Add guard to limit amount of namespaces and transforms

Author: tvdijen

src/Constants.php

@@ -163,6 +163,13 @@ class Constants extends \SimpleSAML\XML\Constants
 
     public const string XMLENC_EXI = 'http://www.w3.org/2009/xmlenc11#EXI';
 
+    /**
+     * Library default limits
+     */
+    public const int MAX_TRANSFORMS = 2;
+
+    public const int MAX_XPATH_NAMESPACES = 20;
+
 
     /** @var string[] */
     public static array $KEY_WRAP_ALGORITHMS = [

src/XML/CanonicalizableElementTrait.php

@@ -5,6 +5,7 @@
 namespace SimpleSAML\XMLSecurity\XML;
 
 use DOMElement;
+use SimpleSAML\XMLSecurity\Assert\Assert;
 use SimpleSAML\XMLSecurity\Constants as C;
 use SimpleSAML\XMLSecurity\Exception\CanonicalizationFailedException;
 use SimpleSAML\XMLSecurity\Exception\ReferenceValidationFailedException;
@@ -120,6 +121,13 @@ public function processTransforms(
         Transforms $transforms,
         DOMElement $data,
     ): string {
+        Assert::maxCount(
+            $transforms->getTransform(),
+            C::MAX_TRANSFORMS,
+            ReferenceValidationFailedException::class,
+            'Too many transforms.',
+        );
+
         $canonicalMethod = C::C14N_EXCLUSIVE_WITHOUT_COMMENTS;
         $arXPath = null;
         $prefixList = null;