Add cel_expression validation to PROTOVALIDATE lint rule (#4284)

stefanvanburen · web-flow · commit d59e05aaebfb · 2026-01-16T14:42:42.000-05:00
[`cel_expression` was added to protovalidate][2] in [v1.1.0][1]. We ought to validate it in the same way that we validate the `cel` field. [1]: https://github.com/bufbuild/protovalidate/releases/tag/v1.1.0 [2]: bufbuild/protovalidate#432
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@
   imports, and sort imports alphabetically.
 - Add LSP document link support.
 - Add LSP folding range support.
+- Update `PROTOVALIDATE` lint rule to support checking `cel_expression` fields for valid CEL.
 
 ## [v1.63.0] - 2026-01-06
 
diff --git a/private/bufpkg/bufcheck/bufcheckserver/internal/buflintvalidate/cel.go b/private/bufpkg/bufcheck/bufcheckserver/internal/buflintvalidate/cel.go
@@ -32,6 +32,10 @@ const (
 	celFieldNumberInFieldRules = 23
 	// https://buf.build/bufbuild/protovalidate/docs/main:buf.validate#buf.validate.MessageRules
 	celFieldNumberInMessageRules = 3
+	// https://buf.build/bufbuild/protovalidate/docs/main:buf.validate#buf.validate.MessageRules
+	celExpressionFieldNumberInMessageRules = 5
+	// https://buf.build/bufbuild/protovalidate/docs/main:buf.validate#buf.validate.FieldRules
+	celExpressionFieldNumberInFieldRules = 29
 )
 
 func checkCELForMessage(
@@ -40,6 +44,9 @@ func checkCELForMessage(
 	messageDescriptor protoreflect.MessageDescriptor,
 	message bufprotosource.Message,
 ) error {
+	if len(messageRules.GetCel()) == 0 && len(messageRules.GetCelExpression()) == 0 {
+		return nil
+	}
 	celEnv, err := cel.NewEnv(
 		cel.Lib(celpv.NewLibrary()),
 	)
@@ -67,7 +74,32 @@ func checkCELForMessage(
 			)
 			add(message, messageRulesOptionLocation, nil, format, args...)
 		},
+		false, // isCELExpression
 	)
+	if len(messageRules.GetCelExpression()) > 0 {
+		celExpressionRules := make([]*validate.Rule, len(messageRules.GetCelExpression()))
+		for i, expr := range messageRules.GetCelExpression() {
+			celExpressionRules[i] = &validate.Rule{
+				Expression: &expr,
+			}
+		}
+		checkCEL(
+			celEnv,
+			celExpressionRules,
+			fmt.Sprintf("message %q", message.Name()),
+			fmt.Sprintf("Message %q", message.Name()),
+			"(buf.validate.message).cel_expression",
+			func(index int, format string, args ...any) {
+				messageRulesOptionLocation := message.OptionExtensionLocation(
+					validate.E_Message,
+					celExpressionFieldNumberInMessageRules,
+					int32(index),
+				)
+				add(message, messageRulesOptionLocation, nil, format, args...)
+			},
+			true, // isCELExpression
+		)
+	}
 	return nil
 }
 
@@ -78,7 +110,7 @@ func checkCELForField(
 	// forItems is true if the CEL rule is defined on a non-repeated field or on each item of a repeated field.
 	forItems bool,
 ) error {
-	if len(fieldRules.GetCel()) == 0 {
+	if len(fieldRules.GetCel()) == 0 && len(fieldRules.GetCelExpression()) == 0 {
 		return nil
 	}
 	celEnv, err := cel.NewEnv(
@@ -109,7 +141,31 @@ func checkCELForField(
 				args...,
 			)
 		},
+		false, // isCELExpression
 	)
+	if len(fieldRules.GetCelExpression()) > 0 {
+		celExpressionRules := make([]*validate.Rule, len(fieldRules.GetCelExpression()))
+		for i, expr := range fieldRules.GetCelExpression() {
+			celExpressionRules[i] = &validate.Rule{
+				Expression: &expr,
+			}
+		}
+		checkCEL(
+			celEnv,
+			celExpressionRules,
+			fmt.Sprintf("field %q", adder.fieldName()),
+			fmt.Sprintf("Field %q", adder.fieldName()),
+			adder.getFieldRuleName(celExpressionFieldNumberInFieldRules),
+			func(index int, format string, args ...any) {
+				adder.addForPathf(
+					[]int32{celExpressionFieldNumberInFieldRules, int32(index)},
+					format,
+					args...,
+				)
+			},
+			true, // isCELExpression
+		)
+	}
 	return nil
 }
 
@@ -121,9 +177,14 @@ func checkCEL(
 	parentNameCapitalized string,
 	celName string,
 	add func(int, string, ...any),
+	isCELExpression bool,
 ) bool {
 	allCelExpressionsCompile := true
 	idToConstraintIndices := make(map[string][]int, len(celRules))
+	expressionField := celName + ".expression"
+	if isCELExpression {
+		expressionField = celName
+	}
 	for i, celConstraint := range celRules {
 		if celID := celConstraint.GetId(); celID != "" {
 			for _, char := range celID {
@@ -147,7 +208,7 @@ func checkCEL(
 			idToConstraintIndices[celID] = append(idToConstraintIndices[celID], i)
 		}
 		if len(strings.TrimSpace(celConstraint.GetExpression())) == 0 {
-			add(i, "%s has an empty %s.expression. Expressions should always be specified.", parentNameCapitalized, celName)
+			add(i, "%s has an empty %s. Expressions should always be specified.", parentNameCapitalized, expressionField)
 			continue
 		}
 		ast, compileIssues := celEnv.Compile(celConstraint.GetExpression())
@@ -168,8 +229,8 @@ func checkCEL(
 		default:
 			add(
 				i,
-				"%s.expression on %s evaluates to a %s, only string and boolean are allowed.",
-				celName,
+				"%s on %s evaluates to a %s, only string and boolean are allowed.",
+				expressionField,
 				parentName,
 				cel.FormatCELType(ast.OutputType()),
 			)
@@ -179,8 +240,8 @@ func checkCEL(
 			for _, parsedIssue := range parseCelIssuesText(compileIssues.Err().Error()) {
 				add(
 					i,
-					"%s.expression on %s fails to compile: %s",
-					celName,
+					"%s on %s fails to compile: %s",
+					expressionField,
 					parentName,
 					parsedIssue,
 				)
diff --git a/private/bufpkg/bufcheck/bufcheckserver/internal/buflintvalidate/predefined_rules.go b/private/bufpkg/bufcheck/bufcheckserver/internal/buflintvalidate/predefined_rules.go
@@ -114,6 +114,7 @@ func checkPredefinedRuleExtension(
 				args...,
 			)
 		},
+		false,
 	)
 	return nil
 }
diff --git a/private/bufpkg/bufcheck/lint_test.go b/private/bufpkg/bufcheck/lint_test.go
@@ -616,6 +616,10 @@ func TestRunProtovalidate(t *testing.T) {
 		bufanalysistesting.NewFileAnnotation(t, "bytes.proto", 31, 5, 31, 45, "PROTOVALIDATE"),
 		bufanalysistesting.NewFileAnnotation(t, "bytes.proto", 43, 5, 43, 65, "PROTOVALIDATE"),
 		bufanalysistesting.NewFileAnnotation(t, "bytes.proto", 46, 45, 46, 106, "PROTOVALIDATE"),
+		bufanalysistesting.NewFileAnnotation(t, "cel_expression.proto", 11, 37, 11, 85, "PROTOVALIDATE"),
+		bufanalysistesting.NewFileAnnotation(t, "cel_expression.proto", 14, 38, 14, 84, "PROTOVALIDATE"),
+		bufanalysistesting.NewFileAnnotation(t, "cel_expression.proto", 19, 5, 19, 53, "PROTOVALIDATE"),
+		bufanalysistesting.NewFileAnnotation(t, "cel_expression.proto", 25, 3, 25, 65, "PROTOVALIDATE"),
 		bufanalysistesting.NewFileAnnotation(t, "cel_field.proto", 10, 37, 14, 4, "PROTOVALIDATE"),
 		bufanalysistesting.NewFileAnnotation(t, "cel_field.proto", 17, 5, 21, 6, "PROTOVALIDATE"),
 		bufanalysistesting.NewFileAnnotation(t, "cel_field.proto", 29, 5, 33, 6, "PROTOVALIDATE"),
diff --git a/private/bufpkg/bufcheck/testdata/lint/protovalidate/proto/cel_expression.proto b/private/bufpkg/bufcheck/testdata/lint/protovalidate/proto/cel_expression.proto
@@ -0,0 +1,26 @@
+syntax = "proto2";
+
+import "buf/validate/validate.proto";
+
+// Test cel_expression validation
+message TestCelExpression {
+  // Valid expression
+  optional string valid_field = 1 [(buf.validate.field).cel_expression = "this.size() > 5"];
+
+  // Invalid expression - type error
+  optional string invalid_type = 2 [(buf.validate.field).cel_expression = "this > 5"];
+
+  // Invalid expression - syntax error
+  optional int32 invalid_syntax = 3 [(buf.validate.field).cel_expression = "this +"];
+
+  // Multiple expressions, some valid, some invalid
+  optional string mixed = 4 [
+    (buf.validate.field).cel_expression = "this.size() > 0",
+    (buf.validate.field).cel_expression = "this * 2"
+  ];
+
+  // Message-level cel_expression
+  optional string foo = 5;
+  option (buf.validate.message).cel_expression = "this.foo.size() > 0";
+  option (buf.validate.message).cel_expression = "this.foo > 5";
+}

Original file line number	Diff line number	Diff line change
`@@ -114,6 +114,7 @@ func checkPredefinedRuleExtension(`
`114`	`114`	`args...,`
`115`	`115`	`)`
`116`	`116`	`},`
	`117`	`+ false,`
`117`	`118`	`)`
`118`	`119`	`return nil`
`119`	`120`	`}`