more than 100 clientIds with HTTP 400.
Tests
All 158 existing unit tests pass.