Prevent stack overflow crashes with recursion limit (#21)

* Save all fixes

* fix: Prevent stack overflow crashes with recursion limit

* fix: address review feedback (cleanup + max+1 tests)

* test: Reduce recursion limit in test to avoid stack overflow on CI

* Reduce recursion test depth to avoid CI stack limits.

* chore: remove test output artifact

* Remove BugHuntingTests.swift

* Add recursionLimitTriggersOnDeepEncoding test

* Add EncodingLimits type and reframe recursion limits in terms of that

Reorder declarations

---------

Co-authored-by: Mattt Zmuda <mattt@me.com>

Author: rickhohler

Sources/ToonFormat/Encoder.swift

@@ -5,13 +5,57 @@ import Foundation
 /// This encoder conforms to the TOON (Token-Oriented Object Notation) specification version 3.0.
 /// For more information, see https://github.com/toon-format/spec
 public final class TOONEncoder {
-
     /// The number of spaces per indentation level.
     public var indent: Int = 2
 
+    /// The delimiter character used to separate array values and tabular row cells.
+    ///
+    /// The delimiter determines how multiple values are separated in inline arrays
+    /// and tabular data rows.
+    ///
+    /// Example with `.comma`:
+    /// ```toon
+    /// tags[3]: reading,gaming,coding
+    /// ```
+    ///
+    /// Example with `.tab`:
+    /// ```toon
+    /// items[2	]{sku	name}:
+    ///   A1	Widget
+    ///   B2	Gadget
+    /// ```
+    ///
+    /// Example with `.pipe`:
+    /// ```toon
+    /// items[2|]{sku|name}:
+    ///   A1|Widget
+    ///   B2|Gadget
+    /// ```
+    public enum Delimiter: String, CaseIterable, Hashable, Sendable {
+        /// Comma separator (`,`).
+        case comma = ","
+
+        /// Tab separator (`\t`).
+        case tab = "\t"
+
+        /// Pipe separator (`|`).
+        case pipe = "|"
+    }
+
     /// The delimiter to use for array values and tabular rows.
     public var delimiter: Delimiter = .comma
 
+    /// Key folding mode.
+    public enum KeyFolding: Hashable, Sendable {
+        /// No key folding.
+        case disabled
+
+        /// Safe key folding.
+        ///
+        /// Only folds when all segments are valid identifiers.
+        case safe
+    }
+
     /// Key folding mode for collapsing single-key object chains into dotted paths.
     ///
     /// When enabled, single-key nested objects like `{ a: { b: { c: 1 } } }`
@@ -39,58 +83,41 @@ public final class TOONEncoder {
     /// - Output: `a.b.c: 1`
     public var flattenDepth: Int = .max
 
-    /// Key folding mode.
-    public enum KeyFolding: Hashable, Sendable {
-        /// No key folding.
-        case disabled
+    /// Limits for encoding to prevent resource exhaustion.
+    public struct EncodingLimits: Hashable, Sendable {
+        /// Maximum nesting depth.
+        public var maxDepth: Int
 
-        /// Safe key folding.
+        /// Default limits suitable for most use cases.
         ///
-        /// Only folds when all segments are valid identifiers.
-        case safe
-    }
-
-    /// The delimiter character used to separate array values and tabular row cells.
-    ///
-    /// The delimiter determines how multiple values are separated in inline arrays
-    /// and tabular data rows.
-    ///
-    /// Example with `.comma`:
-    /// ```toon
-    /// tags[3]: reading,gaming,coding
-    /// ```
-    ///
-    /// Example with `.tab`:
-    /// ```toon
-    /// items[2	]{sku	name}:
-    ///   A1	Widget
-    ///   B2	Gadget
-    /// ```
-    ///
-    /// Example with `.pipe`:
-    /// ```toon
-    /// items[2|]{sku|name}:
-    ///   A1|Widget
-    ///   B2|Gadget
-    /// ```
-    public enum Delimiter: String, CaseIterable, Hashable, Sendable {
-        /// Comma separator (`,`).
-        case comma = ","
+        /// - `maxDepth`: 32 (prevents stack overflow from deep nesting)
+        public static let `default` = EncodingLimits(maxDepth: 32)
 
-        /// Tab separator (`\t`).
-        case tab = "\t"
+        /// Encoding limits that impose no restrictions.
+        ///
+        /// - Warning: This configuration is unsafe for untrusted input
+        ///   and should only be used with trusted data.
+        public static let unlimited = EncodingLimits(maxDepth: .max)
 
-        /// Pipe separator (`|`).
-        case pipe = "|"
+        public init(maxDepth: Int) {
+            self.maxDepth = maxDepth
+        }
     }
 
+    /// Limits for encoding to prevent resource exhaustion.
+    ///
+    /// Use this to protect against accidental or malicious deep nesting
+    /// when encoding untrusted data.
+    public var limits: EncodingLimits = .default
+
     /// Creates a new TOON encoder with default configuration.
     ///
     /// Default settings:
     /// - `indent`: 2 spaces
     /// - `delimiter`: `.comma`
     /// - `keyFolding`: `.disabled`
     /// - `flattenDepth`: `Int.max`
+    /// - `limits`: `.default`
     public init() {}
 
     /// Encodes the given value into TOON format.
@@ -114,7 +141,9 @@ public final class TOONEncoder {
         } else if mirror.subjectType == Data.self, let data = value as? Data {
             v = .data(data)
         } else {
-            let encoder = Encoder(userInfo: [:])
+            var userInfo = [CodingUserInfoKey: Any]()
+            userInfo[.toonEncodingMaxDepth] = limits.maxDepth
+            let encoder = Encoder(userInfo: userInfo)
             try value.encode(to: encoder)
             v = encoder.encodedValue
         }
@@ -720,6 +749,10 @@ public final class TOONEncoder {
     }
 }
 
+fileprivate extension CodingUserInfoKey {
+    static let toonEncodingMaxDepth = CodingUserInfoKey(rawValue: "toonEncodingMaxDepth")!
+}
+
 // MARK: - Internal Encoder
 
 extension TOONEncoder {
@@ -869,6 +902,15 @@ extension TOONEncoder {
         }
 
         func encode<T: Encodable>(_ value: T, forKey key: Key) throws {
+            if let limit = encoder.userInfo[.toonEncodingMaxDepth] as? Int, encoder.codingPath.count > limit {
+                throw EncodingError.invalidValue(
+                    value,
+                    EncodingError.Context(
+                        codingPath: codingPath + [key],
+                        debugDescription: "Recursion limit of \(limit) exceeded"
+                    )
+                )
+            }
             trackKey(key.stringValue)
 
             // Handle special types by checking the mirror of the value
@@ -1146,6 +1188,15 @@ extension TOONEncoder {
         }
 
         func encode<T: Encodable>(_ value: T) throws {
+            if let limit = encoder.userInfo[.toonEncodingMaxDepth] as? Int, encoder.codingPath.count > limit {
+                throw EncodingError.invalidValue(
+                    value,
+                    EncodingError.Context(
+                        codingPath: codingPath + [IndexedCodingKey(intValue: count)],
+                        debugDescription: "Recursion limit of \(limit) exceeded"
+                    )
+                )
+            }
             // Handle special types
             let mirror = Mirror(reflecting: value)
             if mirror.subjectType == Date.self, let date = value as? Date {
@@ -1288,6 +1339,15 @@ extension TOONEncoder {
         }
 
         func encode<T: Encodable>(_ value: T) throws {
+            if let limit = encoder.userInfo[.toonEncodingMaxDepth] as? Int, encoder.codingPath.count > limit {
+                throw EncodingError.invalidValue(
+                    value,
+                    EncodingError.Context(
+                        codingPath: codingPath,
+                        debugDescription: "Recursion limit of \(limit) exceeded"
+                    )
+                )
+            }
             // Handle special types
             let mirror = Mirror(reflecting: value)
             if mirror.subjectType == Date.self, let date = value as? Date {

Tests/ToonFormatTests/DecoderTests.swift

@@ -1368,7 +1368,7 @@ struct DecoderTests {
             let value: Int8
         }
 
-        let toon = "value: 200"  // Exceeds Int8.max (127)
+        let toon = "value: 128"  // Int8.max + 1
         let data = toon.data(using: .utf8)!
 
         #expect(throws: TOONDecodingError.self) {
@@ -1394,7 +1394,7 @@ struct DecoderTests {
             let value: UInt8
         }
 
-        let toon = "value: 300"  // Exceeds UInt8.max (255)
+        let toon = "value: 256"  // UInt8.max + 1
         let data = toon.data(using: .utf8)!
 
         #expect(throws: TOONDecodingError.self) {

Tests/ToonFormatTests/EncoderTests.swift

@@ -1572,6 +1572,37 @@ struct EncoderTests {
         #expect(result == expected)
     }
 
+    @Test func recursionLimitTriggersOnDeepEncoding() async throws {
+        indirect enum NestableValue: Codable, Equatable {
+            case int(Int)
+            case array([NestableValue])
+        }
+
+        struct Container: Codable, Equatable {
+            let value: NestableValue
+        }
+
+        func makeDeepNest(depth: Int) -> NestableValue {
+            var value: NestableValue = .int(1)
+            for _ in 0 ..< depth {
+                value = .array([value])
+            }
+            return value
+        }
+
+        let encoder = TOONEncoder()
+        encoder.limits.maxDepth = 10
+
+        do {
+            _ = try encoder.encode(Container(value: makeDeepNest(depth: 20)))
+            #expect(Bool(false))
+        } catch EncodingError.invalidValue(_, let context) {
+            #expect(context.debugDescription.contains("Recursion limit"))
+        } catch {
+            #expect(Bool(false))
+        }
+    }
+
     // MARK: - Collision Avoidance Tests (TOON 3.0)
 
     @Test func keyFoldingCollisionAvoidance() async throws {