Add RegexPatternValidator.

PiperOrigin-RevId: 895515443

Author: jnthntatum

common/ast/BUILD

@@ -98,10 +98,13 @@ cc_library(
     deps = [
         "//common:constant",
         "//common:expr",
+        "@com_google_absl//absl/base:core_headers",
         "@com_google_absl//absl/base:no_destructor",
         "@com_google_absl//absl/base:nullability",
         "@com_google_absl//absl/container:flat_hash_map",
         "@com_google_absl//absl/functional:overload",
+        "@com_google_absl//absl/log:absl_check",
+        "@com_google_absl//absl/strings",
         "@com_google_absl//absl/types:optional",
         "@com_google_absl//absl/types:variant",
     ],

common/ast/metadata.cc

@@ -14,11 +14,18 @@
 
 #include "common/ast/metadata.h"
 
+#include <cstddef>
 #include <memory>
+#include <string>
+#include <utility>
+#include <variant>
 #include <vector>
 
 #include "absl/base/no_destructor.h"
+#include "absl/base/nullability.h"
 #include "absl/functional/overload.h"
+#include "absl/log/absl_check.h"
+#include "absl/strings/str_cat.h"
 #include "absl/types/variant.h"
 
 namespace cel {
@@ -30,6 +37,96 @@ const TypeSpec& DefaultTypeSpec() {
   return *type;
 }
 
+std::string FormatPrimitive(PrimitiveType t) {
+  switch (t) {
+    case PrimitiveType::kBool:
+      return "bool";
+    case PrimitiveType::kInt64:
+      return "int";
+    case PrimitiveType::kUint64:
+      return "uint";
+    case PrimitiveType::kDouble:
+      return "double";
+    case PrimitiveType::kString:
+      return "string";
+    case PrimitiveType::kBytes:
+      return "bytes";
+    default:
+      return "*unspecified primitive*";
+  }
+}
+
+std::string FormatWellKnown(WellKnownTypeSpec t) {
+  switch (t) {
+    case WellKnownTypeSpec::kAny:
+      return "google.protobuf.Any";
+    case WellKnownTypeSpec::kDuration:
+      return "google.protobuf.Duration";
+    case WellKnownTypeSpec::kTimestamp:
+      return "google.protobuf.Timestamp";
+    default:
+      return "*unspecified well known*";
+  }
+}
+
+using FormatIns = std::variant<const TypeSpec* absl_nonnull, std::string>;
+using FormatStack = std::vector<FormatIns>;
+
+void HandleFormatTypeSpec(const TypeSpec& t, FormatStack& stack,
+                          std::string* out) {
+  if (t.has_dyn()) {
+    absl::StrAppend(out, "dyn");
+  } else if (t.has_null()) {
+    absl::StrAppend(out, "null");
+  } else if (t.has_primitive()) {
+    absl::StrAppend(out, FormatPrimitive(t.primitive()));
+  } else if (t.has_wrapper()) {
+    absl::StrAppend(out, "wrapper(", FormatPrimitive(t.wrapper()), ")");
+  } else if (t.has_well_known()) {
+    absl::StrAppend(out, FormatWellKnown(t.well_known()));
+    return;
+  } else if (t.has_abstract_type()) {
+    const auto& abs_type = t.abstract_type();
+    if (abs_type.parameter_types().empty()) {
+      absl::StrAppend(out, abs_type.name());
+      return;
+    }
+    absl::StrAppend(out, abs_type.name(), "(");
+    stack.push_back(")");
+    for (size_t i = abs_type.parameter_types().size(); i > 0; --i) {
+      stack.push_back(&abs_type.parameter_types()[i - 1]);
+      if (i > 1) {
+        stack.push_back(", ");
+      }
+    }
+
+  } else if (t.has_type()) {
+    if (t.type() == TypeSpec()) {
+      absl::StrAppend(out, "type");
+      return;
+    }
+    absl::StrAppend(out, "type(");
+    stack.push_back(")");
+    stack.push_back(&t.type());
+  } else if (t.has_message_type()) {
+    absl::StrAppend(out, t.message_type().type());
+  } else if (t.has_type_param()) {
+    absl::StrAppend(out, t.type_param().type());
+  } else if (t.has_list_type()) {
+    absl::StrAppend(out, "list(");
+    stack.push_back(")");
+    stack.push_back(&t.list_type().elem_type());
+  } else if (t.has_map_type()) {
+    absl::StrAppend(out, "map(");
+    stack.push_back(")");
+    stack.push_back(&t.map_type().value_type());
+    stack.push_back(", ");
+    stack.push_back(&t.map_type().key_type());
+  } else {
+    absl::StrAppend(out, "*error*");
+  }
+}
+
 TypeSpecKind CopyImpl(const TypeSpecKind& other) {
   return absl::visit(
       absl::Overload(
@@ -142,4 +239,24 @@ FunctionTypeSpec& FunctionTypeSpec::operator=(const FunctionTypeSpec& other) {
   return *this;
 }
 
+std::string FormatTypeSpec(const TypeSpec& t) {
+  // Use a stack to avoid recursion.
+  // Probably overly defensive, but fuzzers will often notice the recursion
+  // and try to trigger it.
+  std::string out;
+  FormatStack seq;
+  seq.push_back(&t);
+  while (!seq.empty()) {
+    FormatIns ins = std::move(seq.back());
+    seq.pop_back();
+    if (std::holds_alternative<std::string>(ins)) {
+      absl::StrAppend(&out, std::get<std::string>(ins));
+      continue;
+    }
+    ABSL_DCHECK(std::holds_alternative<const TypeSpec*>(ins));
+    HandleFormatTypeSpec(*std::get<const TypeSpec*>(ins), seq, &out);
+  }
+  return out;
+}
+
 }  // namespace cel

common/ast/metadata.h

@@ -740,6 +740,9 @@ class TypeSpec {
   TypeSpecKind type_kind_;
 };
 
+// Returns a string representation of the given TypeSpec.
+std::string FormatTypeSpec(const TypeSpec& t);
+
 // Describes a resolved reference to a declaration.
 class Reference {
  public:

compiler/BUILD

@@ -27,6 +27,7 @@ cc_library(
         "//checker:validation_result",
         "//parser:options",
         "//parser:parser_interface",
+        "//validator",
         "@com_google_absl//absl/status",
         "@com_google_absl//absl/status:statusor",
         "@com_google_absl//absl/strings:string_view",
@@ -48,6 +49,7 @@ cc_library(
         "//internal:status_macros",
         "//parser",
         "//parser:parser_interface",
+        "//validator",
         "@com_google_absl//absl/base:nullability",
         "@com_google_absl//absl/container:flat_hash_set",
         "@com_google_absl//absl/status",
@@ -78,6 +80,7 @@ cc_test(
         "//parser:macro",
         "//parser:parser_interface",
         "//testutil:baseline_tests",
+        "//validator:timestamp_literal_validator",
         "@com_google_absl//absl/status",
         "@com_google_absl//absl/status:status_matchers",
         "@com_google_absl//absl/strings",

compiler/compiler.h

@@ -28,6 +28,7 @@
 #include "checker/validation_result.h"
 #include "parser/options.h"
 #include "parser/parser_interface.h"
+#include "validator/validator.h"
 
 namespace cel {
 
@@ -109,6 +110,7 @@ class CompilerBuilder {
 
   virtual TypeCheckerBuilder& GetCheckerBuilder() = 0;
   virtual ParserBuilder& GetParserBuilder() = 0;
+  virtual Validator& GetValidator() = 0;
 
   virtual absl::StatusOr<std::unique_ptr<Compiler>> Build() = 0;
 };
@@ -135,6 +137,9 @@ class Compiler {
 
   // Accessor for the underlying parser.
   virtual const Parser& GetParser() const = 0;
+
+  // Accessor for the underlying validator.
+  virtual const Validator& GetValidator() const = 0;
 };
 
 }  // namespace cel

compiler/compiler_factory.cc

@@ -32,6 +32,7 @@
 #include "internal/status_macros.h"
 #include "parser/parser.h"
 #include "parser/parser_interface.h"
+#include "validator/validator.h"
 #include "google/protobuf/descriptor.h"
 
 namespace cel {
@@ -41,8 +42,12 @@ namespace {
 class CompilerImpl : public Compiler {
  public:
   CompilerImpl(std::unique_ptr<TypeChecker> type_checker,
-               std::unique_ptr<Parser> parser)
-      : type_checker_(std::move(type_checker)), parser_(std::move(parser)) {}
+               std::unique_ptr<Parser> parser,
+               // Copy the validator in case builder is reused.
+               Validator validator)
+      : type_checker_(std::move(type_checker)),
+        parser_(std::move(parser)),
+        validator_(std::move(validator)) {}
 
   absl::StatusOr<ValidationResult> Compile(
       absl::string_view expression,
@@ -54,15 +59,20 @@ class CompilerImpl : public Compiler {
                          type_checker_->Check(std::move(ast)));
 
     result.SetSource(std::move(source));
+    if (!validator_.validations().empty()) {
+      validator_.UpdateValidationResult(result);
+    }
     return result;
   }
 
   const TypeChecker& GetTypeChecker() const override { return *type_checker_; }
   const Parser& GetParser() const override { return *parser_; }
+  const Validator& GetValidator() const override { return validator_; }
 
  private:
   std::unique_ptr<TypeChecker> type_checker_;
   std::unique_ptr<Parser> parser_;
+  Validator validator_;
 };
 
 class CompilerBuilderImpl : public CompilerBuilder {
@@ -126,17 +136,19 @@ class CompilerBuilderImpl : public CompilerBuilder {
   TypeCheckerBuilder& GetCheckerBuilder() override {
     return *type_checker_builder_;
   }
+  Validator& GetValidator() override { return validator_; }
 
   absl::StatusOr<std::unique_ptr<Compiler>> Build() override {
     CEL_ASSIGN_OR_RETURN(auto parser, parser_builder_->Build());
     CEL_ASSIGN_OR_RETURN(auto type_checker, type_checker_builder_->Build());
     return std::make_unique<CompilerImpl>(std::move(type_checker),
-                                          std::move(parser));
+                                          std::move(parser), validator_);
   }
 
  private:
   std::unique_ptr<TypeCheckerBuilder> type_checker_builder_;
   std::unique_ptr<ParserBuilder> parser_builder_;
+  Validator validator_;
 
   absl::flat_hash_set<std::string> library_ids_;
   absl::flat_hash_set<std::string> subsets_;

compiler/compiler_factory_test.cc

@@ -35,6 +35,7 @@
 #include "parser/macro.h"
 #include "parser/parser_interface.h"
 #include "testutil/baseline_tests.h"
+#include "validator/timestamp_literal_validator.h"
 #include "google/protobuf/descriptor.h"
 
 namespace cel {
@@ -287,6 +288,23 @@ TEST(CompilerFactoryTest, DisableStandardMacrosWithStdlib) {
   EXPECT_TRUE(result.IsValid());
 }
 
+TEST(CompilerFactoryTest, AddValidator) {
+  ASSERT_OK_AND_ASSIGN(
+      auto builder,
+      NewCompilerBuilder(cel::internal::GetSharedTestingDescriptorPool()));
+
+  ASSERT_THAT(builder->AddLibrary(StandardCompilerLibrary()), IsOk());
+  builder->GetValidator().AddValidation(TimestampLiteralValidator());
+
+  ASSERT_OK_AND_ASSIGN(auto compiler, builder->Build());
+  ASSERT_OK_AND_ASSIGN(ValidationResult result,
+                       compiler->Compile("timestamp('invalid')"));
+  EXPECT_FALSE(result.IsValid());
+  ASSERT_OK_AND_ASSIGN(result,
+                       compiler->Compile("timestamp('2024-01-01T00:00:00Z')"));
+  EXPECT_TRUE(result.IsValid());
+}
+
 TEST(CompilerFactoryTest, FailsIfLibraryAddedTwice) {
   ASSERT_OK_AND_ASSIGN(
       auto builder,

extensions/BUILD

@@ -774,6 +774,8 @@ cc_library(
         "//runtime:runtime_builder",
         "//runtime/internal:runtime_friend_access",
         "//runtime/internal:runtime_impl",
+        "//validator",
+        "//validator:regex_validator",
         "@com_google_absl//absl/base:no_destructor",
         "@com_google_absl//absl/base:nullability",
         "@com_google_absl//absl/functional:bind_front",
@@ -814,6 +816,7 @@ cc_test(
         "//runtime:reference_resolver",
         "//runtime:runtime_options",
         "//runtime:standard_runtime_builder_factory",
+        "//validator",
         "@com_google_absl//absl/status",
         "@com_google_absl//absl/status:status_matchers",
         "@com_google_absl//absl/status:statusor",

extensions/regex_ext.cc

@@ -42,6 +42,8 @@
 #include "runtime/internal/runtime_friend_access.h"
 #include "runtime/internal/runtime_impl.h"
 #include "runtime/runtime_builder.h"
+#include "validator/regex_validator.h"
+#include "validator/validator.h"
 #include "google/protobuf/arena.h"
 #include "google/protobuf/descriptor.h"
 #include "google/protobuf/message.h"
@@ -341,4 +343,10 @@ CompilerLibrary RegexExtCompilerLibrary() {
   return CompilerLibrary::FromCheckerLibrary(RegexExtCheckerLibrary());
 }
 
+Validation RegexExtValidator() {
+  return RegexPatternValidator(
+      /*id=*/"",
+      {{"regex.extract", 1}, {"regex.extractAll", 1}, {"regex.replace", 1}});
+}
+
 }  // namespace cel::extensions

extensions/regex_ext.h

@@ -81,6 +81,7 @@
 #include "eval/public/cel_function_registry.h"
 #include "eval/public/cel_options.h"
 #include "runtime/runtime_builder.h"
+#include "validator/validator.h"
 
 namespace cel::extensions {
 
@@ -119,5 +120,12 @@ CheckerLibrary RegexExtCheckerLibrary();
 // regex.extractAll(target: str, pattern: str) -> list<str>
 CompilerLibrary RegexExtCompilerLibrary();
 
+// Returns a `Validation` that checks all calls to the CEL regex extension
+// functions.
+//
+// It validates that if the pattern is a literal string, it is a valid regular
+// expression.
+Validation RegexExtValidator();
+
 }  // namespace cel::extensions
 #endif  // THIRD_PARTY_CEL_CPP_EXTENSIONS_REGEX_EXT_H_