From 004f54af8f014c3e8a65db1b4459cfa70502e3ce Mon Sep 17 00:00:00 2001
From: Protobuf Team Bot
Date: Mon, 24 Jul 2023 04:18:56 -0700
Subject: [PATCH] Consider the protobuf.Any invalid if typeUrl.split("/") returns an empty array.
Currently this corner case (discovered by fuzzing) is not considered. The code throws `ArrayIndexOutOfBoundsException` which can escape `protobuf.toString()` method.
PiperOrigin-RevId: 550514062
---
 .../main/java/com/google/protobuf/TypeRegistry.java | 2 +-
 .../java/com/google/protobuf/TypeRegistryTest.java | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/java/core/src/main/java/com/google/protobuf/TypeRegistry.java b/java/core/src/main/java/com/google/protobuf/TypeRegistry.java
index 3a9461f152a6..abf5e3baa2d4 100644
--- a/java/core/src/main/java/com/google/protobuf/TypeRegistry.java
+++ b/java/core/src/main/java/com/google/protobuf/TypeRegistry.java
@@ -82,7 +82,7 @@ public final Descriptor getDescriptorForTypeUrl(String typeUrl)
 private static String getTypeName(String typeUrl) throws InvalidProtocolBufferException {
 String[] parts = typeUrl.split("/");
- if (parts.length == 1) {
+ if (parts.length <= 1) {
 throw new InvalidProtocolBufferException("Invalid type url found: " + typeUrl);
 }
 return parts[parts.length - 1];
diff --git a/java/core/src/test/java/com/google/protobuf/TypeRegistryTest.java b/java/core/src/test/java/com/google/protobuf/TypeRegistryTest.java
index 29ecf9280af4..6015cf2a6e6f 100644
--- a/java/core/src/test/java/com/google/protobuf/TypeRegistryTest.java
+++ b/java/core/src/test/java/com/google/protobuf/TypeRegistryTest.java
@@ -31,6 +31,7 @@
 package com.google.protobuf;
 import static com.google.common.truth.Truth.assertThat;
+import static org.junit.Assert.assertThrows;
 import com.google.protobuf.Descriptors.Descriptor;
 import protobuf_unittest.UnittestProto;
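Review bot: In `getTypeName` (TypeRegistry.java) the widened guard `parts.length <= 1` is right, but nothing next to it says why the array can be empty: `String.split` discards trailing empty strings, so a type URL made only of slashes produces a zero-length array. A one-line comment above the check, such as `// split("/") drops trailing empty strings, so "/" or "///" yields an empty array`, would keep a later cleanup from narrowing the test back to `== 1`. The same rule means an input like `a/b/` still returns `b` instead of being rejected, which may be looser than intended for type URLs taken from untrusted messages. The method's closing brace lies outside the hunk.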
@@ -41,6 +42,16 @@
 @RunWith(JUnit4.class)
 public final class TypeRegistryTest {
+ @Test
+ public void getDescriptorForTypeUrl_throwsExceptionForUnknownTypes() throws Exception {
+ assertThrows(
+ InvalidProtocolBufferException.class,
+ () -> TypeRegistry.getEmptyTypeRegistry().getDescriptorForTypeUrl("UnknownType"));
+ assertThrows(
+ InvalidProtocolBufferException.class,
+ () -> TypeRegistry.getEmptyTypeRegistry().getDescriptorForTypeUrl("///"));
+ }
+
 @Test
 public void findDescriptorByFullName() throws Exception {
 Descriptor descriptor = UnittestProto.TestAllTypes.getDescriptor();
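Review bot: The new test is named `getDescriptorForTypeUrl_throwsExceptionForUnknownTypes`, but both inputs are malformed type URLs rather than well-formed URLs for unregistered types, so a name like `getDescriptorForTypeUrl_throwsExceptionForInvalidTypeUrls` would describe it better. The boundary inputs `""` and `"/"` are not covered; since the original failure was found by fuzzing, adding them would pin both sides of the `<= 1` guard, e.g. `assertThrows(InvalidProtocolBufferException.class, () -> TypeRegistry.getEmptyTypeRegistry().getDescriptorForTypeUrl("/"));`. The commit message mentions the exception escaping a `toString()` path, and no test in this hunk exercises that path. The trailing context method `findDescriptorByFullName` continues outside the hunk.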