From 1edcb3c746ae1d24a0d9aea1c59abd038b6b74a7 Mon Sep 17 00:00:00 2001
From: Spencer Schrock
Date: Mon, 13 Mar 2023 17:37:02 -0700
Subject: [PATCH] fix: avoid infinite loops parsing Maven poms with syntax errors (#294)

Resolves #293

Signed-off-by: Spencer Schrock
---
 pkg/lockfile/fixtures/maven/invalid-syntax.xml | 13 +++++++++++++
 pkg/lockfile/parse-maven-lock.go | 5 ++++-
 pkg/lockfile/parse-maven-lock_test.go | 9 +++++++++
 3 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 pkg/lockfile/fixtures/maven/invalid-syntax.xml

diff --git a/pkg/lockfile/fixtures/maven/invalid-syntax.xml b/pkg/lockfile/fixtures/maven/invalid-syntax.xml
new file mode 100644
index 0000000000..761a32c1ab
--- /dev/null
+++ b/pkg/lockfile/fixtures/maven/invalid-syntax.xml
@@ -0,0 +1,13 @@
+
+
+<${Id}.version>${project.version}
+
+
+
+
+io.netty
+netty-all
+4.1.42.Final
+
+
+
diff --git a/pkg/lockfile/parse-maven-lock.go b/pkg/lockfile/parse-maven-lock.go
index e24846a37a..acb402f0f7 100644
--- a/pkg/lockfile/parse-maven-lock.go
+++ b/pkg/lockfile/parse-maven-lock.go
@@ -76,7 +76,10 @@ func (p *MavenLockProperties) UnmarshalXML(d *xml.Decoder, start xml.StartElemen
 	p.m = map[string]string{}
 
 	for {
-		t, _ := d.Token()
+		t, err := d.Token()
+		if err != nil {
+			return err
+		}
 
 		switch tt := t.(type) {
 		case xml.StartElement:
diff --git a/pkg/lockfile/parse-maven-lock_test.go b/pkg/lockfile/parse-maven-lock_test.go
index 718c05f181..81d83ea0d0 100644
--- a/pkg/lockfile/parse-maven-lock_test.go
+++ b/pkg/lockfile/parse-maven-lock_test.go
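Review bot: The new `if err != nil { return err }` after `d.Token()` is the entire fix for the unbounded spin on malformed input, yet nothing in the code records why a token error must terminate the loop, so a later "best effort" cleanup could quietly reintroduce the same denial-of-service on an attacker-supplied pom. I would put a why-comment on the check: `// Token returns (nil, err) on malformed XML; ignoring err left t nil on every iteration and the EndElement exit was never reached (#293).` As far as I can tell a clean io.EOF cannot surface here, because the decoder reports end-of-input inside the still-open parent element as a syntax error rather than EOF, so returning err unwrapped is correct; if `fmt` is already imported in this file, `return fmt.Errorf("parsing %s: %w", start.Name.Local, err)` would still satisfy the substring assertion in the new test and tell the user which pom section failed. The rest of UnmarshalXML, including its other switch cases and the loop's closing brace, lies outside the hunk.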
@@ -23,6 +23,15 @@ func TestParseMavenLock_Invalid(t *testing.T) {
 	expectPackages(t, packages, []lockfile.PackageDetails{})
 }
 
+func TestParseMavenLock_InvalidSyntax(t *testing.T) {
+	t.Parallel()
+
+	packages, err := lockfile.ParseMavenLock("fixtures/maven/invalid-syntax.xml")
+
+	expectErrContaining(t, err, "XML syntax error")
+	expectPackages(t, packages, []lockfile.PackageDetails{})
+}
+
 func TestParseMavenLock_NoPackages(t *testing.T) {
 	t.Parallel()