Add comprehension nesting limit validator.

PiperOrigin-RevId: 899255266

Author: jnthntatum

validator/BUILD

@@ -182,4 +182,33 @@ cc_test(
     ],
 )
 
+cc_library(
+    name = "comprehension_nesting_validator",
+    srcs = ["comprehension_nesting_validator.cc"],
+    hdrs = ["comprehension_nesting_validator.h"],
+    deps = [
+        ":validator",
+        "//common:expr",
+        "//common:navigable_ast",
+        "@com_google_absl//absl/log:absl_check",
+        "@com_google_absl//absl/strings",
+    ],
+)
+
+cc_test(
+    name = "comprehension_nesting_validator_test",
+    srcs = ["comprehension_nesting_validator_test.cc"],
+    deps = [
+        ":comprehension_nesting_validator",
+        ":validator",
+        "//compiler",
+        "//compiler:compiler_factory",
+        "//compiler:standard_library",
+        "//extensions:bindings_ext",
+        "//internal:testing",
+        "//internal:testing_descriptor_pool",
+        "@com_google_absl//absl/status:statusor",
+    ],
+)
+
 licenses(["notice"])

validator/comprehension_nesting_validator.cc

@@ -0,0 +1,72 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "validator/comprehension_nesting_validator.h"
+
+#include "absl/log/absl_check.h"
+#include "absl/strings/str_cat.h"
+#include "common/expr.h"
+#include "common/navigable_ast.h"
+#include "validator/validator.h"
+
+namespace cel {
+
+namespace {
+
+bool IsEmptyRangeComprehension(const NavigableAstNode& node) {
+  ABSL_DCHECK(node.expr()->has_comprehension_expr());
+  const auto& comp = node.expr()->comprehension_expr();
+  return comp.has_iter_range() && comp.iter_range().has_list_expr() &&
+         comp.iter_range().list_expr().elements().empty();
+}
+
+}  // namespace
+
+Validation ComprehensionNestingLimitValidator(int limit) {
+  return Validation(
+      [limit](ValidationContext& context) -> bool {
+        bool is_valid = true;
+        for (const auto& node :
+             context.navigable_ast().Root().DescendantsPostorder()) {
+          if (node.node_kind() != NodeKind::kComprehension) {
+            continue;
+          }
+          if (IsEmptyRangeComprehension(node)) {
+            continue;
+          }
+
+          int count = 0;
+          const NavigableAstNode* current = &node;
+          while (current != nullptr) {
+            if (current->node_kind() == NodeKind::kComprehension &&
+                !IsEmptyRangeComprehension(*current)) {
+              count++;
+            }
+            current = current->parent();
+          }
+          if (count > limit) {
+            context.ReportErrorAt(
+                node.expr()->id(),
+                absl::StrCat("comprehension nesting level of ", count,
+                             " exceeds limit of ", limit));
+            is_valid = false;
+            break;
+          }
+        }
+        return is_valid;
+      },
+      "cel.validator.comprehension_nesting_limit");
+}
+
+}  // namespace cel

validator/comprehension_nesting_validator.h

@@ -0,0 +1,31 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef THIRD_PARTY_CEL_CPP_VALIDATOR_COMPREHENSION_NESTING_VALIDATOR_H_
+#define THIRD_PARTY_CEL_CPP_VALIDATOR_COMPREHENSION_NESTING_VALIDATOR_H_
+
+#include "validator/validator.h"
+
+namespace cel {
+
+// Returns a `Validation` that checks that comprehensions are not nested beyond
+// the specified limit.
+//
+// Comprehensions with an empty iteration range (e.g. `cel.bind`) do not count
+// towards the nesting limit.
+Validation ComprehensionNestingLimitValidator(int limit);
+
+}  // namespace cel
+
+#endif  // THIRD_PARTY_CEL_CPP_VALIDATOR_COMPREHENSION_NESTING_VALIDATOR_H_

validator/comprehension_nesting_validator_test.cc

@@ -0,0 +1,96 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include "validator/comprehension_nesting_validator.h"
+
+#include <memory>
+#include <string>
+#include <utility>
+
+#include "absl/status/statusor.h"
+#include "compiler/compiler.h"
+#include "compiler/compiler_factory.h"
+#include "compiler/standard_library.h"
+#include "extensions/bindings_ext.h"
+#include "internal/testing.h"
+#include "internal/testing_descriptor_pool.h"
+#include "validator/validator.h"
+
+namespace cel {
+namespace {
+
+using ::testing::HasSubstr;
+
+absl::StatusOr<std::unique_ptr<Compiler>> StdLibCompiler() {
+  CEL_ASSIGN_OR_RETURN(
+      auto builder,
+      NewCompilerBuilder(internal::GetSharedTestingDescriptorPool()));
+  CEL_RETURN_IF_ERROR(builder->AddLibrary(StandardCompilerLibrary()));
+  CEL_RETURN_IF_ERROR(
+      builder->AddLibrary(cel::extensions::BindingsCompilerLibrary()));
+  return builder->Build();
+}
+
+struct TestCase {
+  std::string expression;
+  int limit;
+  bool valid;
+  std::string error_substr = "";
+};
+
+using ComprehensionNestingValidatorTest = testing::TestWithParam<TestCase>;
+
+TEST_P(ComprehensionNestingValidatorTest, Validate) {
+  const auto& test_case = GetParam();
+  Validator validator;
+  validator.AddValidation(ComprehensionNestingLimitValidator(test_case.limit));
+
+  ASSERT_OK_AND_ASSIGN(auto compiler, StdLibCompiler());
+  auto result_or = compiler->Compile(test_case.expression);
+  if (!result_or.ok()) {
+    GTEST_SKIP() << "Expression failed to compile: " << test_case.expression
+                 << " " << result_or.status().message();
+  }
+  auto result = std::move(result_or).value();
+
+  validator.UpdateValidationResult(result);
+
+  EXPECT_EQ(result.IsValid(), test_case.valid)
+      << "Expression: " << test_case.expression
+      << " Limit: " << test_case.limit;
+  if (!test_case.valid) {
+    EXPECT_THAT(result.FormatError(), HasSubstr(test_case.error_substr));
+  }
+}
+
+INSTANTIATE_TEST_SUITE_P(
+    ComprehensionNestingValidatorTest, ComprehensionNestingValidatorTest,
+    testing::Values(
+        TestCase{"[1, 2].all(x, x > 0)", 1, true},
+        TestCase{"[1, 2].all(x, [1, 2].all(y, x > y))", 1, false,
+                 "comprehension nesting level of 2 exceeds limit of 1"},
+        TestCase{"[1, 2].all(x, [1, 2].all(y, x > y))", 2, true},
+        // Empty range comprehension (does not count)
+        TestCase{"[].all(x, [1, 2].all(y, y > 0))", 1, true},
+        TestCase{"cel.bind(x, [1, 2].all(y, y > 0), [1, 2].all(z, z > 0))", 1,
+                 true},
+        // Nested empty range comprehensions
+        TestCase{"[].all(x, [].all(y, true))", 0, true},
+        // Deeply nested mixed
+        TestCase{"[1].all(x, [].all(y, [2].all(z, true)))", 1, false,
+                 "comprehension nesting level of 2 exceeds limit of 1"},
+        TestCase{"[1].all(x, [].all(y, [2].all(z, true)))", 2, true}));
+
+}  // namespace
+}  // namespace cel