From 4ae9720d0c0fcb213048be759e575721dac2ef43 Mon Sep 17 00:00:00 2001
From: Md_Mushfiqur Rahim <20mahin20201@gmail.com>
Date: Wed, 27 May 2026 08:09:58 +0000
Subject: [PATCH 1/2] fix(validator): prevent XML validator hang on recursive DTD entity expansion
The XML validator uses context.Background() when calling helium's DTD parser, which means a malicious or accidental XML file with recursive entity definitions will cause unbounded CPU usage and hang forever. Fix by wrapping the parse call in a 10-second context.WithTimeout so the parser aborts and returns a validation error instead of hanging.
---
 CHANGELOG.md | 1 +
 pkg/validator/xml.go | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9d0ac8ab..4a23d968 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -23,6 +23,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Fixed
+- XML validator no longer hangs on recursive DTD entity expansion (closes #503).
 - TOML files with duplicate keys are now rejected as invalid (closes #504).
 - Repeating the same `--reporter` type with different output paths now writes each requested output.
 - `--schema-map` now warns instead of silently skipping files whose validators do not support external schema validation.
diff --git a/pkg/validator/xml.go b/pkg/validator/xml.go
index 4fed0828..d03194c1 100644
--- a/pkg/validator/xml.go
+++ b/pkg/validator/xml.go
@@ -9,6 +9,7 @@ import (
 	"regexp"
 	"strconv"
 	"strings"
+	"time"
 	"github.com/lestrrat-go/helium"
 	"github.com/lestrrat-go/helium/xsd"
@@ -30,7 +31,8 @@ func (XMLValidator) ValidateXSD(b []byte, schemaPath string) (bool, error) {
 }
 func (XMLValidator) ValidateSyntax(b []byte) (bool, error) {
-	ctx := context.Background()
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
 	_, err := helium.NewParser().ValidateDTD(true).Parse(ctx, b)
 	if err != nil {
 		errMsg := err.Error()
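Review bot: The deadline added in ValidateSyntax only ends the hang if helium's Parse consults ctx between entity-expansion steps, which the hunk cannot show; if the parser checks ctx only on entry, the 10-second limit has no effect, so it is worth confirming against helium before closing #503. Even when it works, each such file still burns up to ten seconds of CPU per call, so the timeout is a backstop, and if helium exposes an entity expansion depth or size limit that would be the more direct control. The timeout error then flows into the `errMsg := err.Error()` string handling that continues outside the hunk, where a `context deadline exceeded` message is unlikely to match the existing patterns; consider checking it explicitly first, `if errors.Is(err, context.DeadlineExceeded) { return false, fmt.Errorf("xml: parse exceeded %s, possible recursive entity expansion", xmlParseTimeout) }` (requires `errors` and `fmt` to be imported, which this hunk does not show). Hoisting the literal into `const xmlParseTimeout = 10 * time.Second` with a comment naming the issue it guards against would also make the choice of ten seconds reviewable. ValidateSyntax's body continues past the end of the hunk.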
From debb6b49cb6993fa6d0390e12ddd01f4faa36d52 Mon Sep 17 00:00:00 2001
From: Md_Mushfiqur Rahim <20mahin20201@gmail.com>
Date: Thu, 28 May 2026 01:35:20 +0000
Subject: [PATCH 2/2] test(xml): add regression test for recursive DTD entity hang
---
 pkg/validator/validator_test.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/pkg/validator/validator_test.go b/pkg/validator/validator_test.go
index 4e3178c0..d169b7cd 100644
--- a/pkg/validator/validator_test.go
+++ b/pkg/validator/validator_test.go
@@ -1180,3 +1180,16 @@ func Test_JustfileValidateValid(t *testing.T) {
 	require.True(t, valid)
 	require.NoError(t, err)
 }
+
+func Test_XMLRecursiveEntityDoesNotHang(t *testing.T) {
+	t.Parallel()
+	recursive := []byte(`
+
+
+]>
+&a;`)
+	valid, err := XMLValidator{}.ValidateSyntax(recursive)
+	require.False(t, valid)
+	require.Error(t, err)
+}
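Review bot: The assertions `require.False(t, valid)` and `require.Error(t, err)` also pass when the parser rejects the input for an ordinary syntax reason, so the test does not establish that the timeout path was taken or that ValidateSyntax returned promptly. As rendered here the literal between `[]byte(\`` and `]>` holds two empty lines rather than DOCTYPE and ENTITY declarations, which may be an artifact of the patch rendering, but if the committed file looks like this the document is malformed before any expansion happens and the test guards nothing. Consider bounding the call, e.g. `start := time.Now()` before the call and `require.Less(t, time.Since(start), 15*time.Second)` after it, and asserting on the timeout-specific error text once ValidateSyntax emits one. Note that if the parser only stops at the deadline, this test costs about ten seconds per run even under `t.Parallel()`; a shorter timeout injectable from tests would keep the suite fast.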