From cae5738b85d7e4984733b4770d133bdcf9950e2d Mon Sep 17 00:00:00 2001
From: sikehish <hisham0502@gmail.com>
Date: Mon, 2 Dec 2024 23:11:00 +0530
Subject: [PATCH] to_number : built-in function now rejects "Inf", "Infinity"
 and "NaN" values #7203

Signed-off-by: sikehish <hisham0502@gmail.com>
---
 .../testdata/v1/casts/test-casts-0828.yml     | 90 +++++++++++++++++++
 topdown/casts.go                              | 12 ++-
 2 files changed, 101 insertions(+), 1 deletion(-)
 create mode 100644 test/cases/testdata/v1/casts/test-casts-0828.yml

diff --git a/test/cases/testdata/v1/casts/test-casts-0828.yml b/test/cases/testdata/v1/casts/test-casts-0828.yml
new file mode 100644
index 0000000000..cc666f416f
--- /dev/null
+++ b/test/cases/testdata/v1/casts/test-casts-0828.yml
@@ -0,0 +1,90 @@
+---
+cases:
+  - note: "casts/to_number: nan input"
+    query: data.generated.p = b
+    modules:
+      - |
+        package generated
+
+        p if {
+          to_number("nan", b)
+        }
+    want_error_code: eval_type_error
+    strict_error: true
+  - note: "casts/to_number: inf input"
+    query: data.generated.p = b
+    modules:
+      - |
+        package generated
+
+        p if {
+          to_number("inf", b)
+        }
+    want_error_code: eval_type_error
+    strict_error: true
+  - note: "casts/to_number: -inf input"
+    query: data.generated.p = b
+    modules:
+      - |
+        package generated
+
+        p if {
+          to_number("-inf", b)
+        }
+    want_error_code: eval_type_error
+    strict_error: true
+  - note: "casts/to_number: Infinity input"
+    query: data.generated.p = b
+    modules:
+      - |
+        package generated
+
+        p if {
+          to_number("Infinity", b)
+        }
+    want_error_code: eval_type_error
+    strict_error: true
+  - note: "casts/to_number: -Infinity input"
+    query: data.generated.p = b
+    modules:
+      - |
+        package generated
+
+        p if {
+          to_number("-Infinity", b)
+        }
+    want_error_code: eval_type_error
+    strict_error: true
+  - note: "casts/to_number: -nan input"
+    query: data.generated.p = b
+    modules:
+      - |
+        package generated
+
+        p if {
+          to_number("-nan", b)
+        }
+    want_error_code: eval_type_error
+    strict_error: true
+  - note: "casts/to_number: -NaN input"
+    query: data.generated.p = b
+    modules:
+      - |
+        package generated
+
+        p if {
+          to_number("-NaN", b)
+        }
+    want_error_code: eval_type_error
+    strict_error: true
+  - note: "casts/to_number: iNf input"
+    query: data.generated.p = b
+    modules:
+      - |
+        package generated
+
+        p if {
+          to_number("iNf", b)
+        }
+    want_error_code: eval_type_error
+    strict_error: true
diff --git a/topdown/casts.go b/topdown/casts.go
index 94087d5edb..a381e7380f 100644
--- a/topdown/casts.go
+++ b/topdown/casts.go
@@ -6,6 +6,7 @@ package topdown
 
 import (
 	"strconv"
+	"strings"
 
 	"github.com/open-policy-agent/opa/ast"
 	"github.com/open-policy-agent/opa/topdown/builtins"
@@ -23,7 +24,16 @@ func builtinToNumber(_ BuiltinContext, operands []*ast.Term, iter func(*ast.Term
 	case ast.Number:
 		return iter(ast.NewTerm(a))
 	case ast.String:
-		_, err := strconv.ParseFloat(string(a), 64)
+		strValue := string(a)
+
+		trimmedVal := strings.TrimLeft(strValue, "+-")
+		lowerCaseVal := strings.ToLower(trimmedVal)
+
+		if lowerCaseVal == "inf" || lowerCaseVal == "infinity" || lowerCaseVal == "nan" {
+			return builtins.NewOperandTypeErr(1, operands[0].Value, "valid number string")
+		}
+
+		_, err := strconv.ParseFloat(strValue, 64)
 		if err != nil {
 			return err
 		}