https://issues.apache.org/jira/browse/LANG-1826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18080224#comment-18080224
Piotr Karwasz commented on LANG-1826:
-------------------------------------
Hi [~chenyl2024],
Thank you for reporting the issue.
First, let me clear the air so other users don't panic when reading the
description: there is *absolutely no* security concern here. The Commons Lang
API is not meant to be exposed to attacker-controlled data. It is a low-level
library that exposes functionality similar to the JDK, and as a general rule it
is unsafe to pass possibly attacker-controlled input to its API (see the
[security model|https://commons.apache.org/security.html]).
To make this concrete: if {{StringUtils.repeat}} were exposed to
attacker-controlled input, you would not need to rely on any bug to cause a
denial of service. The method provides amplification by design: a
caller-supplied {{count}} of a few bytes can request gigabytes of allocation.
The only real shortcoming here is a matter of API hygiene: the exception thrown
({{NegativeArraySizeException}}) is not very descriptive in this case, since
the caller didn't provide any array. Throwing {{OutOfMemoryError}} (as JDK's
{{String.repeat}} does) or an {{IllegalArgumentException}} would communicate
the failure more clearly.
> Issue: Unchecked integer overflow in public Commons Lang size APIs can
> trigger denial of service
> ------------------------------------------------------------------------------------------------
>
> Key: LANG-1826
> URL: https://issues.apache.org/jira/browse/LANG-1826
> Project: Commons Lang
> Issue Type: Bug
> Components: lang.text.*
> Reporter: Cyl
> Priority: Major
> Labels: dos, security
>
> h1. Issue: Unchecked integer overflow in public Commons Lang size APIs can
> trigger denial of service
> h2. Basic Information
> * *Project*: LANG
> * *Type*: Issue
> * *Severity*: Medium
> * *Affected Versions*: <= 3.20.0
> * *Fixed Version*: N/A
> h2. Description
> This issue affects public methods in Apache Commons Lang that derive
> allocation lengths directly from caller-controlled integers. A large positive
> {{count}} or {{capacity}} can wrap to a negative size and trigger
> {{NegativeArraySizeException}}, allowing downstream applications that pass
> attacker-controlled values into these APIs to fail requests or jobs with a
> low-effort denial of service.
> The affected methods are:
> * {{StringUtils.repeat(String, int)}}
> * {{StringUtils.repeat(String, String, int)}}
> * {{StrBuilder.ensureCapacity(int)}}
> These paths use unchecked {{int}} arithmetic before allocating arrays or
> builders.
> h2. Impact
> This is a denial of service issue in a widely used library dependency. Any
> application that passes untrusted size or count values into these APIs can be
> forced into runtime failure. In practice this can break request handlers,
> batch jobs, template generation, export tasks, or message-processing flows
> that rely on Commons Lang string repetition or buffer preallocation with
> attacker-controlled inputs.
> h2. Affected products
> * *Ecosystem*: maven
> * *Package name*: org.apache.commons:commons-lang3
> * *Affected versions*: <= 3.20.0
> h2. Severity
> * *Severity*: Medium
> * *Vector string*: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
> h2. Weaknesses
> * *CWE*: CWE-190: Integer Overflow or Wraparound
> h2. Occurrences
> * {{StringUtils.repeat(String, int)}} multiplies {{inputLength * count}} with
> unchecked {{int}} arithmetic and then uses the result for {{char[]}} or
> {{StringBuilder}} allocation.
> * {{StringUtils.repeat(String, String, int)}} preserves the same flaw by
> concatenating {{repeat + separator}} and delegating to the vulnerable
> {{repeat(String, int)}} path.
> * {{StrBuilder.ensureCapacity(int)}} allocates {{new char[capacity * 2]}}
> with unchecked multiplication, allowing a wrapped negative size to reach
> allocation.
> h2. Reproduction summary
> Supplying {{1_073_741_824}} to these APIs causes {{* 2}} to wrap to
> {{-2147483648}}, which then reaches allocation and raises
> {{NegativeArraySizeException}}. This is reachable without source
> modification, reflection, or internal access.
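As an added illustration (not Commons Lang code, and not from the reporter or the commenter), the unchecked {{int}} multiplication from the occurrences list beside a checked length computation that fails fast with the descriptive {{IllegalArgumentException}} the comment suggests; the class and method names are mine, and the only library call is the JDK's {{Math.multiplyExact}}.

```java
import java.util.Objects;

/** Hypothetical class name; mirrors the length arithmetic the issue describes. */
public final class RepeatOverflowDemo {

    /** The unchecked form: inputLength * count wraps silently past Integer.MAX_VALUE. */
    static int uncheckedLength(int inputLength, int count) {
        return inputLength * count;
    }

    /**
     * Checked form: rejects negative counts up front and turns the JDK's
     * ArithmeticException from multiplyExact into a message that names the inputs.
     * Note that a length just under Integer.MAX_VALUE still passes this check and
     * will exhaust the heap, which is the amplification-by-design point in the comment;
     * callers facing untrusted input must impose their own cap.
     */
    static int checkedLength(int inputLength, int count) {
        if (count < 0) {
            throw new IllegalArgumentException("count must be >= 0, got " + count);
        }
        try {
            return Math.multiplyExact(inputLength, count);
        } catch (ArithmeticException e) {
            throw new IllegalArgumentException(
                "repeat length " + inputLength + " * " + count
                    + " exceeds Integer.MAX_VALUE", e);
        }
    }

    /** A repeat that validates the final size before allocating anything. */
    static String checkedRepeat(String str, int count) {
        Objects.requireNonNull(str, "str");
        StringBuilder sb = new StringBuilder(checkedLength(str.length(), count));
        for (int i = 0; i < count; i++) {
            sb.append(str);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        int capacity = 1_073_741_824; // the value from the reproduction summary
        System.out.println("unchecked capacity * 2 = " + uncheckedLength(capacity, 2));
        try {
            checkedLength(capacity, 2);
        } catch (IllegalArgumentException e) {
            System.out.println("checked: " + e.getMessage());
        }
        System.out.println(checkedRepeat("ab", 3));
    }
}
```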
--
This message was sent by Atlassian Jira
(v8.20.10#820010)