{"id":"GO-2022-0978","summary":"Protection bypass in github.com/open-policy-agent/opa","details":"Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) WithUnsafeBuiltins function, which allows users to provide a set of built-in functions that should be deemed unsafe and rejected by the compiler if encountered in the policy compilation stage.\n\nA bypass of this protection is possible when using the \"with\" keyword to mock a built-in function that isn't taken into account by WithUnsafeBuiltins.","aliases":["CVE-2022-36085","GHSA-f524-rf33-2jjr"],"modified":"2024-05-20T16:03:47Z","published":"2022-09-13T17:40:16Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2022-0978","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr"},{"type":"FIX","url":"https://github.com/open-policy-agent/opa/pull/4540"},{"type":"FIX","url":"https://github.com/open-policy-agent/opa/pull/4616"},{"type":"FIX","url":"https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823"},{"type":"FIX","url":"https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8"},{"type":"WEB","url":"https://github.com/open-policy-agent/opa/releases/tag/v0.43.1"}],"affected":[{"package":{"name":"github.com/open-policy-agent/opa","ecosystem":"Go","purl":"pkg:golang/github.com/open-policy-agent/opa"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.40.0"},{"fixed":"0.44.0"}]}],"ecosystem_specific":{"imports":[{"symbols":["Args.Copy","Args.Vars","Array.Copy","Array.Foreach","Array.Iter","Array.Until","ArrayComprehension.Copy","BeforeAfterVisitor.Walk","Body.Copy","Body.Vars","Call.Copy","CompileModules","CompileModulesWithOpt","Compiler.Compile","Compiler.GetRulesDynamic","Compiler.GetRulesDynamicWithOpts","Compiler.PassesTypeCheck","Compiler.rewriteWithModifiers","ContainsClosures","ContainsComprehensions","ContainsRefs","Copy","Every.Copy","Every.KeyValueVars","Expr.Copy","Expr.CopyWithoutTerms","Expr.Vars","GenericTransformer.Transform","GenericVisitor.Walk","Head.Copy","Head.Vars","Import.Copy","IsConstant","JSON","JSONWithOpt","Module.Copy","Module.UnmarshalJSON","MustCompileModules","MustCompileModulesWithOpts","MustJSON","MustParseBody","MustParseBodyWithOpts","MustParseExpr","MustParseImports","MustParseModule","MustParseModuleWithOpts","MustParsePackage","MustParseRef","MustParseRule","MustParseStatement","MustParseStatements","MustParseTerm","NewGraph","ObjectComprehension.Copy","OutputVarsFromBody","OutputVarsFromExpr","Package.Copy","ParseBody","ParseBodyWithOpts","ParseExpr","ParseImports","ParseModule","ParseModuleWithOpts","ParsePackage","ParseRef","ParseRule","ParseStatement","ParseStatements","ParseStatementsWithOpts","ParseTerm","Parser.Parse","Pretty","QueryContext.Copy","Ref.ConstantPrefix","Ref.Copy","Ref.Dynamic","Ref.Extend","Ref.OutputVars","Rule.Copy","SetComprehension.Copy","SomeDecl.Copy","Term.Copy","Term.Vars","Transform","TransformComprehensions","TransformRefs","TransformVars","TreeNode.DepthFirst","TypeEnv.Get","Unify","ValueMap.Copy","ValueMap.Equal","ValueMap.Hash","ValueMap.Iter","ValueMap.MarshalJSON","ValueMap.String","ValueToInterface","VarVisitor.Walk","Walk","WalkBeforeAndAfter","WalkBodies","WalkClosures","WalkExprs","WalkNodes","WalkRefs","WalkRules","WalkTerms","WalkVars","WalkWiths","With.Copy","baseDocEqIndex.AllRules","baseDocEqIndex.Build","baseDocEqIndex.Lookup","bodySafetyTransformer.Visit","comprehensionIndexNestedCandidateVisitor.Walk","comprehensionIndexRegressionCheckVisitor.Walk","isBuiltinRefOrVar","metadataParser.Parse","object.Copy","object.Diff","object.Filter","object.Foreach","object.Intersect","object.Iter","object.Map","object.Merge","object.MergeWith","object.Until","queryCompiler.Compile","queryCompiler.checkDeprecatedBuiltins","queryCompiler.checkUnsafeBuiltins","refChecker.Visit","refindices.Sorted","refindices.Update","rewriteNestedHeadVarLocalTransform.Visit","rewriteWithModifier","rewriteWithModifiersInBody","ruleArgLocalRewriter.Visit","ruleWalker.Do","set.Copy","set.Diff","set.Foreach","set.Intersect","set.Iter","set.Map","set.Reduce","set.Union","set.Until","trieNode.Do","trieNode.Traverse","trieTraversalResult.Add","typeChecker.CheckBody","typeChecker.CheckTypes","validateWith","validateWithFunctionValue"],"path":"github.com/open-policy-agent/opa/ast"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-0978.json"}}],"schema_version":"1.7.3","credits":[{"name":"anderseknert@"}]}