fix(detector): eliminate regex backtracking in Liquibase YAML patterns (#61)

SonarCloud S5998 (reliability: stack overflow on large input) + S5852
(security hotspot: ReDoS) both flagged the reluctant-outer quantifier
`(?:\s++[^\n]*+\n)*?` in LQ_CREATE_TABLE_YAML and LQ_ADD_FK_YAML. The
engine was free to backtrack through the reluctant `*?`.

Rewrite with negative-lookahead + possessive `*+`: intermediate lines
that would otherwise match the target key (tableName / baseTableName /
referencedTableName) are excluded up front, so the outer match
terminates deterministically exactly where the reluctant version did.
No semantic change for valid Liquibase YAML.

Adds a regression test exercising a 500-line pathological createTable
block — completes in <1s on the rewritten patterns; the pre-fix
reluctant walk would have scaled quadratically.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: aksOps

src/main/java/io/github/randomcodespace/iq/detector/sql/SqlMigrationDetector.java

@@ -142,12 +142,20 @@ public class SqlMigrationDetector extends AbstractRegexDetector {
                     + "[^>]*?\\breferencedTableName\\s*+=\\s*+\"(\\w++)\"");
 
     // -- Liquibase YAML patterns (regex-based; avoids pulling in SnakeYAML here) --
+    // Intermediate lines use a negative-lookahead + possessive `*+` instead of reluctant `*?`:
+    // no backtracking (prevents SonarCloud S5998 stack-overflow / S5852 ReDoS), same
+    // semantics — lines that *would* match the target key are excluded from the skip group,
+    // so the outer match terminates exactly where the reluctant version would have.
     private static final Pattern LQ_CREATE_TABLE_YAML = Pattern.compile(
-            "createTable\\s*+:[^\\n]*+\\n(?:\\s++[^\\n]*+\\n)*?\\s++tableName\\s*+:\\s*+([\\w\"']++)");
+            "createTable\\s*+:[^\\n]*+\\n"
+                    + "(?:(?!\\s++tableName\\s*+:)\\s++[^\\n]*+\\n)*+"
+                    + "\\s++tableName\\s*+:\\s*+([\\w\"']++)");
     private static final Pattern LQ_ADD_FK_YAML = Pattern.compile(
             "addForeignKeyConstraint\\s*+:[^\\n]*+\\n"
-                    + "(?:\\s++[^\\n]*+\\n)*?\\s++baseTableName\\s*+:\\s*+([\\w\"']++)[^\\n]*+\\n"
-                    + "(?:\\s++[^\\n]*+\\n)*?\\s++referencedTableName\\s*+:\\s*+([\\w\"']++)");
+                    + "(?:(?!\\s++baseTableName\\s*+:)\\s++[^\\n]*+\\n)*+"
+                    + "\\s++baseTableName\\s*+:\\s*+([\\w\"']++)[^\\n]*+\\n"
+                    + "(?:(?!\\s++referencedTableName\\s*+:)\\s++[^\\n]*+\\n)*+"
+                    + "\\s++referencedTableName\\s*+:\\s*+([\\w\"']++)");
 
     // -- Flyway version parsing --
     private static final Pattern FLYWAY_VERSION = Pattern.compile(

src/test/java/io/github/randomcodespace/iq/detector/sql/SqlMigrationDetectorTest.java

@@ -209,6 +209,42 @@ void liquibaseYamlChangeSetDetected() {
                         && e.getTarget().getId().endsWith(":invoices")));
     }
 
+    @Test
+    void liquibaseYamlChangeSet_largeIntermediateContent_completesQuickly() {
+        // Regression guard for SonarCloud S5998 / S5852 on LQ_*_YAML: the reluctant-outer
+        // `(?:\s++[^\n]*+\n)*?` patterns were rewritten with a negative-lookahead +
+        // possessive outer so stack/runtime cannot blow up on many indented lines.
+        // Pathological input: a createTable with 500 indented column lines preceding
+        // tableName — the pre-fix reluctant walk would scale quadratically.
+        StringBuilder columns = new StringBuilder();
+        for (int i = 0; i < 500; i++) {
+            columns.append("                                  - column_").append(i).append(": stub_value\n");
+        }
+        String yaml = """
+                databaseChangeLog:
+                  - changeSet:
+                      id: 1
+                      author: bob
+                      changes:
+                        - createTable:
+                """
+                + columns
+                + "                            tableName: wide_table\n";
+        DetectorContext ctx = new DetectorContext(
+                "src/main/resources/db/db.changelog-wide.yml", "yaml", yaml);
+
+        long start = System.nanoTime();
+        DetectorResult result = detector.detect(ctx);
+        long elapsedMs = (System.nanoTime() - start) / 1_000_000;
+
+        assertTrue(hasEntity(sqlEntitiesOf(result), "wide_table", "table"),
+                "wide_table must still be detected after the anti-backtracking rewrite");
+        // 2s is 100x the observed fast-path time; we only care that it doesn't blow up
+        // exponentially — the exact threshold isn't load-bearing.
+        assertTrue(elapsedMs < 2000,
+                "detection of wide_table should complete in under 2s, was " + elapsedMs + "ms");
+    }
+
     // -- Positive: Rails --
 
     @Test