Description
Hi,
We have detected that your project of the newest version may have the Uncontrolled Resource Consumption vulnerability in the function scanPI in the file src/org/cyberneko/html/HTMLScanner.java.
This function includes several functions related to parsing HTML/XML, such as scanPI, scanEntityRef, and scanAttribute. These functions process input from a stream (fCurrentEntity) and build strings using StringBuffer. The main concern for CWE-400 is uncontrolled resource consumption through memory allocation or infinite loops. The functions use loops to read characters until specific delimiters are found (e.g., ';', '>', or quotes), but they include checks for end-of-file (-1) and rewind mechanisms to prevent infinite loops. However, the functions do not impose explicit limits on the size of the input being processed (e.g., the length of attribute values or entity references). For instance, scanEntityRef appends characters to a buffer without a size cap, which could lead to excessive memory allocation if a malicious input provides a very long entity reference without a semicolon. Similarly, scanAttribute processes attribute values in loops without size constraints. While there are no obvious infinite loops due to the EOF checks, the lack of bounds on string growth could result in memory exhaustion when processing large inputs, aligning with CWE-400 patterns like unrestricted data processing.
Could you help check whether this bug is real? If it is, I'd like to open a PR for it if necessary. Thank you for your effort and patience!
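To illustrate the mitigation the report points at, here is an added, constructed model of an entity-reference scan with an explicit size cap. It is not CyberNeko's code and does not use its `fCurrentEntity` API; the cap value, class name and use of `PushbackReader` for the rewind are assumptions made for the example.

```java
import java.io.IOException;
import java.io.PushbackReader;
import java.io.StringReader;

/** Constructed model of a bounded entity-reference scan (not the project's own code). */
public final class BoundedEntityScan {
    /** Assumed cap; real named and numeric HTML entity references are far shorter than this. */
    static final int MAX_ENTITY_LENGTH = 64;

    /**
     * Reads the characters after '&' up to ';'. Returns the entity name, or null when EOF
     * or the cap is reached first. In both failure cases the consumed characters are pushed
     * back so the caller can treat the '&' as literal text, mirroring a rewind, while the
     * buffer never grows past MAX_ENTITY_LENGTH regardless of input size.
     */
    static String scanEntityRef(PushbackReader in) throws IOException {
        StringBuilder buf = new StringBuilder();
        while (true) {
            int c = in.read();
            if (c == -1) {                       // EOF: no terminator, rewind and give up
                rewind(in, buf);
                return null;
            }
            if (c == ';') {                      // terminator found
                return buf.toString();
            }
            if (buf.length() >= MAX_ENTITY_LENGTH) {  // cap reached: stop growing the buffer
                in.unread(c);
                rewind(in, buf);
                return null;
            }
            buf.append((char) c);
        }
    }

    /** Pushes the buffered characters back in reverse so they are re-read in original order. */
    private static void rewind(PushbackReader in, StringBuilder buf) throws IOException {
        for (int i = buf.length() - 1; i >= 0; i--) in.unread(buf.charAt(i));
    }

    static PushbackReader reader(String s) {
        return new PushbackReader(new StringReader(s), MAX_ENTITY_LENGTH + 1);
    }

    public static void main(String[] args) throws IOException {
        System.out.println(scanEntityRef(reader("amp;")));            // constructed input: amp
        String hostile = "a".repeat(1_000_000);                        // constructed: no ';' at all
        System.out.println(scanEntityRef(reader(hostile)));           // null, buffer capped at 64
        PushbackReader r = reader("lt; tail");
        System.out.println(scanEntityRef(r) + " / next=" + (char) r.read()); // lt / next=' '
    }
}
```

Without the cap check the same loop would copy the whole million-character input into the buffer before discovering there is no terminator.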