Description
Implementation of method copyCurrentStructure in TokenBuffer is reasonable for most content, but possibly problematic for deeply nested structures, and especially for intentionally crafted content for possible DoS.
It would be good to address this concern either by converting current recursion-based implementation with iteration and simple stack (since amount of state is trivial relative to stack frames needed for method calls), or by adding suitable nesting limit.
Note that one possible concern for max-depth approach is that value to needs to be relatively high to cover legit use cases; and although it'd be possible to expose max value as configuration it would not be a good fit for any existing limits.
And in fact it would be better to address such limits as part of more general input-content complexity limitation (similar to how Woodstox/Stax has a nice set of maximum limits for lengths of various things, attribute counts, nesting); so for just this purpose it is probably better to try to avoid needing such limits.