Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) WithUnsafeBuiltins function, which allows users to provide a set of built-in functions that should be deemed unsafe and rejected by the compiler if encountered in the policy compilation stage.
A bypass of this protection is possible: WithUnsafeBuiltins does not take into account the use of the "with" keyword to mock a built-in function, so a policy that refers to an unsafe built-in in this way is not rejected at the compilation stage.
{
"review_status": "REVIEWED",
"url": "https://pkg.go.dev/vuln/GO-2022-0978"
}{
"imports": [
{
"symbols": [
"Args.Copy",
"Args.Vars",
"Array.Copy",
"Array.Foreach",
"Array.Iter",
"Array.Until",
"ArrayComprehension.Copy",
"BeforeAfterVisitor.Walk",
"Body.Copy",
"Body.Vars",
"Call.Copy",
"CompileModules",
"CompileModulesWithOpt",
"Compiler.Compile",
"Compiler.GetRulesDynamic",
"Compiler.GetRulesDynamicWithOpts",
"Compiler.PassesTypeCheck",
"Compiler.rewriteWithModifiers",
"ContainsClosures",
"ContainsComprehensions",
"ContainsRefs",
"Copy",
"Every.Copy",
"Every.KeyValueVars",
"Expr.Copy",
"Expr.CopyWithoutTerms",
"Expr.Vars",
"GenericTransformer.Transform",
"GenericVisitor.Walk",
"Head.Copy",
"Head.Vars",
"Import.Copy",
"IsConstant",
"JSON",
"JSONWithOpt",
"Module.Copy",
"Module.UnmarshalJSON",
"MustCompileModules",
"MustCompileModulesWithOpts",
"MustJSON",
"MustParseBody",
"MustParseBodyWithOpts",
"MustParseExpr",
"MustParseImports",
"MustParseModule",
"MustParseModuleWithOpts",
"MustParsePackage",
"MustParseRef",
"MustParseRule",
"MustParseStatement",
"MustParseStatements",
"MustParseTerm",
"NewGraph",
"ObjectComprehension.Copy",
"OutputVarsFromBody",
"OutputVarsFromExpr",
"Package.Copy",
"ParseBody",
"ParseBodyWithOpts",
"ParseExpr",
"ParseImports",
"ParseModule",
"ParseModuleWithOpts",
"ParsePackage",
"ParseRef",
"ParseRule",
"ParseStatement",
"ParseStatements",
"ParseStatementsWithOpts",
"ParseTerm",
"Parser.Parse",
"Pretty",
"QueryContext.Copy",
"Ref.ConstantPrefix",
"Ref.Copy",
"Ref.Dynamic",
"Ref.Extend",
"Ref.OutputVars",
"Rule.Copy",
"SetComprehension.Copy",
"SomeDecl.Copy",
"Term.Copy",
"Term.Vars",
"Transform",
"TransformComprehensions",
"TransformRefs",
"TransformVars",
"TreeNode.DepthFirst",
"TypeEnv.Get",
"Unify",
"ValueMap.Copy",
"ValueMap.Equal",
"ValueMap.Hash",
"ValueMap.Iter",
"ValueMap.MarshalJSON",
"ValueMap.String",
"ValueToInterface",
"VarVisitor.Walk",
"Walk",
"WalkBeforeAndAfter",
"WalkBodies",
"WalkClosures",
"WalkExprs",
"WalkNodes",
"WalkRefs",
"WalkRules",
"WalkTerms",
"WalkVars",
"WalkWiths",
"With.Copy",
"baseDocEqIndex.AllRules",
"baseDocEqIndex.Build",
"baseDocEqIndex.Lookup",
"bodySafetyTransformer.Visit",
"comprehensionIndexNestedCandidateVisitor.Walk",
"comprehensionIndexRegressionCheckVisitor.Walk",
"isBuiltinRefOrVar",
"metadataParser.Parse",
"object.Copy",
"object.Diff",
"object.Filter",
"object.Foreach",
"object.Intersect",
"object.Iter",
"object.Map",
"object.Merge",
"object.MergeWith",
"object.Until",
"queryCompiler.Compile",
"queryCompiler.checkDeprecatedBuiltins",
"queryCompiler.checkUnsafeBuiltins",
"refChecker.Visit",
"refindices.Sorted",
"refindices.Update",
"rewriteNestedHeadVarLocalTransform.Visit",
"rewriteWithModifier",
"rewriteWithModifiersInBody",
"ruleArgLocalRewriter.Visit",
"ruleWalker.Do",
"set.Copy",
"set.Diff",
"set.Foreach",
"set.Intersect",
"set.Iter",
"set.Map",
"set.Reduce",
"set.Union",
"set.Until",
"trieNode.Do",
"trieNode.Traverse",
"trieTraversalResult.Add",
"typeChecker.CheckBody",
"typeChecker.CheckTypes",
"validateWith",
"validateWithFunctionValue"
],
"path": "github.com/open-policy-agent/opa/ast"
}
]
}