Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

fix(security+nc34): symfony CVEs, \OC::$server accessors, array-shape bug#317

Merged
rubenvdlinde merged 1 commit into
developmentfrom
fix/quality-findings
May 26, 2026
Merged

fix(security+nc34): symfony CVEs, \OC::$server accessors, array-shape bug#317
rubenvdlinde merged 1 commit into
developmentfrom
fix/quality-findings

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

Summary

This PR resolves three categories of code-quality and security findings from the fleet quality sweep:

1. Symfony CVEs (security) — 4 advisories fixed

  • CVE-2026-45068 (symfony/mailer): Argument Injection via Sendmail dash-prefixed recipient
  • CVE-2026-45754 (symfony/mailjet-mailer): Unauthenticated webhook event injection
  • CVE-2026-45070 (symfony/mime): Email header injection via non-token characters
  • CVE-2026-45067 (symfony/mime): CRLF injection via Symfony\Component\Mime\Address
  • Bumped symfony/mailer → 6.4.40, symfony/mime → 7.4.12, symfony/mailjet-mailer → 6.4.40 via composer update --with-all-dependencies. composer audit returns clean.

2. NC34 legacy \OC::$server->get*() accessors replaced (15 calls → constructor-injected interfaces)

  • SoftwareCatalogueService: injected IUserSession, IUserManager, IGroupManager (replaced getUserSession() ×1, getUserManager() ×2, getGroupManager() ×2)
  • SettingsService: injected IGroupManager (replaced getGroupManager() ×3); also fixed two $group !== false checks that should be !== null (now that IGroupManager::createGroup() is properly typed)
  • HierarchyHandler: injected IUserManager, IGroupManager (replaced getUserManager() ×2, getGroupManager() ×1)
  • ContactPersonHandler: replaced \OC::$server->getConfig()->setUserValue() and getUserValue() with the already-injected IConfig $config (×2)
  • ArchiMateImportService: injected IDBConnection (replaced getDatabaseConnection() ×1)
  • Application.php: updated all explicit DI registrations to pass the new constructor params

3. PHPStan array-shape bug in OrganizationSyncService

  • lib/Service/OrganizationSyncService.php:2585-2586: added /** @var array<string, mixed> */ annotation on $contactEntityObject so PHPStan no longer narrows the type to array{username: string} after the ['username'] assignment, fixing the two "offset 'organisatie' does not exist" errors.

Test plan

  • composer audit returns no advisories
  • php -l on all edited files — no syntax errors
  • vendor/bin/phpstan analyse — the 2 OrganizationSyncService errors gone; no new errors introduced (SoftwareCatalogAdmin unused-property pre-exists)
  • Deploy to test environment and run a contactpersoon create/update flow to verify DI wiring is correct

…ved \OC::\$server accessors, fix OrganizationSyncService array shape
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant