Consider the protobuf.Any invalid if typeUrl.split("/") returns an em…

…pty array. Currently this corner case (discovered by fuzzing) is not considered. The code throws `ArrayIndexOutOfBoundsException` which can escape `protobuf.toString()` method. PiperOrigin-RevId: 550514062
protocolbuffers · Jul 24, 2023 · 004f54a · 004f54a
1 parent 4f6fc33
commit 004f54a
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/java/core/src/main/java/com/google/protobuf/TypeRegistry.java b/java/core/src/main/java/com/google/protobuf/TypeRegistry.java
@@ -82,7 +82,7 @@ public final Descriptor getDescriptorForTypeUrl(String typeUrl)
 
   private static String getTypeName(String typeUrl) throws InvalidProtocolBufferException {
     String[] parts = typeUrl.split("/");
-    if (parts.length == 1) {
+    if (parts.length <= 1) {
       throw new InvalidProtocolBufferException("Invalid type url found: " + typeUrl);
     }
     return parts[parts.length - 1];

diff --git a/java/core/src/test/java/com/google/protobuf/TypeRegistryTest.java b/java/core/src/test/java/com/google/protobuf/TypeRegistryTest.java
@@ -31,6 +31,7 @@
 package com.google.protobuf;
 
 import static com.google.common.truth.Truth.assertThat;
+import static org.junit.Assert.assertThrows;
 
 import com.google.protobuf.Descriptors.Descriptor;
 import protobuf_unittest.UnittestProto;
@@ -41,6 +42,16 @@
 @RunWith(JUnit4.class)
 public final class TypeRegistryTest {
 
+  @Test
+  public void getDescriptorForTypeUrl_throwsExceptionForUnknownTypes() throws Exception {
+    assertThrows(
+        InvalidProtocolBufferException.class,
+        () -> TypeRegistry.getEmptyTypeRegistry().getDescriptorForTypeUrl("UnknownType"));
+    assertThrows(
+        InvalidProtocolBufferException.class,
+        () -> TypeRegistry.getEmptyTypeRegistry().getDescriptorForTypeUrl("///"));
+  }
+
   @Test
   public void findDescriptorByFullName() throws Exception {
     Descriptor descriptor = UnittestProto.TestAllTypes.getDescriptor();