Summary
traceSymbol in both JavaDetectionEngine and PythonDetectionEngine follows variable initializer chains recursively but has no cycle detection. A self-referential or mutually recursive assignment (e.g. x = x) would cause a StackOverflowError at analysis time.
Steps to reproduce
// hypothetical pathological input
SomeType x = x; // self-referential
Expected behavior
Detection gracefully stops at the cycle and returns the last seen symbol.
Suggested fix
Track visited symbols in a Set and return early if a symbol has already been seen during the current trace.
private Symbol traceSymbol(Symbol symbol, Set<Symbol> visited) {
    if (!visited.add(symbol)) return symbol;
    // ... existing logic
}
Context
Identified during review of PR #390. The fix for intermediary variable detection intentionally left this out to keep the scope minimal. Tracked here as a follow-up.
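The suggested visited-set guard, as an added stand-alone example (not the project's code). It assumes a toy model in which symbols are plain `String` names and a hypothetical `initializers` map stands in for the engine's symbol resolution; the inputs in `main` are constructed.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Added illustration: a toy symbol table, not the project's Symbol type.
public class TraceSymbolCycleDemo {

    // Hypothetical model: variable name -> name its initializer refers to.
    // A name with no entry is terminal (e.g. a literal or constructor call).
    private final Map<String, String> initializers = new HashMap<>();

    void assign(String variable, String initializer) {
        initializers.put(variable, initializer);
    }

    // Entry point: every trace starts with a fresh visited set.
    String traceSymbol(String symbol) {
        return traceSymbol(symbol, new HashSet<>());
    }

    private String traceSymbol(String symbol, Set<String> visited) {
        // Set.add returns false if the symbol was already seen in this trace,
        // which means the initializer chain has looped back on itself.
        if (!visited.add(symbol)) {
            return symbol;
        }
        String next = initializers.get(symbol);
        if (next == null) {
            return symbol; // end of the chain, nothing further to follow
        }
        return traceSymbol(next, visited);
    }

    public static void main(String[] args) {
        TraceSymbolCycleDemo engine = new TraceSymbolCycleDemo();
        engine.assign("c", "b");   // ordinary chain: c -> b -> a
        engine.assign("b", "a");
        engine.assign("x", "x");   // self-referential: x = x
        engine.assign("p", "q");   // mutually recursive: p = q, q = p
        engine.assign("q", "p");

        // Without the visited check, the last two traces recurse until
        // StackOverflowError; with it, each one terminates.
        for (String start : new String[] {"c", "x", "p"}) {
            System.out.println(start + " -> " + engine.traceSymbol(start));
        }
    }
}
```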