Skip to content

[#712] Fix StringIndexOutOfBoundsException on blank bind rule in ACI#715

Open
vharseko wants to merge 1 commit into
OpenIdentityPlatform:masterfrom
vharseko:features/aci-blank-bindrule
Open

[#712] Fix StringIndexOutOfBoundsException on blank bind rule in ACI#715
vharseko wants to merge 1 commit into
OpenIdentityPlatform:masterfrom
vharseko:features/aci-blank-bindrule

Conversation

@vharseko

@vharseko vharseko commented Jul 6, 2026

Copy link
Copy Markdown
Member

Fixes #712.

Bug

An ACI containing a blank bind rule (only whitespace between the parentheses) crashes Aci.decode with an uncaught java.lang.StringIndexOutOfBoundsException instead of being rejected with an AciException. Reproducer from the issue:

String input = "(version 3.0; acl \"C\"; allow (search)(          ) (userdn=\"ldap:///self\"); )";
Aci.decode(ByteString.valueOfUtf8(input), DN.rootDN());
// java.lang.StringIndexOutOfBoundsException at BindRule.decode(BindRule.java:154)

Root cause

BindRule.decode guards the empty input before trimming:

if (input == null || input.length() == 0) { return null; }
String bindruleStr = input.trim();
char firstChar = bindruleStr.charAt(0);   // crashes here

Decoding ( ) recurses into BindRule.decode(" ") (the parentheses stripped). The whitespace string has length 10, so it passes the length() == 0 guard; input.trim() then yields "", and charAt(0) on the empty string throws an unchecked StringIndexOutOfBoundsException. Being a RuntimeException, it escapes the aci-value validation paths instead of producing a clean decode error.

Fix

Trim first, then treat a blank (all-whitespace) bind rule as empty and return null — matching the original author's intent for empty input. The outer decode then rejects the malformed ACI with AciException(WARN_ACI_SYNTAX_INVALID_BIND_RULE_SYNTAX).

This is the same class of defect as #666 (StackOverflowError on repetitive targets) and #676 (ArrayIndexOutOfBoundsException on truncated percent-encoding): a malformed ACI must yield AciException, never an unchecked runtime exception. Consistent with #676, the defect is fixed at the parsing source rather than swallowed by a broad catch.

Tests

  • New AciBodyTest.decodeBlankBindRuleThrowsAciException — the exact reproducer from the issue expects AciException.
  • AciBodyTest passes locally (mvn -pl opendj-server-legacy test -Dtest=AciBodyTest): 8 tests, 0 failures.

…nk bind rule in ACI

BindRule.decode checked the input length before trimming, so an all-whitespace
bind rule such as "(          )" passed the empty-input guard and then crashed
on charAt(0) of the trimmed-empty string with an unchecked
StringIndexOutOfBoundsException instead of a clean AciException.

Trim first, then treat a blank bind rule as empty (return null) so the
malformed ACI is rejected with AciException. New AciBodyTest reproducer from
the issue asserts the blank bind rule is rejected with AciException.
@vharseko vharseko requested a review from maximthomas July 6, 2026 11:02
@vharseko vharseko added bug ACI Access Control Instructions subsystem labels Jul 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ACI Access Control Instructions subsystem bug

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Missing validation for blank bind rule in ACI

2 participants