From 93e2447ba2f81a3b3345ae974160225f267c3342 Mon Sep 17 00:00:00 2001
From: Jason Cameron
Date: Fri, 23 May 2025 18:14:31 -0400
Subject: [PATCH] fix(expression): add validation for empty expression list in CEL (#545)

* fix(expression): add validation for empty ExpressionOrList

Signed-off-by: Jason Cameron

* fix(imports): block empty file imports with improved error checking logic

Signed-off-by: Jason Cameron

* docs(expression): improve validation to error on empty CEL expressions

Signed-off-by: Jason Cameron

---------

Signed-off-by: Jason Cameron
---
 docs/docs/CHANGELOG.md | 1 +
 lib/policy/config/config.go | 2 +-
 lib/policy/config/expressionorlist.go | 3 +++
 lib/policy/config/expressionorlist_test.go | 7 +++++++
 4 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md
index bd2150d..512007e 100644
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -29,6 +29,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added Qualys SSL Labs whitelist policy
 - Fixed cookie deletion logic ([#520](https://github.com/TecharoHQ/anubis/issues/520), [#522](https://github.com/TecharoHQ/anubis/pull/522))
 - Add `--target-sni` flag/envvar to allow changing the value of the TLS handshake hostname in requests forwarded to the target service.
+- Fixed CEL expression matching validator to now properly error out when it receives empty expressions
 
 ## v1.18.0: Varis zos Galvus
 
diff --git a/lib/policy/config/config.go b/lib/policy/config/config.go
index 4b6f643..7daa0b4 100644
--- a/lib/policy/config/config.go
+++ b/lib/policy/config/config.go
@@ -224,7 +224,7 @@ func (is *ImportStatement) open() (fs.File, error) {
 func (is *ImportStatement) load() error {
 fin, err := is.open()
 if err != nil {
- return fmt.Errorf("can't open %s: %w", is.Import, err)
+ return fmt.Errorf("%w: %s: %w", ErrInvalidImportStatement, is.Import, err)
 }
 defer fin.Close()
 
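Review bot: The rewritten error in load() drops the "can't open" wording, so an open failure and any other ErrInvalidImportStatement produced later in load() (the rest of the body is outside this hunk) now read the same apart from the wrapped cause; keeping the verb costs nothing: `return fmt.Errorf("%w: can't open %s: %w", ErrInvalidImportStatement, is.Import, err)`. Wrapping two errors with `%w` in one call needs Go 1.20 or newer, which the hunk cannot confirm from go.mod. The commit message also mentions blocking empty file imports, but no empty-file check appears in this hunk; if it lives elsewhere in load(), a short comment near this return saying where the size check happens would help the next reader.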
diff --git a/lib/policy/config/expressionorlist.go b/lib/policy/config/expressionorlist.go
index 7b07a35..7088c8d 100644
--- a/lib/policy/config/expressionorlist.go
+++ b/lib/policy/config/expressionorlist.go
@@ -54,6 +54,9 @@ func (eol *ExpressionOrList) UnmarshalJSON(data []byte) error {
 }
 
 func (eol *ExpressionOrList) Valid() error {
+ if eol.Expression == "" && len(eol.All) == 0 && len(eol.Any) == 0 {
+ return ErrExpressionEmpty
+ }
 if len(eol.All) != 0 && len(eol.Any) != 0 {
 return ErrExpressionCantHaveBoth
 }
diff --git a/lib/policy/config/expressionorlist_test.go b/lib/policy/config/expressionorlist_test.go
index 880effe..dbdda2d 100644
--- a/lib/policy/config/expressionorlist_test.go
+++ b/lib/policy/config/expressionorlist_test.go
@@ -51,6 +51,13 @@ func TestExpressionOrListUnmarshal(t *testing.T) {
 }`,
 validErr: ErrExpressionCantHaveBoth,
 },
+ {
+ name: "expression-empty",
+ inp: `{
+ "any": []
+ }`,
+ validErr: ErrExpressionEmpty,
+ },
 } {
 t.Run(tt.name, func(t *testing.T) {
 var eol ExpressionOrList
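Review bot: The new guard in Valid() treats only the exact empty string as empty, so a policy whose expression is whitespace (`expression: " "`) still passes this check and fails later, or not at all, depending on what the CEL compiler does with it; comparing `strings.TrimSpace(eol.Expression) == ""` closes that gap (needs `strings` in the file's import block if it is not already there). The guard also does not look inside All/Any, so `all: [""]` is accepted here; the remainder of Valid() is outside the hunk and may cover per-element checks, in which case a one-line comment above the guard, `// reject a rule with no expression at all; per-element checks follow below`, would make the split of responsibility explicit.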
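Review bot: The added table case exercises only the `"any": []` shape of the new ErrExpressionEmpty guard, leaving the other inputs that hit the same branch untested. Sibling cases with `inp` set to `{}`, `{"all": []}` and `{"expression": ""}` (each with `validErr: ErrExpressionEmpty`) would pin the guard for every field it reads and catch a future reorder of the conditions. TestExpressionOrListUnmarshal starts and ends outside this hunk, so I cannot tell whether the loop compares with errors.Is or ==; errors.Is is the safer choice if Valid() ever wraps the sentinel.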