test(transformer): guard the maxEntityCount entity-expansion cap (#239) #242
Merged
Conversation
createUslmParser sets processEntities.maxEntityCount=128 to bound DTD internal entities (billion-laughs / entity-expansion DoS) on untrusted XML, but the control had no test, so a refactor could silently raise or drop it. Add a test that defines 130 entities (above the cap) and asserts parseUslmXml rejects it, plus a sanity case that an ordinary document still parses. The payload is tiny, so if the cap were removed the document would parse under fast-xml-parser's default (1000) and this test would fail — catching the regression without OOM. Verified the guard by transiently raising the cap to 100000 (test fails) and reverting. Closes #239 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Summary

createUslmParser configures fast-xml-parser with processEntities: { maxEntityCount: 128 } to bound DTD internal-entity definitions (billion-laughs / entity-expansion DoS) on untrusted upstream XML — but that control had no test, so a future refactor of the parser options could silently raise or remove it.

Test

Adds entity-expansion.test.ts:
- A document defining 130 internal entities (above the 128 cap): parseUslmXml returns err.
- An ordinary <uscDoc> still parses (ok), so the cap doesn't reject legitimate input.

The payload is tiny (130 short definitions), so if the cap were ever removed the document would parse under fast-xml-parser's default (maxEntityCount: 1000) and the bomb test would fail — catching the regression with no OOM risk.

Verification

Transiently raising the cap to 100000 makes the bomb test fail; reverted.

Test-only change. Closes #239
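The guard this PR pins down, shown as a self-contained example rather than through fast-xml-parser. This is added illustration code, not the project's test and not fast-xml-parser's implementation: createUslmParser, parseUslmXml and maxEntityCount are names from the PR above, while guardedEntities, buildFlatEntityPayload, buildNestedEntityPayload, GuardOptions and the maxExpandedLength option are invented here. The flat payload generator produces exactly the shape the PR's regression test relies on (many definitions, no nesting, so it is refused by a count cap at zero memory cost). The nested generator and the byte budget go beyond what the page describes: a definition-count cap bounds how many entities a document may declare, but on its own it does not bound how large a single nested entity expands to, so the example also caps expanded size.

```typescript
// Added example (not the project's code and not fast-xml-parser's): a standalone
// guard that does what a maxEntityCount cap has to do on untrusted XML, plus the
// two payload generators a regression test would use. createUslmParser /
// parseUslmXml / maxEntityCount are names from the PR; every other name here is
// invented for this example.

export const DEFAULT_MAX_ENTITY_COUNT = 1000; // fast-xml-parser default, per the PR
export const HARDENED_MAX_ENTITY_COUNT = 128; // cap set by createUslmParser, per the PR

export interface GuardOptions {
  maxEntityCount: number;    // cap on <!ENTITY ...> declarations in the internal subset
  maxExpandedLength: number; // cap on the fully expanded value of any single entity (added here)
}

export type GuardResult =
  | { ok: true; entities: { [name: string]: string } }
  | { ok: false; reason: string };

/** The PR's tiny bomb: n short, non-nested internal entities. Parses under a
 *  1000 cap, is refused under 128, and never costs real memory either way. */
export function buildFlatEntityPayload(n: number, root = 'uscDoc'): string {
  const decls = Array.from({ length: n }, (_, i) => '<!ENTITY e' + i + ' "x">');
  return '<?xml version="1.0"?>\n<!DOCTYPE ' + root + ' [\n' + decls.join('\n') +
    '\n]>\n<' + root + '>&e0;</' + root + '>\n';
}

/** Classic billion laughs: depth+1 definitions, each referencing the previous
 *  one `fanout` times, so the top entity expands to 3 * fanout^depth bytes. */
export function buildNestedEntityPayload(depth: number, fanout: number, root = 'uscDoc'): string {
  const decls = ['<!ENTITY lol0 "lol">'];
  for (let i = 1; i <= depth; i++) {
    decls.push('<!ENTITY lol' + i + ' "' + ('&lol' + (i - 1) + ';').repeat(fanout) + '">');
  }
  return '<?xml version="1.0"?>\n<!DOCTYPE ' + root + ' [\n' + decls.join('\n') +
    '\n]>\n<' + root + '>&lol' + depth + ';</' + root + '>\n';
}

/** Text between '[' and ']' of the DOCTYPE internal subset, or null if there is
 *  none. Quote-aware, so a ']' inside an entity value does not end the subset. */
function internalSubset(xml: string): string | null {
  const start = xml.indexOf('<!DOCTYPE');
  if (start < 0) return null;
  let quote: string | null = null;
  let open = -1;
  for (let i = start; i < xml.length; i++) {
    const c = xml[i];
    if (quote !== null) { if (c === quote) quote = null; continue; }
    if (c === '"' || c === "'") { quote = c; continue; }
    if (open < 0) {
      if (c === '[') open = i + 1;
      else if (c === '>') return null; // <!DOCTYPE x SYSTEM "..."> with no internal subset
    } else if (c === ']') {
      return xml.slice(open, i);
    }
  }
  return null; // unterminated DOCTYPE; treated as "no entities", the XML parser rejects it
}

export function guardedEntities(xml: string, opts: GuardOptions): GuardResult {
  const subset = internalSubset(xml);
  if (subset === null) return { ok: true, entities: {} };

  // 1. Count declarations before touching any value: O(n) in the input size and
  //    independent of what the values contain. This is the maxEntityCount check.
  const declCount = (subset.match(/<!ENTITY\b/g) || []).length;
  if (declCount > opts.maxEntityCount) {
    return { ok: false, reason: declCount + ' entity declarations exceed cap ' + opts.maxEntityCount };
  }

  // 2. Collect internal general entities. Parameter (%) and external
  //    (SYSTEM/PUBLIC) entities are refused outright; untrusted input never needs them.
  const raw = new Map<string, string>();
  const decl = /<!ENTITY\s+(%\s*)?([^\s"'>]+)\s+(?:"([^"]*)"|'([^']*)'|(SYSTEM|PUBLIC)[^>]*)>/g;
  let m: RegExpExecArray | null;
  while ((m = decl.exec(subset)) !== null) {
    if (m[1] || m[5]) return { ok: false, reason: 'unsupported entity declaration: ' + m[2] };
    if (!raw.has(m[2])) raw.set(m[2], m[3] !== undefined ? m[3] : m[4] || ''); // XML keeps the first binding
  }

  // 3. Expand under a byte budget. A definition-count cap alone does not bound
  //    output size: 10 nested definitions with fanout 10 expand to 3*10^10 bytes.
  const expanded = new Map<string, string>();
  const expand = (name: string, stack: string[]): string | null => {
    const done = expanded.get(name);
    if (done !== undefined) return done;
    if (stack.indexOf(name) >= 0) return null; // recursive reference; XML forbids it
    const value = raw.get(name) as string;
    const ref = /&([^;&\s]+);/g;
    let out = '';
    let last = 0;
    let r: RegExpExecArray | null;
    while ((r = ref.exec(value)) !== null) {
      out += value.slice(last, r.index);
      last = ref.lastIndex;
      if (raw.has(r[1])) {
        const sub = expand(r[1], stack.concat(name));
        if (sub === null) return null;
        out += sub;
      } else {
        out += r[0]; // &amp;, &#65; and friends are left for the XML parser
      }
      if (out.length > opts.maxExpandedLength) return null; // stop before the blow-up materialises
    }
    out += value.slice(last);
    if (out.length > opts.maxExpandedLength) return null;
    expanded.set(name, out);
    return out;
  };
  const entities: { [name: string]: string } = {};
  for (const name of Array.from(raw.keys())) {
    const v = expand(name, []);
    if (v === null) {
      return { ok: false, reason: 'entity ' + name + ' is recursive or exceeds ' + opts.maxExpandedLength + ' bytes' };
    }
    entities[name] = v;
  }
  return { ok: true, entities };
}
```

The count check runs before any value is examined, which is what makes the PR's regression strategy safe: a 130-definition document is refused at the 128 cap and accepted at the 1000 default without ever allocating anything large, so a test can exercise both sides of the cap in the same run. The byte budget in step 3 is the check to add if the parser in use expands nested references, since a handful of definitions under any count cap can still reference each other into gigabytes.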