github-advanced-security[bot] commented on code in PR #2479:
URL: https://github.com/apache/groovy/pull/2479#discussion_r3114917831
##########
subprojects/groovy-groovydoc/src/main/java/org/apache/groovy/antlr/GroovydocVisitor.java:
##########
@@ -190,23 +235,281 @@
return result;
}
+ /**
+ * GROOVY-8877: extract the first Javadoc-style comment block
+ * ({@code /** ... *}{@code /}) from the top of the source file, skipping
+ * line comments, plain block comments, whitespace, {@code package}
+ * declarations, and {@code import} declarations.
+ *
+ * <p>Lifting policy, by what follows the candidate comment:
+ * <ul>
+ * <li><b>package / import / another comment / end of file</b> — lift.
+ * These are unambiguous; the comment cannot belong to a following
+ * member because there isn't one.</li>
+ * <li><b>an annotation ({@code @Xxx})</b> — lift only if no member
+ * of the script class already owns the same comment content. This
+ * covers the {@code @BaseScript} / {@code @Grab} pattern where the
+ * annotated declaration is consumed by an AST transform and no
+ * member survives to carry the doc, while still avoiding duplication
+ * for cases like {@code @Override void foo()} where the parser
+ * attached the comment to a real method.</li>
+ * <li><b>anything else</b> (e.g. {@code def x = 42} which could be a
+ * local variable or a field/property, or a bare declaration) —
+ * don't lift. Groovy's script form makes it unreliable to tell
+ * these apart without full parsing, so we err toward preserving
+ * what the parser decided.</li>
+ * </ul>
+ *
+ * <p>Script authors who want a script-level doc should follow the
+ * convention of separating it with a package/import/comment or putting
+ * another Javadoc comment before the next member.
+ */
+ private String extractLeadingScriptDocContent(ClassNode scriptNode) {
+ String src;
+ try (Reader r = unit.getSource().getReader()) {
+ StringBuilder sb = new StringBuilder();
+ char[] buf = new char[8192];
+ int n;
+ while ((n = r.read(buf)) > 0) sb.append(buf, 0, n);
+ src = sb.toString();
+ } catch (IOException e) {
+ return "";
+ }
+ int i = 0, n = src.length();
+ while (i < n) {
+ char c = src.charAt(i);
+ if (Character.isWhitespace(c)) { i++; continue; }
+ if (c == '/' && i + 1 < n) {
+ char next = src.charAt(i + 1);
+ if (next == '/') {
+ int eol = src.indexOf('\n', i);
+ i = eol < 0 ? n : eol + 1;
+ continue;
+ }
+ if (next == '*') {
+ boolean isJavadoc = i + 2 < n && src.charAt(i + 2) == '*'
+ && (i + 3 >= n || src.charAt(i + 3) != '/');
+ int close = src.indexOf("*/", i + 2);
+ if (close < 0) return "";
+ if (isJavadoc) {
+ String full = src.substring(i, close + 2);
+ Matcher m = JAVADOC_COMMENT_PATTERN.matcher(full);
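Review bot: The CodeQL finding at the `JAVADOC_COMMENT_PATTERN.matcher(full)` line is real but bounded: `full` is cut at the first `*/` found by `src.indexOf("*/", i + 2)`, so the regex only ever sees one comment's worth of text, and a source file can make it slow only in proportion to the length of that single leading comment. Since the scanner has already established that `full` starts with `/**` and ends with `*/`, consider dropping the regex here and taking `full.substring(3, full.length() - 2)` (then trimming the leading `*` of each line), which removes the polynomial-backtracking surface altogether; if the pattern must stay, its definition is not in this hunk and should be checked for nested or overlapping quantifiers. Separately, the `catch (IOException e) { return ""; }` branch silently turns a read failure into "no script doc"; at minimum a debug-level log of the exception would help diagnose missing Groovydoc output.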
Review Comment:
## CodeQL / Polynomial regular expression used on uncontrolled data
This [regular expression](1) that depends on a [user-provided value](2) may
run slow on strings starting with '/**' and with many repetitions of '/**a'.
[Show more details](https://github.com/apache/groovy/security/code-scanning/233)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]