Conversation

Contributor

Copilot AI commented Dec 19, 2025

The eval() function was directly executing aviatorscript, allowing platform-specific syntax (seq.list(), string.startsWith(), math.abs()) that breaks portability across Casbin implementations and exposes operations beyond specification.

Changes

Core Validation

  • Added ExpressionEvaluator with regex-based validation blocking aviatorscript-specific features
  • Pattern is case-insensitive to prevent bypasses (SEQ.list, String.StartsWith)
  • Integrated validation into EvalFunc.call() with sanitized error logging

Allowed Operations

  • Property access: r.sub.age, r.obj.owner
  • Standard operators: ==, &&, ||, >, <, +, -, *, /
  • Registered functions: keyMatch(), regexMatch(), custom functions

Blocked Operations

  • Namespace calls: seq.*, string.*, math.*
  • Control flow: fn, lambda, let, for, while
  • Object instantiation: new, import

Migration Example

// Before (aviatorscript-specific, non-portable)
p, include(seq.list('admin', 'moderator'), r.sub.role), /data, read

// After (standard Casbin, cross-platform)
p, r.sub.role == 'admin' || r.sub.role == 'moderator', /data, read

Testing

  • 205 tests pass (201 existing + 4 new integration tests)
  • EvalCrossPlatformTest validates exact issue scenarios
  • CodeQL: 0 alerts
  • Full backward compatibility: existing standard expressions unchanged

Documentation

Added docs/ExpressionEvaluator.md covering allowed syntax, security improvements, and migration patterns.

Original prompt

This section details the original issue you should resolve

<issue_title>Issues with Inconsistent eval() Function Implementation and Non-Standard Expression Syntax in jcasbin</issue_title>
<issue_description>Problem Description

The current implementation of eval() function in jcasbin based on aviatorscript rule engine leads to the following core issues:

Cross-Platform Incompatibility:

    The syntax used in jcasbin's eval expressions (e.g., seq.list(), string.startsWith(), string.endsWith(), include(seq.list(), xx), etc.) cannot be directly used in Casbin implementations on other language platforms (Go, Node.js, Python, etc.)

    Different Casbin implementations on various platforms require their own corresponding syntax, breaking the "write once, run anywhere" design philosophy

Non-Standard Expression Syntax:

    The current expression syntax is not part of Casbin's standard specification

    Users need to learn aviatorscript-specific syntax rather than a unified Casbin expression syntax

    Example: seq.list("A", "B") needs to be changed to ["A", "B"] on other platforms

Exposure of Features Beyond Casbin Specification:

    Due to the aviatorscript foundation, the eval function can execute operations not officially supported by Casbin but available in aviatorscript

    This may lead to security issues and unpredictable behavior

    Reduces policy portability between different Casbin implementations</issue_description>

Comments on the Issue (you are @copilot in this section)
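The validation described in the PR body (regex-based, case-insensitive, blocking namespace calls and aviatorscript keywords while leaving property access, operators and registered functions untouched), shown as an added illustrative validator. This is not jcasbin's ExpressionEvaluator; the class name, the exact patterns and the sample expressions are assumptions made for the example. It also shows one edge case a reviewer would want covered: a property path such as r.sub.string.length must not be mistaken for a call into the string namespace.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Illustrative pre-check for eval() expressions (constructed example, not jcasbin code). */
public final class PortableEvalValidator {

    // Namespace calls such as seq.list(...) or STRING.startsWith(...).
    // The lookbehind (?<![\w.]) keeps a property path like r.sub.string.length allowed:
    // only a namespace token that starts a term is treated as an aviatorscript call.
    private static final Pattern NAMESPACE_CALL = Pattern.compile(
        "(?<![\\w.])(seq|string|math)\\s*\\.", Pattern.CASE_INSENSITIVE);

    // Control flow, closures and object creation. The lookarounds avoid false positives
    // on identifiers that merely contain a keyword, e.g. r.obj.format or r.sub.letter.
    private static final Pattern KEYWORD = Pattern.compile(
        "(?<![\\w.])(fn|lambda|let|for|while|new|import)(?![\\w.])", Pattern.CASE_INSENSITIVE);

    private PortableEvalValidator() {}

    /** Returns null when the expression is portable, otherwise a short reason for rejection. */
    public static String reject(String expr) {
        if (expr == null || expr.trim().isEmpty()) {
            return "empty expression";
        }
        Matcher m = NAMESPACE_CALL.matcher(expr);
        if (m.find()) {
            return "aviatorscript namespace call: " + m.group(1).toLowerCase() + ".";
        }
        m = KEYWORD.matcher(expr);
        if (m.find()) {
            return "aviatorscript keyword: " + m.group(1).toLowerCase();
        }
        return null;
    }

    public static void main(String[] args) {
        List<String> samples = List.of(                            // constructed sample expressions
            "r.sub.role == 'admin' || r.sub.role == 'moderator'",   // ALLOW: migrated form from the PR
            "keyMatch(r.obj, p.obj) && r.sub.age > 18",            // ALLOW: registered function + operators
            "r.sub.string.length > 3",                             // ALLOW: property path, not a namespace
            "r.obj.format == 'json'",                              // ALLOW: 'for' inside an identifier
            "include(seq.list('admin', 'moderator'), r.sub.role)", // BLOCK: seq namespace
            "SEQ.list('a') == r.sub.x",                            // BLOCK: case-insensitive match
            "let x = 1; x == r.sub.id",                            // BLOCK: keyword
            "fn(a) -> a end");                                     // BLOCK: closure syntax
        for (String s : samples) {
            String why = reject(s);
            System.out.printf("%-55s %s%n", s, why == null ? "ALLOW" : "BLOCK (" + why + ")");
        }
    }
}
```

Because the check is purely lexical, a property literally named "for" or "seq" at the start of an expression would also be rejected; that trade-off should be documented alongside the allowed-syntax list.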



@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

Copilot AI changed the title from "[WIP] Fix issues with inconsistent eval() function in jcasbin" to "Restrict eval() to standard Casbin expressions for cross-platform compatibility" Dec 19, 2025
Copilot AI requested a review from nomeguy December 19, 2025 16:33
@hsluoyz hsluoyz marked this pull request as ready for review December 19, 2025 16:37
@codecov-commenter

Codecov Report

❌ Patch coverage is 80.00000% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.39%. Comparing base (1229948) to head (f07d781).

Files with missing lines                                  Patch %   Lines
...ava/org/casbin/jcasbin/util/function/EvalFunc.java     40.00%    3 Missing ⚠️
...a/org/casbin/jcasbin/util/ExpressionEvaluator.java     93.33%    1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master     #468      +/-   ##
==========================================
+ Coverage   67.31%   67.39%   +0.08%     
==========================================
  Files          60       61       +1     
  Lines        3004     3024      +20     
  Branches      559      562       +3     
==========================================
+ Hits         2022     2038      +16     
- Misses        802      806       +4     
  Partials      180      180              


@hsluoyz hsluoyz force-pushed the master branch 2 times, most recently from d4aa61e to 53d9a5f Compare January 7, 2026 11:39


Development

Successfully merging this pull request may close these issues.

Issues with Inconsistent eval() Function Implementation and Non-Standard Expression Syntax in jcasbin

4 participants