From d24f8e4e86609846cdd1c7dbc98e5d1f2bcf686e Mon Sep 17 00:00:00 2001
From: Kotha Dhakshin <179742818+Dhakshin2007@users.noreply.github.com>
Date: Sat, 16 May 2026 18:32:36 +0530
Subject: [PATCH] fix: provide ResultSize for string.format() cost estimate

Prior to this fix, the ExtFormatString cost case returned no ResultSize, with the comment "ResultSize not calculated because we can't bound the max size." Since PR #1292 introduced StringsMaxPrecision (defaulting to 100 for v5+), the output size of string.format() is now bounded: each format clause expands an argument by at most maxPrecision + small constant characters. The output is therefore bounded by the format string size plus the sum of argument string sizes. This change computes ResultSize = targetSize + argsSize, enabling downstream cost-tracking expressions (e.g. format output passed to contains(), size(), or string concatenation) to have accurate cost estimates, which is important for enforcing compute limits in security-sensitive CEL evaluation contexts.
---
 checker/cost.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/checker/cost.go b/checker/cost.go
index 086dc40f..048dd764 100644
--- a/checker/cost.go
+++ b/checker/cost.go
@@ -752,9 +752,9 @@ func (c *coster) functionCost(e ast.Expr, function, overloadID string, target *A
 // O(n) functions
 case overloads.ExtFormatString:
 if target != nil {
- // ResultSize not calculated because we can't bound the max size.
+ // ResultSize is bounded: since precision is capped by StringsMaxPrecision, // the output cannot exceed the format string size plus the sum of // argument string sizes (each numeric arg expands by at most // maxPrecision + fixed overhead characters).
 return CallEstimate{
- CostEstimate: c.sizeOrUnknown(*target).MultiplyByCostFactor(common.StringTraversalCostFactor).Add(argCostSum())}
+ targetSz := c.sizeOrUnknown(*target) argsSz := c.sizeOrUnknown(args[0]) resultSize := targetSz.Add(argsSz) return CallEstimate{ CostEstimate: targetSz.MultiplyByCostFactor(common.StringTraversalCostFactor).Add(argCostSum()), ResultSize: &resultSize}
 }
 case overloads.StringToBytes:
 if len(args) == 1 {
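Review bot: `resultSize := targetSz.Add(argsSz)` does not look like a safe upper bound. `args[0]` appears to be the list handed to `format()`, so `c.sizeOrUnknown(args[0])` presumably estimates the element count rather than the combined length of the elements' string forms, and a `%s` clause that substitutes a long string already exceeds format length plus element count. An underestimated `ResultSize` flows into every downstream estimate (`contains()`, `size()`, concatenation) and so loosens the cost limit the commit message sets out to enforce; it is safer to leave `ResultSize` unset unless the element sizes are known, and otherwise to derive the bound from those sizes plus a per-clause allowance tied to StringsMaxPrecision. The new code also indexes `args[0]` behind only the `target != nil` guard, while the next case checks `len(args) == 1`; `if target != nil && len(args) == 1 {` would match it. Separately, the hunk header (`-752,9 +752,9`) and the diffstat (2 insertions) indicate that the three assignments and the new `return` were added as one physical line inside the unchanged `return CallEstimate{` context, which would not compile as shown; that context line needs removing and the statements need their own lines. functionCost begins and ends outside the hunk.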