From 105f2b5cb02357319eef88ab0d7005f5ce7bee8a Mon Sep 17 00:00:00 2001 From: yanzhongxin <747328867@qq.com> Date: Tue, 9 Dec 2025 23:47:36 +0800 Subject: [PATCH 1/3] RandomStringUtils.random() does not strictly validate start/end when chars != null, causing potential IndexOutOfBoundsException --- .../org/apache/commons/lang3/RandomStringUtils.java | 13 +++++++++++++ .../apache/commons/lang3/RandomStringUtilsTest.java | 1 + 2 files changed, 14 insertions(+) diff --git a/src/main/java/org/apache/commons/lang3/RandomStringUtils.java b/src/main/java/org/apache/commons/lang3/RandomStringUtils.java index 558fc524242..27dfd3fec86 100644 --- a/src/main/java/org/apache/commons/lang3/RandomStringUtils.java +++ b/src/main/java/org/apache/commons/lang3/RandomStringUtils.java @@ -278,6 +278,19 @@ public static String random(int count, int start, int end, final boolean letters "Parameter end (" + end + ") must be greater than start (" + start + ")"); } else if (start < 0 || end < 0) { throw new IllegalArgumentException("Character positions MUST be >= 0"); + }else if (chars != null && (start >= chars.length || end > chars.length)){ + StringBuilder errorMsg = new StringBuilder(); + int charsLength = chars.length; + if (start >= charsLength) { + errorMsg.append("Parameter start (").append(start).append(") must be less than chars array length ").append(charsLength); + } + if (end > charsLength) { + if (errorMsg.length() > 0) { + errorMsg.append("; "); + } + errorMsg.append("Parameter end (").append(end).append(") must be less than or equal to chars array length ").append(charsLength); + } + throw new IllegalArgumentException(errorMsg.toString()); } if (end > Character.MAX_CODE_POINT) { diff --git a/src/test/java/org/apache/commons/lang3/RandomStringUtilsTest.java b/src/test/java/org/apache/commons/lang3/RandomStringUtilsTest.java index 3602fbc6461..a90b6e14136 100644 --- a/src/test/java/org/apache/commons/lang3/RandomStringUtilsTest.java 
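Review bot: The `start >= chars.length` half of the new condition in `random(...)` cannot fire on its own, because the preceding branch already rejects `end <= start`; whenever `start` is past the array, `end` is too. The check can be reduced to `} else if (chars != null && end > chars.length) {` with a single `throw new IllegalArgumentException("Parameter end (" + end + ") must be less than or equal to chars array length " + chars.length);`, which matches the concatenation style of the neighbouring branches and drops the `StringBuilder`. Going by the commit subject, callers that used to hit an `IndexOutOfBoundsException` now get `IllegalArgumentException`, so the method's Javadoc should gain a matching `@throws` line. The Javadoc and the rest of the method body lie outside this hunk, and the same condition reappears unchanged in the [PATCH 2/3] hunk.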
+++ b/src/test/java/org/apache/commons/lang3/RandomStringUtilsTest.java @@ -104,6 +104,7 @@ void testExceptionsRandom() { assertIllegalArgumentException(() -> RandomStringUtils.random(8, 32, 48, false, true)); assertIllegalArgumentException(() -> RandomStringUtils.random(8, 32, 65, true, false)); assertIllegalArgumentException(() -> RandomStringUtils.random(1, Integer.MIN_VALUE, -10, false, false, null)); + assertIllegalArgumentException(() -> RandomStringUtils.random(2, 5, 6, false, false, new char[] { 'a', 'b', 'c', 'd' }, new Random())); } @ParameterizedTest From ca327ab1320e4ad0f5b605865b0b2130217ffe58 Mon Sep 17 00:00:00 2001 From: yanzhongxin <747328867@qq.com> Date: Sun, 21 Dec 2025 15:35:49 +0800 Subject: [PATCH 2/3] Run mvn and adjust the code style --- .../java/org/apache/commons/lang3/RandomStringUtils.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/main/java/org/apache/commons/lang3/RandomStringUtils.java b/src/main/java/org/apache/commons/lang3/RandomStringUtils.java index 27dfd3fec86..1ab5c76ce35 100644 --- a/src/main/java/org/apache/commons/lang3/RandomStringUtils.java +++ b/src/main/java/org/apache/commons/lang3/RandomStringUtils.java @@ -278,9 +278,9 @@ public static String random(int count, int start, int end, final boolean letters "Parameter end (" + end + ") must be greater than start (" + start + ")"); } else if (start < 0 || end < 0) { throw new IllegalArgumentException("Character positions MUST be >= 0"); - }else if (chars != null && (start >= chars.length || end > chars.length)){ - StringBuilder errorMsg = new StringBuilder(); - int charsLength = chars.length; + } else if (chars != null && (start >= chars.length || end > chars.length)) { + final StringBuilder errorMsg = new StringBuilder(); + final int charsLength = chars.length; if (start >= charsLength) { errorMsg.append("Parameter start (").append(start).append(") must be less than chars array length ").append(charsLength); } 
From 4b55a30181bc500e3a005982f7e126b852f7c9dd Mon Sep 17 00:00:00 2001 From: yanzhongxin <747328867@qq.com> Date: Mon, 22 Dec 2025 22:01:55 +0800 Subject: [PATCH 3/3] [LANG-1801] Add additional unit test --- .../java/org/apache/commons/lang3/RandomStringUtilsTest.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/test/java/org/apache/commons/lang3/RandomStringUtilsTest.java b/src/test/java/org/apache/commons/lang3/RandomStringUtilsTest.java index a90b6e14136..4da52236181 100644 --- a/src/test/java/org/apache/commons/lang3/RandomStringUtilsTest.java +++ b/src/test/java/org/apache/commons/lang3/RandomStringUtilsTest.java @@ -104,7 +104,8 @@ void testExceptionsRandom() { assertIllegalArgumentException(() -> RandomStringUtils.random(8, 32, 48, false, true)); assertIllegalArgumentException(() -> RandomStringUtils.random(8, 32, 65, true, false)); assertIllegalArgumentException(() -> RandomStringUtils.random(1, Integer.MIN_VALUE, -10, false, false, null)); - assertIllegalArgumentException(() -> RandomStringUtils.random(2, 5, 6, false, false, new char[] { 'a', 'b', 'c', 'd' }, new Random())); + assertIllegalArgumentException(() -> RandomStringUtils.random(2, 4, 5, false, false, new char[] { 'a', 'b', 'c', 'd' }, new Random())); + assertIllegalArgumentException(() -> RandomStringUtils.random(2, 1, 5, false, false, new char[] { 'a', 'b', 'c', 'd' }, new Random())); } @ParameterizedTest
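Review bot: The added assertions in `testExceptionsRandom()` pin only the rejecting side of the new bounds check, so an off-by-one that tightened `end > chars.length` to `end >= chars.length` would still pass. A positive case at the boundary would close that gap, for example `assertEquals(2, RandomStringUtils.random(2, 3, 4, false, false, new char[] { 'a', 'b', 'c', 'd' }, new Random()).length());`, assuming `end` stays exclusive as the error message implies. The test method starts outside the hunk.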