Problem

The ENCODING_PATTERN regex in XmlReader.java was vulnerable to ReDoS (Regular Expression Denial of Service) attacks due to catastrophic backtracking. The pattern used a greedy quantifier (.*) that could cause exponential time complexity when processing malicious XML input:

Pattern.compile("<\\?xml.*encoding[\\s]*=[\\s]*((?:\".[^\"]*\")|(?:'.[^']*'))", Pattern.MULTILINE);

When the regex engine encounters XML with many characters between <?xml and encoding, it tries all possible combinations of .* matches, leading to polynomial time complexity and potential CPU exhaustion.

Solution

Changed the greedy quantifier to non-greedy (.*?) to prevent catastrophic backtracking:

Pattern.compile("<\\?xml.*?encoding[\\s]*=[\\s]*((?:\".[^\"]*\")|(?:'.[^']*'))", Pattern.MULTILINE);

The non-greedy quantifier matches the minimum number of characters needed, eliminating the exponential backtracking behavior while maintaining identical functional behavior.

Changes

• XmlReader.java: Changed .* to .*? in ENCODING_PATTERN (line 600)
• XmlStreamReaderTest.java: Added encodingPatternWithManyAttributes() test to validate the fix handles edge cases with multiple attributes and whitespace variations

Impact

• Fixes security vulnerability identified in code scanning alert
• No functional changes - all existing tests pass
• XmlStreamWriter.java automatically benefits as it references XmlReader.ENCODING_PATTERN
• Prevents potential DoS attacks via crafted XML input

Testing

• ✅ All 217 tests pass (216 existing + 1 new)
• ✅ Code formatting passes spotless check
• ✅ Full Maven build and verification succeeds
• ✅ New test validates various edge cases including multiple attributes and whitespace variations

Resolves the code scanning alert for polynomial regular expression used on uncontrolled data.

Fixes #50

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.