support maxEntityCount

Author: amitguptagwl

docs/v4/5.Entities.md

@@ -60,6 +60,7 @@ const parser = new XMLParser({
     maxEntitySize: 10000,       // Max 10KB per entity definition
     maxTotalExpansions: 1000,   // Max 1000 entity replacements total
     maxExpandedLength: 100000   // Max 100KB total expanded content
+    maxEntityCount: 100         // Max 100 entities allowed
   }
 });
 ```
@@ -90,6 +91,7 @@ FXP includes multiple defense layers against entity expansion attacks:
 2. **Expansion Count Limit:** Prevents too many entity replacements
 3. **Total Size Limit:** Prevents output from growing too large
 4. **Parameter Entity Blocking:** Entities containing `&` are automatically ignored
+5. **Entity Count Limit:** Prevents too many entities from being defined
 
 These protections defend against:
 - Billion Laughs attack (exponential entity expansion)

lib/fxp.d.cts

@@ -34,6 +34,13 @@ type ProcessEntitiesOptions = {
    */
   maxExpandedLength?: number;
 
+  /**
+   * Maximum number of entities allowed in the XML
+   * 
+   * Defaults to `100`
+   */
+  maxEntityCount?: number;
+
   /**
    * Array of tag names where entity replacement is allowed.
    * If null, entities are replaced in all tags.

src/fxp.d.ts

@@ -34,6 +34,13 @@ export type ProcessEntitiesOptions = {
    */
   maxExpandedLength?: number;
 
+  /**
+   * Maximum number of entities allowed in the XML
+   * 
+   * Defaults to `100`
+   */
+  maxEntityCount?: number;
+
   /**
    * Array of tag names where entity replacement is allowed.
    * If null, entities are replaced in all tags.

src/xmlparser/DocTypeReader.js

@@ -7,8 +7,9 @@ export default class DocTypeReader {
     }
 
     readDocType(xmlData, i) {
-
         const entities = Object.create(null);
+        let entityCount = 0;
+
         if (xmlData[i + 3] === 'O' &&
             xmlData[i + 4] === 'C' &&
             xmlData[i + 5] === 'T' &&
@@ -26,11 +27,19 @@ export default class DocTypeReader {
                         let entityName, val;
                         [entityName, val, i] = this.readEntityExp(xmlData, i + 1, this.suppressValidationErr);
                         if (val.indexOf("&") === -1) { //Parameter entities are not supported
+                            if (this.options.enabled !== false &&
+                                this.options.maxEntityCount &&
+                                entityCount >= this.options.maxEntityCount) {
+                                throw new Error(
+                                    `Entity count (${entityCount + 1}) exceeds maximum allowed (${this.options.maxEntityCount})`
+                                );
+                            }
                             const escaped = entityName.replace(/[.\-+*:]/g, '\\.');
                             entities[entityName] = {
                                 regx: RegExp(`&${escaped};`, "g"),
                                 val: val
                             };
+                            entityCount++;
                         }
                     }
                     else if (hasBody && hasSeq(xmlData, "!ELEMENT", i)) {

src/xmlparser/OptionsBuilder.js

@@ -56,6 +56,7 @@ function normalizeProcessEntities(value) {
       maxExpansionDepth: 10,
       maxTotalExpansions: 1000,
       maxExpandedLength: 100000,
+      maxEntityCount: 100,
       allowedTags: null,
       tagFilter: null
     };
@@ -69,6 +70,7 @@ function normalizeProcessEntities(value) {
       maxExpansionDepth: value.maxExpansionDepth ?? 10,
       maxTotalExpansions: value.maxTotalExpansions ?? 1000,
       maxExpandedLength: value.maxExpandedLength ?? 100000,
+      maxEntityCount: value.maxEntityCount ?? 100,
       allowedTags: value.allowedTags ?? null,
       tagFilter: value.tagFilter ?? null
     };