🚀 Release v1.3.1 (Nov 24, 2019)
Issue #46 resulted in filing an errata to RFC 7049 (CBOR) after the same mistake was found in both 7049 and Wikipedia. RFC 7049 author (cabo) confirmed within an hour directly in #46 which was super nice of him.
I'll let fuzzing continue for 1-10 days, due in part to issue #46 and initial valid fuzzing corpus. Maybe it'll generate fewer corpus files this time to reach a good stopping point.
🛠 Most users of v1.3.0 won't notice any practical difference from these bugfixes. They involve data validation rules and an obscure difference in sorting rule for canonical encoding.
🔄 Changes include:
- 🛠 Fix: Relax decoding restriction on CBOR int to Go float (commit 71ea0c5)
- 🛠 Fix: Separate CTAP2 and RFC 7049 canonical encoding (commit 7164aa3)
- 🛠 Fix: Reject indefinite-length byte/text string if chunks are indefinite-length (commit a4adae8)
- 🛠 Fix: Reject CBOR primitive 2-byte simple value < 32 (commit aa44241)
🚀 This release passed 877k+ executions (19 hours, and still running) of coverage-guided fuzzing using fxamacker/cbor-fuzz.
workers: 2, corpus: 403 (48s ago), crashers: 0, restarts: 1/10000, execs: 877930249 (12405/sec), cover: 1501, uptime: 19h39m
🆕 New struct tags "keyasint" and "toarray" make it easy to use Go structs with CBOR maps and arrays. Using COSE, CWT, SenML, etc. is more natural with less programming effort.
🚀 Encoding and decoding speed is faster than prior releases due to safe optimizations. Encoding speed and structs got the biggest speedups.
🚀 Benchmark comparisons are hard in v1.3 because older releases lack "keyasint" and "toarray". Some of the biggest speedups are from no longer having to use Go maps with COSE, CWT, SenML, etc.
Specific changes include:
- 🔋 Feature: Encode/Decode CBOR map with integer keys to Go struct with "keyasint" struct tag (commit 3cbdc26)
- 🔋 Feature: Encode/Decode CBOR array to Go struct with "toarray" struct tag (commit 07c8226)
- 🛠 Fix: Skip embedded struct pointed to by nil pointer during encoding (commit 593ee34)
- Speed: Improve decoding speed (commit 726c423, 23d2052)
- Speed: Improve encoding speed (commit 8ea465d, d85552b, 90423eb, 05e6b7c)
- ♻️ Misc: Refactor (commit ca1f6f1, be23d57, 1e745c3)
- Misc: Add examples and benchmarks (commit 61d7682, 2964577, 6c17db7)
🚀 This release passed 2+ billion executions (72 hours) of coverage-guided fuzzing using fxamacker/cbor-fuzz v0.7.0:
workers: 2, corpus: 719 (72h27m ago), crashers: 0, restarts: 1/10000, execs: 2275843330 (8725/sec), cover: 1492, uptime: 72h27m
🔄 Changes include:
- 🔋 Feature: Add RawMessage, Marshaler, and Unmarshaler (commit 1a29187)
- Speed: Improve decoding into struct speed by +23% (commit 9ff43a1)
- 🛠 Fix: Return error on decoding unsupported CBOR neg int (commit 47055e7)
- Misc: Add benchmarks using COSE and WebAuthn data (commit 22732d7)
- ✅ Misc: Add more tests, including malicious CBOR data (credit: oasislabs/oasis-core)
- ⚡️ Misc: Update README.md
🚀 This release passed 42 hours of fuzzing with fxamacker/cbor-fuzz v0.7.0.
Prevent an inappropriate use of BinaryUnmarshaler.
Specifically, don't allow CBOR byte string (major type 2) as input to Go's Time.UnmarshalBinary.
👀 Time values should only be encoded/decoded using these CBOR data types: pos or neg integer, float, and text string. For more info, see RFC 7049 section 2.4.1.
👀 For details, see commit 34ffc3a.
🚀 This release passed 24+ hours of fuzzing with fxamacker/cbor-fuzz v0.6.0.
➕ Add support for encoding.BinaryMarshaler and encoding.BinaryUnmarshaler interfaces.
- Encoder encodes value implementing encoding.BinaryMarshaler as CBOR byte string.
- Decoder decodes CBOR byte string into a value implementing encoding.BinaryUnmarshaler.
cborv1.0.0 stable for Go 1.12+.
♻️ Refactored and improved test coverage to 97%:
- ✂ Removed unused type InvalidValueError.
- ♻️ Refactored and removed unreachable code (redundant error/bounds checking).
- ➕ Added tests for edge cases.
- ⬇️ Reduced compiled library size.