cel: add string extensions support in CEL expressions (envoyproxy#40510)

## Description

This PR adds support for CEL to expose string manipulation functions
like `lowerAscii()` etc. in HTTP filters.

Fix envoyproxy#39307

---

**Commit Message:** cel: add string extensions support in CEL
expressions
**Additional Description:** Added support for exposing string
manipulation functions in CEL expressions.
**Risk Level:** Low
**Testing:** Added Unit + Integration Tests
**Docs Changes:** Added
**Release Notes:** Added

---------

Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>

Author: agrawroh

api/envoy/config/core/v3/cel.proto

@@ -0,0 +1,63 @@
+syntax = "proto3";
+
+package envoy.config.core.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.config.core.v3";
+option java_outer_classname = "CelProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: CEL Expression Configuration]
+
+// CEL expression evaluation configuration.
+// These options control the behavior of the Common Expression Language runtime for
+// individual CEL expressions.
+message CelExpressionConfig {
+  // Enable string conversion functions for CEL expressions. When enabled, CEL expressions
+  // can convert values to strings using the ``string()`` function.
+  //
+  // .. attention::
+  //
+  //   This option is disabled by default to avoid unbounded memory allocation.
+  //   CEL evaluation cost is typically bounded by the expression size, but converting
+  //   arbitrary values (e.g., large messages, lists, or maps) to strings may allocate
+  //   memory proportional to input data size, which can be unbounded and lead to
+  //   memory exhaustion.
+  bool enable_string_conversion = 1;
+
+  // Enable string concatenation for CEL expressions. When enabled, CEL expressions
+  // can concatenate strings using the ``+`` operator.
+  //
+  // .. attention::
+  //
+  //   This option is disabled by default to avoid unbounded memory allocation.
+  //   While CEL normally bounds evaluation by expression size, enabling string
+  //   concatenation allows building outputs whose size depends on input data,
+  //   potentially causing large intermediate allocations and memory exhaustion.
+  bool enable_string_concat = 2;
+
+  // Enable string manipulation functions for CEL expressions. When enabled, CEL
+  // expressions can use additional string functions:
+  //
+  // * ``replace(old, new)`` - Replaces all occurrences of ``old`` with ``new``.
+  // * ``split(separator)`` - Splits a string into a list of substrings.
+  // * ``lowerAscii()`` - Converts ASCII characters to lowercase.
+  // * ``upperAscii()`` - Converts ASCII characters to uppercase.
+  //
+  // .. note::
+  //
+  //   Standard CEL string functions like ``contains()``, ``startsWith()``, and
+  //   ``endsWith()`` are always available regardless of this setting.
+  //
+  // .. attention::
+  //
+  //   This option is disabled by default to avoid unbounded memory allocation.
+  //   Although CEL generally bounds evaluation by expression size, functions such as
+  //   ``replace``, ``split``, ``lowerAscii()``, and ``upperAscii()`` can allocate memory
+  //   proportional to input data size. Under adversarial inputs this can lead to
+  //   unbounded allocations and memory exhaustion.
+  bool enable_string_functions = 3;
+}

api/envoy/config/rbac/v3/rbac.proto

@@ -3,6 +3,7 @@ syntax = "proto3";
 package envoy.config.rbac.v3;
 
 import "envoy/config/core/v3/address.proto";
+import "envoy/config/core/v3/cel.proto";
 import "envoy/config/core/v3/extension.proto";
 import "envoy/config/route/v3/route_components.proto";
 import "envoy/type/matcher/v3/filter_state.proto";
@@ -173,6 +174,7 @@ message RBAC {
 // A policy matches if and only if at least one of its permissions match the
 // action taking place AND at least one of its principals match the downstream
 // AND the condition is true if specified.
+// [#next-free-field: 6]
 message Policy {
   option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Policy";
 
@@ -199,6 +201,12 @@ message Policy {
   // Only be used when condition is not used.
   google.api.expr.v1alpha1.CheckedExpr checked_condition = 4
       [(udpa.annotations.field_migrate).oneof_promotion = "expression_specifier"];
+
+  // CEL expression configuration that modifies the evaluation behavior of the ``condition`` field.
+  // If specified, string conversion, concatenation, and manipulation functions may be enabled
+  // for the CEL expression. See :ref:`CelExpressionConfig <envoy_v3_api_msg_config.core.v3.CelExpressionConfig>`
+  // for more details.
+  core.v3.CelExpressionConfig cel_config = 5;
 }
 
 // SourcedMetadata enables matching against metadata from different sources in the request processing

api/envoy/extensions/access_loggers/filters/cel/v3/BUILD

@@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2
 
 api_proto_package(
-    deps = ["@com_github_cncf_xds//udpa/annotations:pkg"],
+    deps = [
+        "//envoy/config/core/v3:pkg",
+        "@com_github_cncf_xds//udpa/annotations:pkg",
+    ],
 )

api/envoy/extensions/access_loggers/filters/cel/v3/cel.proto

@@ -2,6 +2,8 @@ syntax = "proto3";
 
 package envoy.extensions.access_loggers.filters.cel.v3;
 
+import "envoy/config/core/v3/cel.proto";
+
 import "udpa/annotations/status.proto";
 
 option java_package = "io.envoyproxy.envoy.extensions.access_loggers.filters.cel.v3";
@@ -25,4 +27,10 @@ message ExpressionFilter {
   // * ``response.code >= 400``
   // * ``(connection.mtls && request.headers['x-log-mtls'] == 'true') || request.url_path.contains('v1beta3')``
   string expression = 1;
+
+  // CEL expression configuration that modifies the evaluation behavior of the ``expression`` field.
+  // If specified, string conversion, concatenation, and manipulation functions may be enabled
+  // for the filter expression. See :ref:`CelExpressionConfig <envoy_v3_api_msg_config.core.v3.CelExpressionConfig>`
+  // for more details.
+  config.core.v3.CelExpressionConfig cel_config = 2;
 }

changelogs/current.yaml

@@ -105,6 +105,12 @@ new_features:
   change: |
     Added support for not-equal operator for access log filter rules, in
     :ref:`ComparisonFilter <envoy_v3_api_msg_config.accesslog.v3.ComparisonFilter>`.
+- area: cel
+  change: |
+    Added per-expression configuration options for CEL evaluator to control string conversion, concatenation,
+    and string extension functions. CEL expressions in RBAC policies and access logger filters
+    can now enable string functions such as ``replace()`` and ``split()`` through the new ``cel_config`` field
+    in their respective configurations.
 - area: formatter
   change: |
     Added support for the following new access log formatters:

docs/root/api-v3/common_messages/common_messages.rst

@@ -10,6 +10,7 @@ Common messages
   ../service/discovery/v3/discovery.proto
   ../extensions/filters/common/fault/v3/fault.proto
   ../config/core/v3/base.proto
+  ../config/core/v3/cel.proto
   ../extensions/filters/common/matcher/action/v3/skip_action.proto
   ../extensions/matching/common_inputs/network/v3/network_inputs.proto
   ../extensions/common/ratelimit/v3/ratelimit.proto

source/extensions/access_loggers/filters/cel/config.cc

@@ -32,10 +32,15 @@ Envoy::AccessLog::FilterPtr CELAccessLogExtensionFilterFactory::createFilter(
                          parse_status.status().ToString());
   }
 
-  return std::make_unique<CELAccessLogExtensionFilter>(
-      context.serverFactoryContext().localInfo(),
-      Extensions::Filters::Common::Expr::getBuilder(context.serverFactoryContext()),
-      parse_status.value().expr());
+  // Use the CEL configuration from the filter if available.
+  auto config_ref = cel_config.has_cel_config()
+                        ? Envoy::makeOptRef(cel_config.cel_config())
+                        : Envoy::OptRef<const envoy::config::core::v3::CelExpressionConfig>{};
+  auto builder =
+      Extensions::Filters::Common::Expr::getBuilder(context.serverFactoryContext(), config_ref);
+
+  return std::make_unique<CELAccessLogExtensionFilter>(context.serverFactoryContext().localInfo(),
+                                                       builder, parse_status.value().expr());
 #else
   throw EnvoyException("CEL is not available for use in this environment.");
 #endif

source/extensions/filters/common/expr/BUILD

@@ -26,6 +26,8 @@ envoy_cc_library(
         "@com_google_cel_cpp//eval/public:cel_expression",
         "@com_google_cel_cpp//eval/public:cel_value",
         "@com_google_cel_cpp//extensions:regex_functions",
+        "@com_google_cel_cpp//extensions:strings",
+        "@envoy_api//envoy/config/core/v3:pkg_cc_proto",
     ],
 )
 

source/extensions/filters/common/expr/evaluator.cc

@@ -3,9 +3,11 @@
 #include "envoy/common/exception.h"
 #include "envoy/singleton/manager.h"
 
+#include "source/common/protobuf/utility.h"
 #include "source/common/runtime/runtime_features.h"
 
 #include "extensions/regex_functions.h"
+#include "extensions/strings.h"
 
 #include "cel/expr/syntax.pb.h"
 #include "eval/public/builtin_func_registrar.h"
@@ -101,25 +103,35 @@ ActivationPtr createActivation(const LocalInfo::LocalInfo* local_info,
                                             response_trailers);
 }
 
-BuilderInstanceSharedPtr createBuilder(Protobuf::Arena* arena) {
+BuilderConstPtr createBuilder(OptRef<const envoy::config::core::v3::CelExpressionConfig> config,
+                              Protobuf::Arena* arena) {
   ASSERT_IS_MAIN_OR_TEST_THREAD();
   google::api::expr::runtime::InterpreterOptions options;
 
-  // Security-oriented defaults
+  // Security-oriented defaults.
   options.enable_comprehension = false;
   options.enable_regex = true;
   options.regex_max_program_size = 100;
   options.enable_qualified_identifier_rewrites = true;
-  options.enable_string_conversion = false;
-  options.enable_string_concat = false;
+
+  // Resolve options from configuration or fall back to security-oriented defaults.
+  bool enable_string_functions = false;
+  if (config.has_value()) {
+    options.enable_string_conversion = config->enable_string_conversion();
+    options.enable_string_concat = config->enable_string_concat();
+    enable_string_functions = config->enable_string_functions();
+  } else {
+    options.enable_string_conversion = false;
+    options.enable_string_concat = false;
+  }
   options.enable_list_concat = false;
 
-  // Performance-oriented defaults
+  // Performance-oriented defaults.
   if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.enable_cel_regex_precompilation")) {
     options.enable_regex_precompilation = true;
   }
 
-  // Enable constant folding (performance optimization)
+  // Enable constant folding with arena if provided for RBAC backward compatibility optimization.
   if (arena != nullptr) {
     options.constant_folding = true;
     options.constant_arena = arena;
@@ -138,14 +150,61 @@ BuilderInstanceSharedPtr createBuilder(Protobuf::Arena* arena) {
     throw CelException(absl::StrCat("failed to register extension regex functions: ",
                                     ext_register_status.message()));
   }
-  return std::make_shared<BuilderInstance>(std::move(builder));
+  // Register string extension functions only if enabled in configuration.
+  if (enable_string_functions) {
+    auto string_register_status =
+        cel::extensions::RegisterStringsFunctions(builder->GetRegistry(), options);
+    if (!string_register_status.ok()) {
+      throw CelException(absl::StrCat("failed to register extension string functions: ",
+                                      string_register_status.message()));
+    }
+  }
+  return builder;
+}
+
+BuilderInstanceSharedConstPtr BuilderCache::getOrCreateBuilder(
+    OptRef<const envoy::config::core::v3::CelExpressionConfig> config) {
+  ASSERT_IS_MAIN_OR_TEST_THREAD();
+
+  ConfigHash hash = 0;
+  if (config.has_value()) {
+    // Use MessageUtil::hash for proto hashing.
+    hash = MessageUtil::hash(config.ref());
+  }
+
+  auto it = builders_.find(hash);
+  if (it != builders_.end()) {
+    auto locked_builder = it->second.lock();
+    if (locked_builder) {
+      return locked_builder;
+    }
+  }
+
+  // Create new builder with the configuration.
+  auto builder = createBuilder(config);
+  auto instance = std::make_shared<BuilderInstance>(std::move(builder), shared_from_this());
+  // Store as weak_ptr to allow release after xDS unload.
+  builders_[hash] = instance;
+  return instance;
 }
 
-SINGLETON_MANAGER_REGISTRATION(expression_builder);
+SINGLETON_MANAGER_REGISTRATION(builder_cache);
+
+BuilderInstanceSharedConstPtr
+getBuilder(Server::Configuration::CommonFactoryContext& context,
+           OptRef<const envoy::config::core::v3::CelExpressionConfig> config) {
+  auto cache = context.singletonManager().getTyped<BuilderCache>(
+      SINGLETON_MANAGER_REGISTERED_NAME(builder_cache),
+      [] { return std::make_shared<BuilderCache>(); });
+  return cache->getOrCreateBuilder(config);
+}
 
-BuilderInstanceSharedConstPtr getBuilder(Server::Configuration::CommonFactoryContext& context) {
-  return context.singletonManager().getTyped<BuilderInstance>(
-      SINGLETON_MANAGER_REGISTERED_NAME(expression_builder), [] { return createBuilder(nullptr); });
+absl::StatusOr<CompiledExpression>
+CompiledExpression::Create(Server::Configuration::CommonFactoryContext& context,
+                           const cel::expr::Expr& expr,
+                           OptRef<const envoy::config::core::v3::CelExpressionConfig> config) {
+  auto builder = getBuilder(context, config);
+  return Create(builder, expr);
 }
 
 absl::StatusOr<CompiledExpression>
@@ -165,13 +224,13 @@ CompiledExpression::Create(const BuilderInstanceSharedConstPtr& builder,
 absl::StatusOr<CompiledExpression>
 CompiledExpression::Create(const BuilderInstanceSharedConstPtr& builder,
                            const xds::type::v3::CelExpression& xds_expr) {
-  // First try to get expression from the new CEL canonical format
+  // First try to get expression from the new CEL canonical format.
   if (xds_expr.has_cel_expr_checked()) {
     return Create(builder, xds_expr.cel_expr_checked().expr());
   } else if (xds_expr.has_cel_expr_parsed()) {
     return Create(builder, xds_expr.cel_expr_parsed().expr());
   }
-  // Fallback to handling legacy formats for backward compatibility
+  // Fallback to handling legacy formats for backward compatibility.
   switch (xds_expr.expr_specifier_case()) {
   case xds::type::v3::CelExpression::ExprSpecifierCase::kParsedExpr:
     return Create(builder, xds_expr.parsed_expr().expr());