Zhongxin Yan created LANG-1801:
----------------------------------
Summary: RandomStringUtils.random() does not strictly validate
start/end when chars != null, causing potential IndexOutOfBoundsException
Key: LANG-1801
URL: https://issues.apache.org/jira/browse/LANG-1801
Project: Commons Lang
Issue Type: Bug
Components: lang.*
Affects Versions: 3.20.0
Reporter: Zhongxin Yan
{code:java}
public static String random(int count, int start, int end, final boolean letters, final boolean numbers,
        final char[] chars, final Random random) {
{code}
When a custom character array ({{chars != null}}) is supplied to
{{RandomStringUtils.random()}}, the method does *not* strictly check that
the {{start}} and {{end}} parameters fall within the valid bounds of the
{{chars}} array.
As a result, if {{start}} or {{end}} exceeds {{chars.length}}, the method
may generate a random index outside the array range, leading to an unexpected
{{ArrayIndexOutOfBoundsException}}.
This fails the method contract and causes unpredictable runtime errors.
[Github PR|https://github.com/apache/commons-lang/pull/1521]
{code:java}
@Test
void testStartEndOutOfRangeWithChars() {
    char[] chars = {'a', 'b', 'c'};
    assertThrows(ArrayIndexOutOfBoundsException.class, () -> {
        RandomStringUtils.random(
            5,
            5,  // invalid: start > chars.length
            10, // invalid: end > chars.length
            false,
            false,
            chars,
            new Random()
        );
    });
}
{code}
*Actual:*
Throws {{ArrayIndexOutOfBoundsException}}
*Expected:*
Throw {{IllegalArgumentException}} indicating invalid {{start}}/{{end}}
range when {{chars != null}}
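An added example (not part of the report and not the change in the linked PR) of the validation the report asks for: the range is checked against {{chars.length}} before any index is computed, so out-of-range arguments fail with {{IllegalArgumentException}} instead of surfacing as {{ArrayIndexOutOfBoundsException}} from inside the loop. The class {{BoundedRandomChars}} and its methods are hypothetical, and the index picker is a simplified stand-in assumed for illustration, not the library's own selection logic.

```java
import java.util.Random;

/** Hypothetical helper, not Commons Lang code: bounds-checked selection from a custom alphabet. */
public final class BoundedRandomChars {

    /** Rejects any start/end that could index outside chars; end is exclusive. */
    static void checkRange(final char[] chars, final int start, final int end) {
        if (chars == null || chars.length == 0) {
            throw new IllegalArgumentException("chars must be a non-empty array");
        }
        if (start < 0 || end > chars.length || start >= end) {
            throw new IllegalArgumentException(String.format(
                "Invalid range: start=%d, end=%d, chars.length=%d; require 0 <= start < end <= chars.length",
                start, end, chars.length));
        }
    }

    /** Builds count characters drawn from chars[start..end) after validating the range. */
    static String random(final int count, final int start, final int end,
                         final char[] chars, final Random random) {
        if (count < 0) {
            throw new IllegalArgumentException("count must be non-negative: " + count);
        }
        checkRange(chars, start, end);
        final StringBuilder sb = new StringBuilder(count);
        for (int i = 0; i < count; i++) {
            // Assumed picker: the index is always in [start, end), which checkRange
            // has already shown to lie inside the array.
            sb.append(chars[start + random.nextInt(end - start)]);
        }
        return sb.toString();
    }

    public static void main(final String[] args) {
        final char[] chars = {'a', 'b', 'c'};   // same array as the report's test
        System.out.println(random(5, 0, 3, chars, new Random()));   // valid: whole array
        System.out.println(random(5, 1, 3, chars, new Random()));   // valid: only 'b' and 'c'
        try {
            random(5, 5, 10, chars, new Random());                   // the report's arguments
        } catch (final IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

{{java.security.SecureRandom}} extends {{Random}}, so it can be passed as the last argument when the generated string is used as a token or password.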