GO-2022-0978
- Source
- https://pkg.go.dev/vuln/GO-2022-0978
- Import Source
- https://vuln.go.dev/ID/GO-2022-0978.json
- Aliases
- Published
- 2022-09-13T17:40:16Z
- Modified
- 2023-12-14T15:52:23Z
- Details
-
Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) WithUnsafeBuiltins function, which allows users to provide a set of built-in functions that should be deemed unsafe and rejected by the compiler if encountered in the policy compilation stage.
A bypass of this protection is possible when using the "with" keyword to mock a built-in function that isn't taken into account by WithUnsafeBuiltins.
- References
-
- https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr
- https://github.com/open-policy-agent/opa/pull/4540
- https://github.com/open-policy-agent/opa/pull/4616
- https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823
- https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8
- https://github.com/open-policy-agent/opa/releases/tag/v0.43.1
Affected packages
Go / github.com/open-policy-agent/opa
Package
Ecosystem specific
{
"imports": [
{
"path": "github.com/open-policy-agent/opa/ast",
"symbols": [
"Args.Copy",
"Args.Vars",
"Array.Copy",
"Array.Foreach",
"Array.Iter",
"Array.Until",
"ArrayComprehension.Copy",
"BeforeAfterVisitor.Walk",
"Body.Copy",
"Body.Vars",
"Call.Copy",
"CompileModules",
"CompileModulesWithOpt",
"Compiler.Compile",
"Compiler.GetRulesDynamic",
"Compiler.GetRulesDynamicWithOpts",
"Compiler.PassesTypeCheck",
"Compiler.rewriteWithModifiers",
"ContainsClosures",
"ContainsComprehensions",
"ContainsRefs",
"Copy",
"Every.Copy",
"Every.KeyValueVars",
"Expr.Copy",
"Expr.CopyWithoutTerms",
"Expr.Vars",
"GenericTransformer.Transform",
"GenericVisitor.Walk",
"Head.Copy",
"Head.Vars",
"Import.Copy",
"IsConstant",
"JSON",
"JSONWithOpt",
"Module.Copy",
"Module.UnmarshalJSON",
"MustCompileModules",
"MustCompileModulesWithOpts",
"MustJSON",
"MustParseBody",
"MustParseBodyWithOpts",
"MustParseExpr",
"MustParseImports",
"MustParseModule",
"MustParseModuleWithOpts",
"MustParsePackage",
"MustParseRef",
"MustParseRule",
"MustParseStatement",
"MustParseStatements",
"MustParseTerm",
"NewGraph",
"ObjectComprehension.Copy",
"OutputVarsFromBody",
"OutputVarsFromExpr",
"Package.Copy",
"ParseBody",
"ParseBodyWithOpts",
"ParseExpr",
"ParseImports",
"ParseModule",
"ParseModuleWithOpts",
"ParsePackage",
"ParseRef",
"ParseRule",
"ParseStatement",
"ParseStatements",
"ParseStatementsWithOpts",
"ParseTerm",
"Parser.Parse",
"Pretty",
"QueryContext.Copy",
"Ref.ConstantPrefix",
"Ref.Copy",
"Ref.Dynamic",
"Ref.Extend",
"Ref.OutputVars",
"Rule.Copy",
"SetComprehension.Copy",
"SomeDecl.Copy",
"Term.Copy",
"Term.Vars",
"Transform",
"TransformComprehensions",
"TransformRefs",
"TransformVars",
"TreeNode.DepthFirst",
"TypeEnv.Get",
"Unify",
"ValueMap.Copy",
"ValueMap.Equal",
"ValueMap.Hash",
"ValueMap.Iter",
"ValueMap.MarshalJSON",
"ValueMap.String",
"ValueToInterface",
"VarVisitor.Walk",
"Walk",
"WalkBeforeAndAfter",
"WalkBodies",
"WalkClosures",
"WalkExprs",
"WalkNodes",
"WalkRefs",
"WalkRules",
"WalkTerms",
"WalkVars",
"WalkWiths",
"With.Copy",
"baseDocEqIndex.AllRules",
"baseDocEqIndex.Build",
"baseDocEqIndex.Lookup",
"bodySafetyTransformer.Visit",
"comprehensionIndexNestedCandidateVisitor.Walk",
"comprehensionIndexRegressionCheckVisitor.Walk",
"isBuiltinRefOrVar",
"metadataParser.Parse",
"object.Copy",
"object.Diff",
"object.Filter",
"object.Foreach",
"object.Intersect",
"object.Iter",
"object.Map",
"object.Merge",
"object.MergeWith",
"object.Until",
"queryCompiler.Compile",
"queryCompiler.checkDeprecatedBuiltins",
"queryCompiler.checkUnsafeBuiltins",
"refChecker.Visit",
"refindices.Sorted",
"refindices.Update",
"rewriteNestedHeadVarLocalTransform.Visit",
"rewriteWithModifier",
"rewriteWithModifiersInBody",
"ruleArgLocalRewriter.Visit",
"ruleWalker.Do",
"set.Copy",
"set.Diff",
"set.Foreach",
"set.Intersect",
"set.Iter",
"set.Map",
"set.Reduce",
"set.Union",
"set.Until",
"trieNode.Do",
"trieNode.Traverse",
"trieTraversalResult.Add",
"typeChecker.CheckBody",
"typeChecker.CheckTypes",
"validateWith",
"validateWithFunctionValue"
]
}
]
}