From 278145348d45eed69120088d055a852d4d2a5a26 Mon Sep 17 00:00:00 2001
From: "Bisht, Shubham"
Date: Wed, 12 Nov 2025 15:03:14 +0530
Subject: [PATCH 1/3] fix: Replaced unbounded <.*?> pattern with safe <[^>]*> to prevent CodeQL security issue
---
 src/main/java/com/solidfire/core/client/ServiceBase.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/com/solidfire/core/client/ServiceBase.java b/src/main/java/com/solidfire/core/client/ServiceBase.java
index 2532e92d..c29ffd8a 100644
--- a/src/main/java/com/solidfire/core/client/ServiceBase.java
+++ b/src/main/java/com/solidfire/core/client/ServiceBase.java
@@ -212,7 +212,7 @@ protected TResult decodeResponse(String response, Class resul
 throw new ApiServerException("Not Found", "404", matcher.group(1));
 }
 // Removes the html tags from the response.
- response.replaceAll("<.*?>", "");
+ response.replaceAll("<[^>]*>", "");
 throw new ApiException(format("There was a problem parsing the response from the server. ( response=%s )", response), e);
 } catch (NullPointerException | JsonParseException e) {
 log.debug(response);
From e40b37069098296207f58e712ad3ce046e3a8bde Mon Sep 17 00:00:00 2001
From: "Bisht, Shubham"
Date: Wed, 12 Nov 2025 15:05:25 +0530
Subject: [PATCH 2/3] fix: Replaced unbounded
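Review bot: In the PATCH 1/3 hunk, the return value of `response.replaceAll("<[^>]*>", "")` is discarded, so nothing is stripped and the `ApiException` built on the next line still carries the raw HTML; Java strings are immutable, so the result has to be kept, e.g. `String stripped = response.replaceAll("<[^>]*>", "");` and then formatted instead of `response`. The replacement pattern is also not clearly linear: on a body with many `<` and no `>`, `[^>]*` scans to the end of the input from every `<`, which is still quadratic work under `replaceAll`. PATCH 3/3 later replaces this line with a parser call, which resolves both points for the final state. decodeResponse begins and ends outside the hunk.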

<p>(.*?)</p> pattern with safe <p>(?:(?!</p>).)*</p>

to prevent CodeQL security issue --- src/main/java/com/solidfire/core/client/ServiceBase.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/main/java/com/solidfire/core/client/ServiceBase.java b/src/main/java/com/solidfire/core/client/ServiceBase.java index c29ffd8a..36c714dd 100644 --- a/src/main/java/com/solidfire/core/client/ServiceBase.java +++ b/src/main/java/com/solidfire/core/client/ServiceBase.java @@ -206,7 +206,7 @@ protected TResult decodeResponse(String response, Class resul return result; } catch (ClassCastException e) { - final Pattern pattern = Pattern.compile("

(.*?)

"); + final Pattern pattern = Pattern.compile("

(?:(?!

).)*

"); final Matcher matcher = pattern.matcher(response); if (matcher.find()) { throw new ApiServerException("Not Found", "404", matcher.group(1)); From 8c5344ec1ba821d18ff5c7faed5401c1234a7234 Mon Sep 17 00:00:00 2001 From: "Bisht, Shubham" Date: Fri, 14 Nov 2025 12:44:56 +0530 Subject: [PATCH 3/3] fix: polynomial DoS issue using jsoup html parser --- project/common.scala | 5 ++++- .../com/solidfire/core/client/ServiceBase.java | 18 ++++++++++-------- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/project/common.scala b/project/common.scala index 7eebf35b..e7da3cb0 100644 --- a/project/common.scala +++ b/project/common.scala @@ -90,7 +90,8 @@ object Config { Dependencies.mockito, Dependencies.scalatest, Dependencies.scalacheck, - Dependencies.junit + Dependencies.junit, + Dependencies.jsoup ) ) @@ -125,6 +126,7 @@ object Version { val jodaConvert = "1.8.1" val jodaTime = "2.9.3" val base64 = "2.3.9" + val jsoup = "1.17.2" } object Dependencies { @@ -138,6 +140,7 @@ object Dependencies { lazy val mockito = "org.mockito" % "mockito-all" % Version.mockito % "test" lazy val scalacheck = "org.scalacheck" %% "scalacheck" % Version.scalacheck % "test" lazy val junit = "com.novocode" % "junit-interface" % Version.junit % "test" + lazy val jsoup = "org.jsoup" % "jsoup" % Version.jsoup } diff --git a/src/main/java/com/solidfire/core/client/ServiceBase.java b/src/main/java/com/solidfire/core/client/ServiceBase.java index 36c714dd..5b1a542c 100644 --- a/src/main/java/com/solidfire/core/client/ServiceBase.java +++ b/src/main/java/com/solidfire/core/client/ServiceBase.java @@ -32,8 +32,10 @@ import java.util.Map; import java.util.Set; import java.util.concurrent.atomic.AtomicLong; -import java.util.regex.Matcher; -import java.util.regex.Pattern; + +import org.jsoup.Jsoup; +import org.jsoup.nodes.Document; +import org.jsoup.nodes.Element; import static java.lang.String.format; 
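Review bot: In the ServiceBase.java hunk of PATCH 2/3, the new pattern contains only a non-capturing group, `(?:(?!…).)*`, while the unchanged context line still calls `matcher.group(1)`; with no group 1 that call throws `IndexOutOfBoundsException` whenever `find()` succeeds, so the 404 path no longer produces an `ApiServerException`. The HTML tags inside the pattern appear to have been stripped from this rendering, but the grouping is visible regardless. Wrapping the repeated part in a capturing group, `((?:(?!…).)*)`, keeps `group(1)` valid. PATCH 3/3 removes the regex altogether, yet this intermediate commit is left broken on its own. decodeResponse begins and ends outside the hunk.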
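Review bot: In project/common.scala, `Dependencies.jsoup` is declared without a `% "test"` scope, unlike the neighbours visible in the hunk, so jsoup 1.17.2 becomes a runtime dependency for every consumer of this client, for what is an error-handling path. That scope is needed for the `ServiceBase` change to compile, but the reason deserves a comment beside `val jsoup = "1.17.2"`, for example `// runtime: ServiceBase.decodeResponse reads HTML error bodies with jsoup`. The fixed version pin should also be covered by whatever dependency-update process the project uses, since an HTML parser now handles server-supplied input. The dependency lists these hunks touch begin and end outside the hunks.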
@@ -206,14 +208,14 @@ protected TResult decodeResponse(String response, Class resul return result; } catch (ClassCastException e) { - final Pattern pattern = Pattern.compile("

(?:(?!

).)*

"); - final Matcher matcher = pattern.matcher(response); - if (matcher.find()) { - throw new ApiServerException("Not Found", "404", matcher.group(1)); + Document parsedResponse = Jsoup.parse(response); + Element pTag = parsedResponse.selectFirst("p"); + if(pTag != null) { + throw new ApiServerException("Not Found", "404", pTag.text()); } // Removes the html tags from the response. - response.replaceAll("<[^>]*>", ""); - throw new ApiException(format("There was a problem parsing the response from the server. ( response=%s )", response), e); + String responseText = parsedResponse.text(); + throw new ApiException(format("There was a problem parsing the response from the server. ( response=%s )", responseText), e); } catch (NullPointerException | JsonParseException e) { log.debug(response); throw new ApiException(format("There was a problem parsing the response from the server. ( response=%s )", response), e);
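Review bot: `Jsoup.parse(response)` in the `ClassCastException` handler still processes the whole server-controlled body with no size limit, and `parsedResponse.text()` then copies all of its text into the `ApiException` message, so the cost of this error path remains proportional to whatever the server sends. Cap the input before parsing, e.g. `String body = response.length() > MAX_ERROR_BODY_CHARS ? response.substring(0, MAX_ERROR_BODY_CHARS) : response;` (with `MAX_ERROR_BODY_CHARS` as a new constant), and parse `body` instead. The sibling `catch (NullPointerException | JsonParseException e)` still logs and formats the raw `response`, so the two paths now differ in what they expose; applying the same cap and tag stripping there would keep them consistent. decodeResponse begins and ends outside the hunk.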