| { |
| "schema_version": "1.3.1", |
| "id": "GO-2022-0978", |
| "modified": "0001-01-01T00:00:00Z", |
| "published": "2022-09-13T17:40:16Z", |
| "aliases": [ |
| "CVE-2022-36085", |
| "GHSA-f524-rf33-2jjr" |
| ], |
| "summary": "Protection bypass in github.com/open-policy-agent/opa", |
| "details": "Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) WithUnsafeBuiltins function, which allows users to provide a set of built-in functions that should be deemed unsafe and rejected by the compiler if encountered in the policy compilation stage.\n\nA bypass of this protection is possible when using the \"with\" keyword to mock a built-in function that isn't taken into account by WithUnsafeBuiltins.", |
| "affected": [ |
| { |
| "package": { |
| "name": "github.com/open-policy-agent/opa", |
| "ecosystem": "Go" |
| }, |
| "ranges": [ |
| { |
| "type": "SEMVER", |
| "events": [ |
| { |
| "introduced": "0.40.0" |
| }, |
| { |
| "fixed": "0.44.0" |
| } |
| ] |
| } |
| ], |
| "ecosystem_specific": { |
| "imports": [ |
| { |
| "path": "github.com/open-policy-agent/opa/ast", |
| "symbols": [ |
| "Args.Copy", |
| "Args.Vars", |
| "Array.Copy", |
| "Array.Foreach", |
| "Array.Iter", |
| "Array.Until", |
| "ArrayComprehension.Copy", |
| "BeforeAfterVisitor.Walk", |
| "Body.Copy", |
| "Body.Vars", |
| "Call.Copy", |
| "CompileModules", |
| "CompileModulesWithOpt", |
| "Compiler.Compile", |
| "Compiler.GetRulesDynamic", |
| "Compiler.GetRulesDynamicWithOpts", |
| "Compiler.PassesTypeCheck", |
| "Compiler.rewriteWithModifiers", |
| "ContainsClosures", |
| "ContainsComprehensions", |
| "ContainsRefs", |
| "Copy", |
| "Every.Copy", |
| "Every.KeyValueVars", |
| "Expr.Copy", |
| "Expr.CopyWithoutTerms", |
| "Expr.Vars", |
| "GenericTransformer.Transform", |
| "GenericVisitor.Walk", |
| "Head.Copy", |
| "Head.Vars", |
| "Import.Copy", |
| "IsConstant", |
| "JSON", |
| "JSONWithOpt", |
| "Module.Copy", |
| "Module.UnmarshalJSON", |
| "MustCompileModules", |
| "MustCompileModulesWithOpts", |
| "MustJSON", |
| "MustParseBody", |
| "MustParseBodyWithOpts", |
| "MustParseExpr", |
| "MustParseImports", |
| "MustParseModule", |
| "MustParseModuleWithOpts", |
| "MustParsePackage", |
| "MustParseRef", |
| "MustParseRule", |
| "MustParseStatement", |
| "MustParseStatements", |
| "MustParseTerm", |
| "NewGraph", |
| "ObjectComprehension.Copy", |
| "OutputVarsFromBody", |
| "OutputVarsFromExpr", |
| "Package.Copy", |
| "ParseBody", |
| "ParseBodyWithOpts", |
| "ParseExpr", |
| "ParseImports", |
| "ParseModule", |
| "ParseModuleWithOpts", |
| "ParsePackage", |
| "ParseRef", |
| "ParseRule", |
| "ParseStatement", |
| "ParseStatements", |
| "ParseStatementsWithOpts", |
| "ParseTerm", |
| "Parser.Parse", |
| "Pretty", |
| "QueryContext.Copy", |
| "Ref.ConstantPrefix", |
| "Ref.Copy", |
| "Ref.Dynamic", |
| "Ref.Extend", |
| "Ref.OutputVars", |
| "Rule.Copy", |
| "SetComprehension.Copy", |
| "SomeDecl.Copy", |
| "Term.Copy", |
| "Term.Vars", |
| "Transform", |
| "TransformComprehensions", |
| "TransformRefs", |
| "TransformVars", |
| "TreeNode.DepthFirst", |
| "TypeEnv.Get", |
| "Unify", |
| "ValueMap.Copy", |
| "ValueMap.Equal", |
| "ValueMap.Hash", |
| "ValueMap.Iter", |
| "ValueMap.MarshalJSON", |
| "ValueMap.String", |
| "ValueToInterface", |
| "VarVisitor.Walk", |
| "Walk", |
| "WalkBeforeAndAfter", |
| "WalkBodies", |
| "WalkClosures", |
| "WalkExprs", |
| "WalkNodes", |
| "WalkRefs", |
| "WalkRules", |
| "WalkTerms", |
| "WalkVars", |
| "WalkWiths", |
| "With.Copy", |
| "baseDocEqIndex.AllRules", |
| "baseDocEqIndex.Build", |
| "baseDocEqIndex.Lookup", |
| "bodySafetyTransformer.Visit", |
| "comprehensionIndexNestedCandidateVisitor.Walk", |
| "comprehensionIndexRegressionCheckVisitor.Walk", |
| "isBuiltinRefOrVar", |
| "metadataParser.Parse", |
| "object.Copy", |
| "object.Diff", |
| "object.Filter", |
| "object.Foreach", |
| "object.Intersect", |
| "object.Iter", |
| "object.Map", |
| "object.Merge", |
| "object.MergeWith", |
| "object.Until", |
| "queryCompiler.Compile", |
| "queryCompiler.checkDeprecatedBuiltins", |
| "queryCompiler.checkUnsafeBuiltins", |
| "refChecker.Visit", |
| "refindices.Sorted", |
| "refindices.Update", |
| "rewriteNestedHeadVarLocalTransform.Visit", |
| "rewriteWithModifier", |
| "rewriteWithModifiersInBody", |
| "ruleArgLocalRewriter.Visit", |
| "ruleWalker.Do", |
| "set.Copy", |
| "set.Diff", |
| "set.Foreach", |
| "set.Intersect", |
| "set.Iter", |
| "set.Map", |
| "set.Reduce", |
| "set.Union", |
| "set.Until", |
| "trieNode.Do", |
| "trieNode.Traverse", |
| "trieTraversalResult.Add", |
| "typeChecker.CheckBody", |
| "typeChecker.CheckTypes", |
| "validateWith", |
| "validateWithFunctionValue" |
| ] |
| } |
| ] |
| } |
| } |
| ], |
| "references": [ |
| { |
| "type": "ADVISORY", |
| "url": "https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://github.com/open-policy-agent/opa/pull/4540" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://github.com/open-policy-agent/opa/pull/4616" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823" |
| }, |
| { |
| "type": "FIX", |
| "url": "https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8" |
| }, |
| { |
| "type": "WEB", |
| "url": "https://github.com/open-policy-agent/opa/releases/tag/v0.43.1" |
| } |
| ], |
| "credits": [ |
| { |
| "name": "anderseknert@" |
| } |
| ], |
| "database_specific": { |
| "url": "https://pkg.go.dev/vuln/GO-2022-0978", |
| "review_status": "REVIEWED" |
| } |
| } |