
fix: limit LWP external entity response size and add timeout#296

Draft
toddr-bot wants to merge 1 commit into main from koan.toddr.bot/fix-issue-276


Conversation

toddr-bot (Collaborator) commented May 22, 2026

Summary

The lwp_ext_ent_handler fetched external entity content via LWP with no size limit or timeout, enabling denial-of-service by pointing external entities at extremely large or slow remote resources.

This adds LWP_MaxEntitySize (default 1 MB) and LWP_Timeout (default 30s) constructor options that configure the internal LWP::UserAgent. Responses truncated by the size limit are rejected with a clear parse error. Set LWP_MaxEntitySize => 0 to restore the previous unlimited behavior.

Fixes #276

Changes

  • Parser/LWPExternEnt.pl: Apply max_size and timeout to the UserAgent; detect and reject truncated responses via Client-Aborted header
  • Parser.pm: Document LWP_MaxEntitySize and LWP_Timeout options in both the constructor options list and SECURITY section
  • t/lwp_entity_limits.t: 9 tests covering defaults, custom values, truncation detection, limit disabling, and HTTP error passthrough

Test plan

  • All 9 new tests pass (mock LWP to verify UA configuration and truncation handling)
  • Full test suite passes (64 files, 736 tests)
  • Backward compatible: no defaults changed for users who set LWP_MaxEntitySize => 0

Generated by Kōan /fix


Quality Report

Changes: 4 files changed, 217 insertions(+)

Code scan: clean

Tests: passed (OK)

Branch hygiene: clean

Generated by Kōan post-mission quality pipeline
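The bounded fetch the PR describes, as an added example that is not the project's own handler: an ExternEnt callback in the shape XML::Parser invokes (`$parser, $base, $sysid, $pubid`), using LWP::UserAgent's `max_size` and `timeout` and rejecting responses LWP marks with `Client-Aborted`. The option keys on the parser object, the 1 MB = 1_000_000 bytes default and the `_bounded_ua` cache key are assumptions.

```perl
use strict;
use warnings;
use URI;
use LWP::UserAgent;

# Hypothetical hardened handler (assumed option keys LWP_MaxEntitySize /
# LWP_Timeout, defaults 1 MB and 30 s), not XML::Parser's own code.
sub bounded_ext_ent_handler {
    my ($xp, $base, $sys) = @_;   # the public id is not needed to fetch

    my $max_size = exists $xp->{LWP_MaxEntitySize} ? $xp->{LWP_MaxEntitySize} : 1_000_000;
    my $timeout  = exists $xp->{LWP_Timeout}       ? $xp->{LWP_Timeout}       : 30;

    # Resolve the system id against the base so relative references work.
    my $uri = defined $base ? URI->new_abs($sys, $base) : URI->new($sys);

    # One agent per parser object; timeout() bounds slow peers and
    # max_size() bounds how many body bytes LWP will buffer.
    my $ua = $xp->{_bounded_ua} ||= LWP::UserAgent->new;
    $ua->timeout($timeout);
    $ua->max_size($max_size ? $max_size : undef);   # 0 disables the limit

    my $res = $ua->get($uri);

    # Timeouts and connection failures come back as error responses.
    die "external entity $uri unreachable: " . $res->status_line . "\n"
        unless $res->is_success;

    # Once max_size is exceeded LWP stops reading and sets Client-Aborted;
    # a silently truncated entity must fail the parse, not be parsed as
    # if it were complete.
    if (my $why = $res->header('Client-Aborted')) {
        die "external entity $uri truncated ($why, limit $max_size bytes)\n";
    }

    return $res->content;   # raw bytes; the parser handles the encoding
}

# Usage with a constructed parser object carrying only the option keys.
my $parser = { LWP_MaxEntitySize => 65_536, LWP_Timeout => 5 };
my $body = eval { bounded_ext_ent_handler($parser, undef, 'http://example.invalid/ext.dtd') };
print $@ ? "rejected: $@" : "fetched " . length($body) . " bytes\n";
```

Inside a real handler the `die` propagates out of the parse call, so the caller sees a failed parse rather than a partial entity.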

The lwp_ext_ent_handler fetched external entity content with no size
limit or timeout, allowing denial-of-service via entities pointing at
extremely large or slow remote resources.

Add LWP_MaxEntitySize (default 1 MB) and LWP_Timeout (default 30s)
constructor options. When a response is truncated by LWP (Client-Aborted
header), reject it with a clear parse error. Users can set
LWP_MaxEntitySize => 0 to restore the previous unlimited behavior.

Fixes #276

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
codecov bot commented May 22, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.54%. Comparing base (ab2416c) to head (dcd21e3).
⚠️ Report is 7 commits behind head on main.

@@            Coverage Diff             @@
##             main     #296      +/-   ##
==========================================
+ Coverage   76.40%   76.54%   +0.14%     
==========================================
  Files           1        1              
  Lines        1102     1113      +11     
  Branches      346      351       +5     
==========================================
+ Hits          842      852      +10     
  Misses         52       52              
- Partials      208      209       +1     
Flag   Coverage Δ
perl   76.54% <ø> (+0.14%) ⬆️
xs     76.54% <ø> (+0.14%) ⬆️


Development

Successfully merging this pull request may close these issues:

  • Security: Unbounded memory consumption via external entity content fetching