Bugfix/class utils to canonical name length check (#1495)

garydgregory · web-flow · commit 5713c6c42e43 · 2025-11-19T08:23:03.000-05:00
* Add testLang1641()

* Rename some test methods

* ClassUtils now throws IllegalArgumentException if a class name is &gt;
65535

This affects:

- getClass(ClassLoader, String, boolean),
- ClassUtils.getClass(ClassLoader, String),
- ClassUtils.getClass(String, boolean),
- ClassUtils.getClass(String)

* ClassUtils now throws IllegalArgumentException if a class name is &gt;
65535

This affects:

- getClass(ClassLoader, String, boolean),
- ClassUtils.getClass(ClassLoader, String),
- ClassUtils.getClass(String, boolean),
- ClassUtils.getClass(String)

* ClassUtils now throws IllegalArgumentException if a class name is &gt;
65535

This affects:

- getClass(ClassLoader, String, boolean),
- ClassUtils.getClass(ClassLoader, String),
- ClassUtils.getClass(String, boolean),
- ClassUtils.getClass(String)
diff --git a/src/main/java/org/apache/commons/lang3/ClassUtils.java b/src/main/java/org/apache/commons/lang3/ClassUtils.java
@@ -49,9 +49,22 @@
 public class ClassUtils {
 
     /**
-     * The JVM {@code CONSTANT_Class_info} structure defines an array type descriptor is valid only if it represents 255 or fewer dimensions.
+     * The JLS-specified maximum class name length {@value}.
      *
+     * @see Class#forName(String, boolean, ClassLoader)
      * @see <a href="https://docs.oracle.com/javase/specs/jvms/se25/html/jvms-4.html#jvms-4.4.1">JVM: Array dimension limits in JVM Specification CONSTANT_Class_info</a>
+     * @see <a href="https://docs.oracle.com/javase/specs/jls/se25/html/jls-6.html#jls-6.7">JLS: Fully Qualified Names and Canonical Names</a>
+     * @see <a href="https://docs.oracle.com/javase/specs/jls/se25/html/jls-13.html#jls-13.1">JLS: The Form of a Binary</a>
+     */
+    private static final int MAX_CLASS_NAME_LENGTH = 65535;
+
+    /**
+     * The JVM-specified {@code CONSTANT_Class_info} structure defines an array type descriptor is valid only if it represents {@value} or fewer dimensions.
+     *
+     * @see Class#forName(String, boolean, ClassLoader)
+     * @see <a href="https://docs.oracle.com/javase/specs/jvms/se25/html/jvms-4.html#jvms-4.4.1">JVM: Array dimension limits in JVM Specification CONSTANT_Class_info</a>
+     * @see <a href="https://docs.oracle.com/javase/specs/jls/se25/html/jls-6.html#jls-6.7">JLS: Fully Qualified Names and Canonical Names</a>
+     * @see <a href="https://docs.oracle.com/javase/specs/jls/se25/html/jls-13.html#jls-13.1">JLS: The Form of a Binary</a>
      */
     private static final int MAX_JVM_ARRAY_DIMENSION = 255;
 
@@ -533,6 +546,7 @@ private static String getCanonicalName(final String name) {
      * @throws NullPointerException if the className is null.
      * @throws ClassNotFoundException if the class is not found.
      * @throws IllegalArgumentException Thrown if the class name represents an array with more dimensions than the JVM supports, 255.
+     * @throws IllegalArgumentException Thrown if the class name length is greater than 65,535.
      * @see Class#forName(String, boolean, ClassLoader)
      * @see <a href="https://docs.oracle.com/javase/specs/jvms/se25/html/jvms-4.html#jvms-4.4.1">JVM: Array dimension limits in JVM Specification CONSTANT_Class_info</a>
      * @see <a href="https://docs.oracle.com/javase/specs/jls/se25/html/jls-6.html#jls-6.7">JLS: Fully Qualified Names and Canonical Names</a>
@@ -554,6 +568,7 @@ public static Class<?> getClass(final ClassLoader classLoader, final String clas
      * @throws NullPointerException if the className is null.
      * @throws ClassNotFoundException if the class is not found.
      * @throws IllegalArgumentException Thrown if the class name represents an array with more dimensions than the JVM supports, 255.
+     * @throws IllegalArgumentException Thrown if the class name length is greater than 65,535.
      * @see Class#forName(String, boolean, ClassLoader)
      * @see <a href="https://docs.oracle.com/javase/specs/jvms/se25/html/jvms-4.html#jvms-4.4.1">JVM: Array dimension limits in JVM Specification CONSTANT_Class_info</a>
      * @see <a href="https://docs.oracle.com/javase/specs/jls/se25/html/jls-6.html#jls-6.7">JLS: Fully Qualified Names and Canonical Names</a>
@@ -566,7 +581,7 @@ public static Class<?> getClass(final ClassLoader classLoader, final String clas
         do {
             try {
                 final Class<?> clazz = getPrimitiveClass(next);
-                return clazz != null ? clazz : Class.forName(toCanonicalName(next), initialize, classLoader);
+                return clazz != null ? clazz : Class.forName(toCleanName(next), initialize, classLoader);
             } catch (final ClassNotFoundException ex) {
                 lastDotIndex = next.lastIndexOf(PACKAGE_SEPARATOR_CHAR);
                 if (lastDotIndex != -1) {
@@ -587,6 +602,7 @@ public static Class<?> getClass(final ClassLoader classLoader, final String clas
      * @throws NullPointerException if the className is null
      * @throws ClassNotFoundException if the class is not found
      * @throws IllegalArgumentException Thrown if the class name represents an array with more dimensions than the JVM supports, 255.
+     * @throws IllegalArgumentException Thrown if the class name length is greater than 65,535.
      * @see Class#forName(String, boolean, ClassLoader)
      * @see <a href="https://docs.oracle.com/javase/specs/jvms/se25/html/jvms-4.html#jvms-4.4.1">JVM: Array dimension limits in JVM Specification CONSTANT_Class_info</a>
      * @see <a href="https://docs.oracle.com/javase/specs/jls/se25/html/jls-6.html#jls-6.7">JLS: Fully Qualified Names and Canonical Names</a>
@@ -607,6 +623,7 @@ public static Class<?> getClass(final String className) throws ClassNotFoundExce
      * @throws NullPointerException if the className is null.
      * @throws ClassNotFoundException if the class is not found.
      * @throws IllegalArgumentException Thrown if the class name represents an array with more dimensions than the JVM supports, 255.
+     * @throws IllegalArgumentException Thrown if the class name length is greater than 65,535.
      * @see Class#forName(String, boolean, ClassLoader)
      * @see <a href="https://docs.oracle.com/javase/specs/jvms/se25/html/jvms-4.html#jvms-4.4.1">JVM: Array dimension limits in JVM Specification CONSTANT_Class_info</a>
      * @see <a href="https://docs.oracle.com/javase/specs/jls/se25/html/jls-6.html#jls-6.7">JLS: Fully Qualified Names and Canonical Names</a>
@@ -1519,32 +1536,60 @@ public static Class<?> primitiveToWrapper(final Class<?> cls) {
     }
 
     /**
-     * Converts a class name to a JLS style class name.
+     * Converts and cleans up a class name to a JLS style class name.
      *
      * @param className the class name.
      * @return the converted name.
-     * @throws NullPointerException if the className is null.
+     * @throws NullPointerException     if the className is null.
      * @throws IllegalArgumentException Thrown if the class name represents an array with more dimensions than the JVM supports, 255.
+     * @throws IllegalArgumentException Thrown if the class name length is greater than 65,535.
+     * @see <a href="https://docs.oracle.com/javase/specs/jvms/se25/html/jvms-4.html#jvms-4.4.1">JVM: Array dimension limits in JVM Specification
+     *      CONSTANT_Class_info</a>
+     * @see <a href="https://docs.oracle.com/javase/specs/jls/se25/html/jls-6.html#jls-6.7">JLS: Fully Qualified Names and Canonical Names</a>
+     * @see <a href="https://docs.oracle.com/javase/specs/jls/se25/html/jls-13.html#jls-13.1">JLS: The Form of a Binary</a>
      */
-    private static String toCanonicalName(final String className) {
+    private static String toCleanName(final String className) {
         String canonicalName = StringUtils.deleteWhitespace(className);
         Objects.requireNonNull(canonicalName, "className");
+        if (canonicalName.isEmpty()) {
+            throw new IllegalArgumentException("Class name is empty");
+        }
+        final String encodedArrayOpen = "[";
+        final String encodedClassNameStart = "L";
+        final String encodedClassNameEnd = ";";
+        final boolean encodedName = canonicalName.startsWith(encodedArrayOpen) && canonicalName.endsWith(encodedClassNameEnd);
+        if (encodedName) {
+            final int arrIdx = canonicalName.indexOf(encodedClassNameStart);
+            if (arrIdx > MAX_JVM_ARRAY_DIMENSION) {
+                throw new IllegalArgumentException("Array dimension greater than JVM specification maximum of 255.");
+            }
+            if (arrIdx < 0) {
+                throw new IllegalArgumentException("Expected 'L' after '[' for an array style string.");
+            }
+            final int cnLen = canonicalName.length() - (arrIdx + 2); // account for the ending ';'
+            if (cnLen > MAX_CLASS_NAME_LENGTH) {
+                throw new IllegalArgumentException(String.format("Class name greater than maxium length %,d", MAX_CLASS_NAME_LENGTH));
+            }
+        }
         final String arrayMarker = "[]";
-        int arrayDim = 0;
+        final int arrIdx = canonicalName.indexOf(arrayMarker);
+        // The class name length without array markers.
+        final int cnLen = arrIdx > 0 ? arrIdx : canonicalName.length();
+        if (cnLen > MAX_CLASS_NAME_LENGTH && !encodedName) {
+            throw new IllegalArgumentException(String.format("Class name greater than maxium length %,d", MAX_CLASS_NAME_LENGTH));
+        }
         if (canonicalName.endsWith(arrayMarker)) {
-            final StringBuilder classNameBuffer = new StringBuilder();
-            while (canonicalName.endsWith(arrayMarker)) {
-                if (++arrayDim > MAX_JVM_ARRAY_DIMENSION) {
-                    throw new IllegalArgumentException("Array dimension greater than JVM specification maximum of 255.");
-                }
-                canonicalName = canonicalName.substring(0, canonicalName.length() - 2);
-                classNameBuffer.append("[");
+            final int dims =  (canonicalName.length() - arrIdx) / 2;
+            if (dims > MAX_JVM_ARRAY_DIMENSION) {
+                throw new IllegalArgumentException("Array dimension greater than JVM specification maximum of 255.");
             }
+            final StringBuilder classNameBuffer = new StringBuilder(StringUtils.repeat(encodedArrayOpen, dims));
+            canonicalName = canonicalName.substring(0, arrIdx);
             final String abbreviation = ABBREVIATION_MAP.get(canonicalName);
             if (abbreviation != null) {
                 classNameBuffer.append(abbreviation);
             } else {
-                classNameBuffer.append("L").append(canonicalName).append(";");
+                classNameBuffer.append(encodedClassNameStart).append(canonicalName).append(encodedClassNameEnd);
             }
             canonicalName = classNameBuffer.toString();
         }
diff --git a/src/test/java/org/apache/commons/lang3/ClassUtilsTest.java b/src/test/java/org/apache/commons/lang3/ClassUtilsTest.java
@@ -59,6 +59,8 @@
 @SuppressWarnings("boxing") // JUnit4 does not support primitive equality testing apart from long
 class ClassUtilsTest extends AbstractLangTest {
 
+    private static final int MAX_ARRAY_DIMENSIONS = 255;
+
     private static class CX implements IB, IA, IE {
         // empty
     }
@@ -1229,6 +1231,7 @@ void testGetClassByNormalNameArrays() throws ClassNotFoundException {
         assertEquals(java.util.Map.Entry[].class, ClassUtils.getClass("java.util.Map$Entry[]"));
         assertEquals(java.util.Map.Entry[].class, ClassUtils.getClass("[Ljava.util.Map.Entry;"));
         assertEquals(java.util.Map.Entry[].class, ClassUtils.getClass("[Ljava.util.Map$Entry;"));
+        assertEquals(java.util.Map.Entry[][].class, ClassUtils.getClass("[[Ljava.util.Map$Entry;"));
     }
 
     @Test
@@ -1282,6 +1285,26 @@ void testGetClassInvalidArguments() throws Exception {
         assertGetClassThrowsClassNotFound("hello..world");
     }
 
+    @ParameterizedTest
+    @IntRangeSource(from = 65536, to = 65555)
+    void testGetClassLengthIllegal(final int classNameLength) throws ClassNotFoundException {
+        assertThrows(IllegalArgumentException.class, () -> ClassUtils.getClass(StringUtils.repeat("a", classNameLength)));
+        assertThrows(IllegalArgumentException.class, () -> assertEquals(classNameLength, ClassUtils.getClass(StringUtils.repeat("a.", classNameLength / 2))));
+    }
+
+    @Test
+    void testGetClassLongestCheck() throws ClassNotFoundException {
+        final String maxClassName = StringUtils.repeat("a", 65535);
+        final String maxDimensions = StringUtils.repeat("[]", MAX_ARRAY_DIMENSIONS);
+        final String maxOpens = StringUtils.repeat("[", MAX_ARRAY_DIMENSIONS);
+        assertThrows(ClassNotFoundException.class, () -> ClassUtils.getClass(maxClassName));
+        assertNotNull(ClassUtils.getClass("java.lang.String" + maxDimensions));
+        assertThrows(ClassNotFoundException.class, () -> ClassUtils.getClass(maxClassName + maxDimensions));
+        assertThrows(ClassNotFoundException.class, () -> ClassUtils.getClass(maxOpens + "L" + maxClassName + ";"));
+        // maxOpens + 1
+        assertThrows(IllegalArgumentException.class, () -> ClassUtils.getClass(maxOpens + "[L" + maxClassName + ";"));
+    }
+
     @Test
     void testGetClassRawPrimitives() throws ClassNotFoundException {
         assertEquals(int.class, ClassUtils.getClass("int"));
