fix: avoid infinite loops parsing Maven poms with syntax errors (#188)

G-Rath · web-flow · commit c988b2969d60 · 2023-04-28T08:06:28.000+12:00
diff --git a/pkg/lockfile/fixtures/maven/invalid-syntax.xml b/pkg/lockfile/fixtures/maven/invalid-syntax.xml
@@ -0,0 +1,13 @@
+<project>
+  <properties>
+    <${Id}.version>${project.version}</${Id}.version>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-all</artifactId>
+      <version>4.1.42.Final</version>
+    </dependency>
+  </dependencies>
+</project>
diff --git a/pkg/lockfile/parse-maven-lock.go b/pkg/lockfile/parse-maven-lock.go
@@ -72,7 +72,11 @@ func (p *MavenLockProperties) UnmarshalXML(d *xml.Decoder, start xml.StartElemen
 	p.m = map[string]string{}
 
 	for {
-		t, _ := d.Token()
+		t, err := d.Token()
+
+		if err != nil {
+			return fmt.Errorf("%w", err)
+		}
 
 		switch tt := t.(type) {
 		case xml.StartElement:
diff --git a/pkg/lockfile/parse-maven-lock_test.go b/pkg/lockfile/parse-maven-lock_test.go
@@ -23,6 +23,15 @@ func TestParseMavenLock_Invalid(t *testing.T) {
 	expectPackages(t, packages, []lockfile.PackageDetails{})
 }
 
+func TestParseMavenLock_InvalidSyntax(t *testing.T) {
+	t.Parallel()
+
+	packages, err := lockfile.ParseMavenLock("fixtures/maven/invalid-syntax.xml")
+
+	expectErrContaining(t, err, "XML syntax error")
+	expectPackages(t, packages, []lockfile.PackageDetails{})
+}
+
 func TestParseMavenLock_NoPackages(t *testing.T) {
 	t.Parallel()
 
