fix(evaluators): budget R8 -- reject NaN/Inf limit_usd in config validation

amabito · amabito · commit 96e59ba8bce3 · 2026-03-21T10:01:14.000+09:00
R8 finding: float("nan") passed the `v &lt;= 0` validator (IEEE 754:
nan &lt;= 0 is False). NaN limit_usd silently disabled budget enforcement
because all NaN comparisons return False.

Fix: added math.isfinite(v) guard to validate_limit_usd.
Tests: NaN and Inf limit_usd rejection.

61 budget tests, 291 total evaluator tests passing.
diff --git a/evaluators/builtin/src/agent_control_evaluators/budget/config.py b/evaluators/builtin/src/agent_control_evaluators/budget/config.py
@@ -2,6 +2,7 @@
 
 from __future__ import annotations
 
+import math
 from typing import Any, Literal
 
 from pydantic import Field, field_validator, model_validator
@@ -43,8 +44,8 @@ def at_least_one_limit(self) -> "BudgetLimitRule":
     @field_validator("limit_usd")
     @classmethod
     def validate_limit_usd(cls, v: float | None) -> float | None:
-        if v is not None and v <= 0:
-            raise ValueError("limit_usd must be positive")
+        if v is not None and (not math.isfinite(v) or v <= 0):
+            raise ValueError("limit_usd must be a finite positive number")
         return v
 
     @field_validator("limit_tokens")
diff --git a/evaluators/builtin/tests/budget/test_budget.py b/evaluators/builtin/tests/budget/test_budget.py
@@ -220,6 +220,22 @@ def test_negative_limit_rejected(self) -> None:
         with pytest.raises(ValidationError, match="positive"):
             BudgetLimitRule(limit_usd=-1.0)
 
+    def test_nan_limit_usd_rejected(self) -> None:
+        """float('nan') passes v <= 0 check but must still be rejected.
+
+        IEEE 754: nan <= 0 is False, so without an explicit isfinite guard,
+        nan silently passes validation. A nan limit_usd causes utilization=nan
+        and exceeded=False always (all nan comparisons are False), permanently
+        disabling the budget limit -- a silent security bypass.
+        """
+        with pytest.raises(ValidationError, match="finite"):
+            BudgetLimitRule(limit_usd=float("nan"))
+
+    def test_inf_limit_usd_rejected(self) -> None:
+        """float('inf') limit is accepted by v <= 0 but means limit never triggers."""
+        with pytest.raises(ValidationError, match="finite"):
+            BudgetLimitRule(limit_usd=float("inf"))
+
     def test_token_only_limit(self) -> None:
         rule = BudgetLimitRule(limit_tokens=1000)
         assert rule.limit_usd is None
