Reject invalid unicode literals in the parser

l46kok · copybara-github · commit 7b6b934483a4 · 2026-04-02T11:56:40.000-07:00
PiperOrigin-RevId: 893620376
diff --git a/common/src/main/java/dev/cel/common/internal/Constants.java b/common/src/main/java/dev/cel/common/internal/Constants.java
@@ -207,6 +207,9 @@ private static <T> void decodeString(
             continue;
           }
           skipNewline = false;
+          if (codePoint >= MIN_SURROGATE && codePoint <= MAX_SURROGATE) {
+            throw new ParseException("Invalid unicode code point", seqOffset);
+          }
           buffer.appendCodePoint(codePoint);
         } else {
           // Normalize '\r' and '\r\n' to '\n'.
@@ -231,6 +234,9 @@ private static <T> void decodeString(
           // For raw literals, all escapes are valid and those characters come through literally in
           // the string.
           buffer.appendCodePoint('\\');
+          if (codePoint >= MIN_SURROGATE && codePoint <= MAX_SURROGATE) {
+            throw new ParseException("Invalid unicode code point", seqOffset);
+          }
           buffer.appendCodePoint(codePoint);
           continue;
         }
diff --git a/parser/src/test/java/dev/cel/parser/CelParserParameterizedTest.java b/parser/src/test/java/dev/cel/parser/CelParserParameterizedTest.java
@@ -247,7 +247,12 @@ public void parser_errors() {
     runTest(PARSER, "1.exists(2, 3)");
     runTest(PARSER, "1 + +");
     runTest(PARSER, "\"\\xFh\"");
+    runTest(PARSER, "\"\\uD800\"");
+    runTest(PARSER, "\"\\uDFFF\"");
+    runTest(PARSER, "\"\\U0000D800\"");
+    runTest(PARSER, "\"\\U0000DFFF\"");
     runTest(PARSER, "\"\\a\\b\\f\\n\\r\\t\\v\\'\\\"\\\\\\? Illegal escape \\>\"");
+
     runTest(PARSER, "as");
     runTest(PARSER, "break");
     runTest(PARSER, "const");
diff --git a/parser/src/test/resources/parser_errors.baseline b/parser/src/test/resources/parser_errors.baseline
@@ -73,6 +73,30 @@ ERROR: <input>:1:7: mismatched input '<EOF>' expecting {'[', '{', '(', '.', '-',
  | "\xFh"
  | ......^
 
+I: "\uD800"
+=====>
+E: ERROR: <input>:1:1: Invalid unicode code point
+ | "\uD800"
+ | ^
+
+I: "\uDFFF"
+=====>
+E: ERROR: <input>:1:1: Invalid unicode code point
+ | "\uDFFF"
+ | ^
+
+I: "\U0000D800"
+=====>
+E: ERROR: <input>:1:1: Invalid unicode code point
+ | "\U0000D800"
+ | ^
+
+I: "\U0000DFFF"
+=====>
+E: ERROR: <input>:1:1: Invalid unicode code point
+ | "\U0000DFFF"
+ | ^
+
 I: "\a\b\f\n\r\t\v\'\"\\\? Illegal escape \>"
 =====>
 E: ERROR: <input>:1:1: token recognition error at: '"\a\b\f\n\r\t\v\'\"\\\? Illegal escape \>'
@@ -344,4 +368,4 @@ ERROR: <input>:1:6: unsupported syntax '`'
  | .....^
 ERROR: <input>:1:9: missing ')' at '<EOF>'
  | has(.`.`
- | ........^
+ | ........^
