[ 
https://issues.apache.org/jira/browse/LANG-1801?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Gary D. Gregory resolved LANG-1801.
-----------------------------------
    Fix Version/s: 3.21.0
         Assignee: Gary D. Gregory
       Resolution: Fixed

[~zhongxin] 

This is now fixed in git master and snapshot builds in 
https://repository.apache.org/content/repositories/snapshots/org/apache/commons/commons-lang3/3.21.0-SNAPSHOT/

Merged PR: [https://github.com/apache/commons-lang/pull/1682]

Please verify and close this ticket if appropriate.

TY!

 

 

> RandomStringUtils.random() does not strictly validate start/end when chars != 
> null, causing potential IndexOutOfBoundsException
> -------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: LANG-1801
>                 URL: https://issues.apache.org/jira/browse/LANG-1801
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.20.0
>            Reporter: Zhongxin Yan
>            Assignee: Gary D. Gregory
>            Priority: Minor
>             Fix For: 3.21.0
>
>
> {code:java}
> public static String random(int count, int start, int end, final boolean letters, final boolean numbers,
>         final char[] chars, final Random random) {{code}
> When a custom character array ({{chars != null}}) is supplied to 
> {{RandomStringUtils.random()}}, the method does *not* strictly check that 
> the {{start}} and {{end}} parameters fall within the valid bounds of the 
> {{chars}} array.
> As a result, if {{start}} or {{end}} exceeds {{chars.length}}, the method 
> may generate a random index outside the array range, leading to an unexpected 
> {{ArrayIndexOutOfBoundsException}}. [~ggregory] 
> This fails the method contract and causes unpredictable runtime errors. 
> [Github PR|https://github.com/apache/commons-lang/pull/1521]
> {code:java}
>     @Test
>     void testStartEndOutOfRangeWithChars() {
>         char[] chars = {'a', 'b', 'c'};
>         assertThrows(ArrayIndexOutOfBoundsException.class, () -> {
>             RandomStringUtils.random(
>                     5,
>                     5,   // invalid: start > chars.length
>                     10,  // invalid: end > chars.length
>                     false,
>                     false,
>                     chars,
>                     new Random()
>             );
>         });
>     }
> {code}
> *Actual:*
> Throws {{ArrayIndexOutOfBoundsException}}
> *Expected:*
> Throw {{IllegalArgumentException}} indicating invalid 
> {{start}}/{{end}} range when {{chars != null}}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
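
The range check the report asks for, as an added Java example that is not part of the original message and is neither the Commons Lang source nor the merged fix. `StartEndBoundsDemo`, `pickUnchecked` and `pickChecked` are hypothetical names, and the selection loop is a simplified stand-in for `RandomStringUtils.random()` called with `chars != null`.

```java
import java.util.Random;

public class StartEndBoundsDemo {

    // Hypothetical unchecked variant: trusts start/end and indexes chars directly.
    static String pickUnchecked(int count, int start, int end, char[] chars, Random random) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < count; i++) {
            // With start=5, end=10 and chars.length=3 this index is always out of range.
            sb.append(chars[start + random.nextInt(end - start)]);
        }
        return sb.toString();
    }

    // Hypothetical checked variant: rejects a bad range before any array access.
    static String pickChecked(int count, int start, int end, char[] chars, Random random) {
        if (count < 0) {
            throw new IllegalArgumentException("count must not be negative: " + count);
        }
        if (start < 0 || start >= end || end > chars.length) {
            throw new IllegalArgumentException("start/end [" + start + ", " + end
                    + ") must lie within chars (length " + chars.length + ")");
        }
        return pickUnchecked(count, start, end, chars, random);
    }

    // Runs one call and reports either the result or the exception type raised.
    static String outcome(boolean checked, int start, int end) {
        char[] chars = {'a', 'b', 'c'}; // constructed sample input, same array as the report
        Random random = new Random(1);
        try {
            return checked ? pickChecked(5, start, end, chars, random)
                    : pickUnchecked(5, start, end, chars, random);
        } catch (RuntimeException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("unchecked 5..10: " + outcome(false, 5, 10));
        System.out.println("checked   5..10: " + outcome(true, 5, 10));
        System.out.println("checked   0..3 : " + outcome(true, 0, 3));
    }
}
```

Callers that pass externally influenced `start`/`end` values can apply the same check on their side while still running 3.20.0, so a bad range surfaces as a deliberate argument error instead of an array fault deep in the call.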
