From c988b2969d604c8ec303abe8878704abf633d8a5 Mon Sep 17 00:00:00 2001
From: Gareth Jones
Date: Fri, 28 Apr 2023 08:06:28 +1200
Subject: [PATCH] fix: avoid infinite loops parsing Maven poms with syntax errors (#188)

---
 pkg/lockfile/fixtures/maven/invalid-syntax.xml | 13 +++++++++++++
 pkg/lockfile/parse-maven-lock.go | 6 +++++-
 pkg/lockfile/parse-maven-lock_test.go | 9 +++++++++
 3 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 pkg/lockfile/fixtures/maven/invalid-syntax.xml

diff --git a/pkg/lockfile/fixtures/maven/invalid-syntax.xml b/pkg/lockfile/fixtures/maven/invalid-syntax.xml
new file mode 100644
index 00000000..761a32c1
--- /dev/null
+++ b/pkg/lockfile/fixtures/maven/invalid-syntax.xml
@@ -0,0 +1,13 @@
+
+
+ <${Id}.version>${project.version}
+
+
+
+
+ io.netty
+ netty-all
+ 4.1.42.Final
+
+
+
diff --git a/pkg/lockfile/parse-maven-lock.go b/pkg/lockfile/parse-maven-lock.go
index 49abe841..5c23f3b9 100644
--- a/pkg/lockfile/parse-maven-lock.go
+++ b/pkg/lockfile/parse-maven-lock.go
@@ -72,7 +72,11 @@ func (p *MavenLockProperties) UnmarshalXML(d *xml.Decoder, start xml.StartElemen
 p.m = map[string]string{}
 
 for {
- t, _ := d.Token()
+ t, err := d.Token()
+
+ if err != nil {
+ return fmt.Errorf("%w", err)
+ }
 
 switch tt := t.(type) {
 case xml.StartElement:
diff --git a/pkg/lockfile/parse-maven-lock_test.go b/pkg/lockfile/parse-maven-lock_test.go
index c6d16f7c..3490916f 100644
--- a/pkg/lockfile/parse-maven-lock_test.go
+++ b/pkg/lockfile/parse-maven-lock_test.go
@@ -23,6 +23,15 @@ func TestParseMavenLock_Invalid(t *testing.T) {
 expectPackages(t, packages, []lockfile.PackageDetails{})
 }
 
+func TestParseMavenLock_InvalidSyntax(t *testing.T) {
+ t.Parallel()
+
+ packages, err := lockfile.ParseMavenLock("fixtures/maven/invalid-syntax.xml")
+
+ expectErrContaining(t, err, "XML syntax error")
+ expectPackages(t, packages, []lockfile.PackageDetails{})
+}
+
 func TestParseMavenLock_NoPackages(t *testing.T) {
 t.Parallel()
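Review bot: `return fmt.Errorf("%w", err)` in the new error branch wraps the decoder error without adding any context, so callers receive exactly the message they would get from `return err`; either return it directly or name the stage, e.g. `return fmt.Errorf("reading maven properties: %w", err)`. The check itself is the right fix: with the error discarded, a malformed pom made `d.Token()` hand back a nil token plus the same error on every iteration and the loop never exited, which is a resource-exhaustion exposure for a tool that parses lockfiles it did not author. If the decoder reports end of input before the closing tag that is now also treated as a failure, which appears to be the intended behaviour; a one-line comment such as `// any decoder error, including a premature end of input, aborts the parse` would make that explicit. The signature of UnmarshalXML is only visible in the hunk header and its body continues past the hunk.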
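Review bot: TestParseMavenLock_InvalidSyntax pins the failure to the substring "XML syntax error", which is the message of `*xml.SyntaxError` and is owned by encoding/xml rather than by this package, so the test is coupled to stdlib wording. Checking the type instead would be more robust and would also prove that the `%w` wrap in parse-maven-lock.go keeps the underlying error reachable, e.g. `var se *xml.SyntaxError` followed by `if !errors.As(err, &se) { t.Fatalf("expected *xml.SyntaxError, got %v", err) }` (this needs `errors` and `encoding/xml` imported in the test file, which the hunk does not show). The test otherwise covers the regression well, since it can only complete if the parser no longer loops on the fixture. TestParseMavenLock_NoPackages continues past the end of the hunk.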