Skip to content

Security: fix 23 vulnerabilities from V12 audit#122

Merged
felipestanzani merged 4 commits into
toon-format:mainfrom
jenspapenhagen:main
May 18, 2026
Merged

Security: fix 23 vulnerabilities from V12 audit#122
felipestanzani merged 4 commits into
toon-format:mainfrom
jenspapenhagen:main

Conversation

@jenspapenhagen
Copy link
Copy Markdown
Collaborator

@jenspapenhagen jenspapenhagen commented May 16, 2026

Linked Issue

Closes #

Description

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)
  • Performance improvement
  • Test coverage improvement

Changes Made

SPEC Compliance

  • This PR implements/fixes spec compliance
  • Spec section(s) affected:
  • Spec version:

Testing

  • All existing tests pass
  • Added new tests for changes
  • Tests cover edge cases and spec compliance

Pre-submission Checklist

  • My code follows the project's coding standards
  • I have run code formatting/linting tools
  • I have added tests that prove my fix/feature works
  • New and existing tests pass locally
  • I have updated documentation if needed
  • I have reviewed the TOON specification for relevant sections

Breaking Changes

  • No breaking changes
  • Breaking changes (describe migration path below)

Additional Context

@jenspapenhagen
security: fix 23 vulnerabilities from V12 audit
4a9ae3c 
Fixed high-severity issues:
- Encoder recursion without cycle guards (StackOverflowError DoS)
- Quadratic algorithm in ListItemEncoder
- Malformed options crash encoding (null delimiter, negative indent)

Fixed medium-severity issues:
- Options validation (indent bounds, null checks)
- Stream input bounds (max 10000 elements)
- Numeric string type preservation (+1, .5, -.5, 1.)
- BigDecimal precision loss
- Invalid escape sequences (now throw instead of lossy)
- Key folding aliasing and prefix collision
- Duplicate tabular headers
- Nested array length mismatch

Added depth limits:
- MAX_DEPTH=512 for normalization
- MAX_ENCODE_DEPTH=1024 for encoding
- MAX_DECODE_DEPTH=1024 for decoding
- MAX_INDENT=100 for options
- MAX_STREAM_ELEMENTS=10000

Security fixes applied to:
- EncodeOptions/DecodeOptions validation
- JsonNormalizer (cycle detection, depth limits)
- ValueEncoder/ObjectEncoder/ArrayEncoder/ListItemEncoder
- ValueDecoder/ObjectDecoder/TabularArrayDecoder
- StringEscaper/StringValidator
- Flatten (key folding collision detection)
@jenspapenhagen
cleanup
6a318e5 
cleanup

checkstyle warnings fixed

Adding docs back
@jenspapenhagen
adding test
ab499e3
@jenspapenhagen
Merge pull request #26 from jenspapenhagen/sec
929760a 
security: fix 23 vulnerabilities from V12 audit
@jenspapenhagen jenspapenhagen requested a review from a team as a code owner May 16, 2026 12:24
@felipestanzani felipestanzani merged commit 59cdd8b into toon-format:main May 18, 2026
1 check passed
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 18, 2026

Code Coverage

Overall Project 98.9% 🍏
Files changed 100% 🍏

File Coverage
JsonNormalizer.java 100% 🍏
StringEscaper.java 100% 🍏
EncodeOptions.java 100% 🍏
DecodeOptions.java 100% 🍏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jenspapenhagen @felipestanzani