ppkarwasz commented on code in PR #1654:
URL: https://github.com/apache/commons-lang/pull/1654#discussion_r3255527359
##########
src/test/java/org/apache/commons/lang3/text/StrBuilderClearTest.java:
##########
@@ -86,6 +91,40 @@ public int read(final char[] cbuf, final int off, final int
len) {
}
}
+ /** Search for a string encoded as UTF-16BE (2 bytes per char) in a byte
array. */
+ private static boolean containsUtf16Be(final byte[] haystack, final String
needle) throws IOException {
+ final byte[] needleBytes = needle.getBytes(StandardCharsets.UTF_16BE);
+ outer: for (int i = 0; i <= haystack.length - needleBytes.length; i++)
{
+ for (int j = 0; j < needleBytes.length; j++) {
+ if (haystack[i + j] != needleBytes[j]) {
+ continue outer;
+ }
+ }
+ return true;
+ }
+ return false;
+ }
+
+ @Test
+ public void testDeserializedStrBuilderHasNoStaleBufferContent() throws
Exception {
+ final StrBuilder sb = new StrBuilder("secret_password_xyzzy");
+ sb.clear();
+ sb.append("safe");
+ final byte[] serialized = SerializationUtils.serialize(sb);
+ final StrBuilder sb2;
+ // Deserialize and inspect the buffer
+ try (ObjectInputStream ois = new ObjectInputStream(new
ByteArrayInputStream(serialized))) {
+ sb2 = (StrBuilder) ois.readObject();
+ }
+ final Field bufField = StrBuilder.class.getDeclaredField("buffer");
+ bufField.setAccessible(true);
+ final Field sizeField = StrBuilder.class.getDeclaredField("size");
+ sizeField.setAccessible(true);
+ final char[] buf2 = (char[]) bufField.get(sb2);
+ final String bufContent = new String(buf2);
+ assertFalse(bufContent.contains("secret_password"), "Deserialized
StrBuilder buffer must not contain stale chars: " + bufContent);
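Review bot: The assertion on `bufContent.contains("secret_password")` looks like it cannot fail even when stale characters survive serialization. If `append("safe")` after `clear()` writes from index 0, the first four characters of the old value are overwritten and the buffer would read `safeet_password_xyzzy…`, which never contains `secret_password`. Checking for a fragment that lies beyond the new content, e.g. `assertFalse(bufContent.contains("password_xyzzy"), …)`, or asserting that every char at index >= `size` is `'\0'`, would let the test detect residue. Separately, `containsUtf16Be` declares `throws IOException` although nothing visible in its body throws it. The test method continues past the end of the quoted hunk, so a later assertion may already cover the residue check.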
Review Comment:
`buffer` and `size` are `protected`, so there is no need for reflection.