This is an automated email from the ASF dual-hosted git repository.

garydgregory pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-lang.git


The following commit(s) were added to refs/heads/master by this push:
     new 9bcc0d0bf [LANG-1801] RandomStringUtils.random() does not strictly 
validate (#1682)
9bcc0d0bf is described below

commit 9bcc0d0bf84f6278a000eaf39af0e9780be9046c
Author: Gary Gregory <[email protected]>
AuthorDate: Wed May 27 16:01:23 2026 -0400

    [LANG-1801] RandomStringUtils.random() does not strictly validate (#1682)
    
    start/end when chars != null, causing potential IndexOutOfBoundsException
---
 src/main/java/org/apache/commons/lang3/RandomStringUtils.java     | 4 ++++
 src/test/java/org/apache/commons/lang3/RandomStringUtilsTest.java | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/apache/commons/lang3/RandomStringUtils.java 
b/src/main/java/org/apache/commons/lang3/RandomStringUtils.java
index 4795fb0d6..40a5dc744 100644
--- a/src/main/java/org/apache/commons/lang3/RandomStringUtils.java
+++ b/src/main/java/org/apache/commons/lang3/RandomStringUtils.java
@@ -276,6 +276,10 @@ public static String random(int count, int start, int end, 
final boolean letters
             throw new IllegalArgumentException(String.format("Parameter end 
(%,d) must be greater than start (%,d)", end, start));
         } else if (start < 0 || end < 0) {
             throw new IllegalArgumentException("Character positions MUST be >= 
0");
+        } else if (chars != null && start >= chars.length) {
+            throw new IllegalArgumentException("start >= chars.length");
+        } else if (chars != null && end > chars.length) {
+            throw new IllegalArgumentException("end > chars.length");
         }
         if (end > Character.MAX_CODE_POINT) {
             // Technically, it should be `Character.MAX_CODE_POINT+1` as `end` 
is excluded
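Review bot: The two new messages at L37 and L39 (`"start >= chars.length"`, `"end > chars.length"`) carry no values, while the neighbouring checks in the same chain report the offending numbers via `String.format("... (%,d) ...")`; an `IllegalArgumentException` from a bounds check is far easier to diagnose when it names the actual `start`/`end` and `chars.length`. I would write the second branch as `throw new IllegalArgumentException(String.format("Parameter end (%,d) must be <= chars.length (%,d)", end, chars.length));` and the first one analogously for `start`. Since the earlier branch already rejects `end <= start`, any `start >= chars.length` also has `end > chars.length`, so the `start` branch only selects a different message and the two could be folded into a single `end > chars.length` check if that is acceptable. The enclosing `random(...)` method starts and ends outside the hunk, so whether the `start == 0 && end == 0` defaulting to `chars.length` happens before these checks cannot be confirmed here; if it does not, the new guard should sit after that defaulting.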
diff --git a/src/test/java/org/apache/commons/lang3/RandomStringUtilsTest.java 
b/src/test/java/org/apache/commons/lang3/RandomStringUtilsTest.java
index 7ccd9e48b..68f646290 100644
--- a/src/test/java/org/apache/commons/lang3/RandomStringUtilsTest.java
+++ b/src/test/java/org/apache/commons/lang3/RandomStringUtilsTest.java
@@ -134,7 +134,8 @@ void testExceptionsRandom() {
         assertIllegalArgumentException(() -> RandomStringUtils.random(8, 32, 
48, false, true));
         assertIllegalArgumentException(() -> RandomStringUtils.random(8, 32, 
65, true, false));
         assertIllegalArgumentException(() -> RandomStringUtils.random(1, 
Integer.MIN_VALUE, -10, false, false, null));
-    }
+        assertIllegalArgumentException(() -> RandomStringUtils.random(2, 4, 5, 
false, false, new char[] { 'a', 'b', 'c', 'd' }, new Random()));
+        assertIllegalArgumentException(() -> RandomStringUtils.random(2, 1, 5, 
false, false, new char[] { 'a', 'b', 'c', 'd' }, new Random()));    }
 
     @ParameterizedTest
     @MethodSource("randomProvider")
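Review bot: The closing brace of `testExceptionsRandom()` has been appended to the end of the last added assertion at L60 (`new Random()));    }`) instead of staying on its own line, which is what the removed L56 had. Restore the brace as a separate `    }` line so the method layout matches the rest of the file. The two added cases cover `start >= chars.length` and `end > chars.length`; a positive case such as `RandomStringUtils.random(2, 0, 4, false, false, new char[] { 'a', 'b', 'c', 'd' }, new Random())` would also pin that `end == chars.length` remains accepted after the new guard.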
