Spec 3.3.0 #125

Merged
felipestanzani merged 15 commits into toon-format:main from jenspapenhagen:spec3.2
May 21, 2026
Collaborator

@jenspapenhagen jenspapenhagen commented May 20, 2026

Linked Issue

Closes #

Description

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)
  • Performance improvement
  • Test coverage improvement

Changes Made

SPEC Compliance

  • This PR implements/fixes spec compliance
  • Spec section(s) affected:
  • Spec version:

Testing

  • All existing tests pass
  • Added new tests for changes
  • Tests cover edge cases and spec compliance

Pre-submission Checklist

  • My code follows the project's coding standards
  • I have run code formatting/linting tools
  • I have added tests that prove my fix/feature works
  • New and existing tests pass locally
  • I have updated documentation if needed
  • I have reviewed the TOON specification for relevant sections

Breaking Changes

  • No breaking changes
  • Breaking changes (describe migration path below)

Additional Context

Fixed high-severity issues:
- Encoder recursion without cycle guards (StackOverflowError DoS)
- Quadratic algorithm in ListItemEncoder
- Malformed options crash encoding (null delimiter, negative indent)

Fixed medium-severity issues:
- Options validation (indent bounds, null checks)
- Stream input bounds (max 10000 elements)
- Numeric string type preservation (+1, .5, -.5, 1.)
- BigDecimal precision loss
- Invalid escape sequences (now throw instead of lossy)
- Key folding aliasing and prefix collision
- Duplicate tabular headers
- Nested array length mismatch

Added depth limits:
- MAX_DEPTH=512 for normalization
- MAX_ENCODE_DEPTH=1024 for encoding
- MAX_DECODE_DEPTH=1024 for decoding
- MAX_INDENT=100 for options
- MAX_STREAM_ELEMENTS=10000

Security fixes applied to:
- EncodeOptions/DecodeOptions validation
- JsonNormalizer (cycle detection, depth limits)
- ValueEncoder/ObjectEncoder/ArrayEncoder/ListItemEncoder
- ValueDecoder/ObjectDecoder/TabularArrayDecoder
- StringEscaper/StringValidator
- Flatten (key folding collision detection)
cleanup

checkstyle warnings fixed

Adding docs back
security: fix 23 vulnerabilities from V12 audit
@jenspapenhagen jenspapenhagen requested a review from a team as a code owner May 20, 2026 17:33
@jenspapenhagen jenspapenhagen changed the title Spec 3.2 Spec 3.3.0 May 21, 2026
@felipestanzani felipestanzani merged commit ab2cf39 into toon-format:main May 21, 2026
1 check passed
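
The commit message above lists "Encoder recursion without cycle guards (StackOverflowError DoS)" and a MAX_DEPTH=512 limit for normalization. As an added example (not code from this PR or from the project), the following Java shows one way such a guard can work: an identity-based set of the containers on the current path plus a depth counter. The class and method names are hypothetical, and map keys are assumed to be strings.

```java
import java.util.*;

// Added illustration; GuardedWalk and its methods are hypothetical names, not project classes.
public final class GuardedWalk {
    static final int MAX_DEPTH = 512; // value taken from the commit message above

    // Deep-copies a Map/List tree, failing fast on cycles and on excessive nesting.
    static Object normalize(Object value) {
        Set<Object> path = Collections.newSetFromMap(new IdentityHashMap<>());
        return walk(value, 0, path);
    }

    private static Object walk(Object value, int depth, Set<Object> path) {
        if (!(value instanceof Map) && !(value instanceof List)) return value; // scalars end recursion
        if (depth >= MAX_DEPTH) {
            throw new IllegalArgumentException("nesting exceeds MAX_DEPTH=" + MAX_DEPTH);
        }
        // Identity comparison: equals()/hashCode() on a cyclic container would itself recurse.
        if (!path.add(value)) {
            throw new IllegalArgumentException("cycle detected at depth " + depth);
        }
        try {
            if (value instanceof Map) {
                Map<String, Object> out = new LinkedHashMap<>();
                for (Map.Entry<?, ?> e : ((Map<?, ?>) value).entrySet()) {
                    out.put(String.valueOf(e.getKey()), walk(e.getValue(), depth + 1, path));
                }
                return out;
            }
            List<Object> out = new ArrayList<>();
            for (Object item : (List<?>) value) {
                out.add(walk(item, depth + 1, path));
            }
            return out;
        } finally {
            path.remove(value); // only ancestors count, so shared (non-cyclic) references stay legal
        }
    }

    public static void main(String[] args) {
        // Constructed input: a list that contains itself.
        List<Object> cyclic = new ArrayList<>();
        cyclic.add(cyclic);
        try {
            normalize(cyclic);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Removing each container from the set in `finally` means the same object may appear twice as a sibling without being reported as a cycle; only a container that is its own ancestor is rejected.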
@github-actions
Contributor

Code Coverage

Overall Project 98.33% -0.36% 🍏
Files changed 94.67% 🍏

File Coverage
DecodeHelper.java 100% 🍏
LineWriter.java 100% 🍏
JsonNormalizer.java 100% 🍏
StringEscaper.java 100% 🍏
Headers.java 100% 🍏
EncodeOptions.java 100% 🍏
DecodeOptions.java 100% 🍏
StringValidator.java 99.22% 🍏
ObjectDecoder.java 98.33% 🍏
PrimitiveEncoder.java 98.11% -1.26% 🍏
KeyDecoder.java 97.99% 🍏
TabularArrayDecoder.java 97.34% -2.47% 🍏
ArrayDecoder.java 97.07% 🍏
ListItemDecoder.java 96.54% 🍏
ValueDecoder.java 95.69% 🍏
ArrayEncoder.java 95.53% 🍏
PrimitiveDecoder.java 94.78% 🍏
ToonValidator.java 91.04% -8.96% 🍏
