[ 
https://issues.apache.org/jira/browse/LANG-1801?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18046263#comment-18046263
 ] 

Zhongxin Yan commented on LANG-1801:
------------------------------------

[~harshitgoel] Thanks for testing LANG-1801. I actually already submitted a 
[PR|https://github.com/apache/commons-lang/pull/1521] that addresses this 
exact issue.

> RandomStringUtils.random() does not strictly validate start/end when chars != 
> null, causing potential IndexOutOfBoundsException
> -------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: LANG-1801
>                 URL: https://issues.apache.org/jira/browse/LANG-1801
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.20.0
>         Environment: {code:java}
> // code placeholder
> {code}
>            Reporter: Zhongxin Yan
>            Priority: Major
>
> {code:java}
> public static String random(int count, int start, int end, final boolean 
> letters, final boolean numbers,
> final char[] chars, final Random random) {{code}
> When a custom character array ({{{}chars != null{}}}) is supplied to 
> {{{}RandomStringUtils.random(){}}}, the method does *not* strictly check that 
> the {{start}} and {{end}} parameters fall within the valid bounds of the 
> {{chars}} array.
> As a result, if {{start}} or {{end}} exceeds {{{}chars.length{}}}, the method 
> may generate a random index outside the array range, leading to an unexpected 
> {{{}ArrayIndexOutOfBoundsException{}}}. [~ggregory] 
> This fails the method contract and causes unpredictable runtime errors. 
> [Github PR|https://github.com/apache/commons-lang/pull/1521]
> {code:java}
>     @Test
>     void testStartEndOutOfRangeWithChars() {
>         char[] chars = {'a', 'b', 'c'};
>         assertThrows(ArrayIndexOutOfBoundsException.class, () -> {
>             RandomStringUtils.random(
>                     5,
>                     5,   // invalid: start > chars.length
>                     10,  // invalid: end > chars.length
>                     false,
>                     false,
>                     chars,
>                     new Random()
>             );
>         });
>     }{code}
> *Actual:*
> Throws {{ArrayIndexOutOfBoundsException}}
> *Expected:*
> Throw {{IllegalArgumentException}} indicating invalid 
> {{{}start{}}}/{{{}end{}}} range when {{chars != null}}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
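
The validation gap described in the issue, as an added example that is not part of the original message, the Commons Lang code base, or the linked PR. `pickUnchecked` and `pickChecked` are hypothetical, simplified helpers that only model indexing a caller-supplied `chars` array with a random offset in `[start, end)`.

```java
import java.util.Random;

public class BoundedCharPicker {

    // Hypothetical helper (assumption, not RandomStringUtils.random()):
    // indexes chars with a random offset in [start, end) without checking
    // that the range lies inside the array.
    static String pickUnchecked(int count, int start, int end, char[] chars, Random random) {
        StringBuilder sb = new StringBuilder(count);
        int gap = end - start;
        for (int i = 0; i < count; i++) {
            // If end > chars.length this index can fall outside the array.
            sb.append(chars[start + random.nextInt(gap)]);
        }
        return sb.toString();
    }

    // Same helper with the range validated up front, so a bad call fails
    // with an IllegalArgumentException that names the offending values.
    static String pickChecked(int count, int start, int end, char[] chars, Random random) {
        if (count < 0) {
            throw new IllegalArgumentException("count must be non-negative: " + count);
        }
        if (chars == null || chars.length == 0) {
            throw new IllegalArgumentException("chars must be a non-empty array");
        }
        if (start < 0 || start >= end || end > chars.length) {
            throw new IllegalArgumentException(String.format(
                    "invalid range [%d, %d) for chars of length %d", start, end, chars.length));
        }
        return pickUnchecked(count, start, end, chars, random);
    }

    public static void main(String[] args) {
        char[] chars = {'a', 'b', 'c'};   // constructed sample input, as in the reported test
        Random random = new Random(42);
        try {
            pickUnchecked(5, 5, 10, chars, random);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("unchecked: " + e);
        }
        try {
            pickChecked(5, 5, 10, chars, random);
        } catch (IllegalArgumentException e) {
            System.out.println("checked: " + e.getMessage());
        }
        System.out.println("valid range: " + pickChecked(5, 0, chars.length, chars, random));
    }
}
```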
