blob: a7d610ddc22062c537bdc08ee971b1e2054f5ad0 [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2022-0978",
"modified": "0001-01-01T00:00:00Z",
"published": "2022-09-13T17:40:16Z",
"aliases": [
"CVE-2022-36085",
"GHSA-f524-rf33-2jjr"
],
"summary": "Protection bypass in github.com/open-policy-agent/opa",
"details": "Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) WithUnsafeBuiltins function, which allows users to provide a set of built-in functions that should be deemed unsafe and rejected by the compiler if encountered in the policy compilation stage.\n\nA bypass of this protection is possible when using the \"with\" keyword to mock a built-in function that isn't taken into account by WithUnsafeBuiltins.",
"affected": [
{
"package": {
"name": "github.com/open-policy-agent/opa",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0.40.0"
},
{
"fixed": "0.44.0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/open-policy-agent/opa/ast",
"symbols": [
"Args.Copy",
"Args.Vars",
"Array.Copy",
"Array.Foreach",
"Array.Iter",
"Array.Until",
"ArrayComprehension.Copy",
"BeforeAfterVisitor.Walk",
"Body.Copy",
"Body.Vars",
"Call.Copy",
"CompileModules",
"CompileModulesWithOpt",
"Compiler.Compile",
"Compiler.GetRulesDynamic",
"Compiler.GetRulesDynamicWithOpts",
"Compiler.PassesTypeCheck",
"Compiler.rewriteWithModifiers",
"ContainsClosures",
"ContainsComprehensions",
"ContainsRefs",
"Copy",
"Every.Copy",
"Every.KeyValueVars",
"Expr.Copy",
"Expr.CopyWithoutTerms",
"Expr.Vars",
"GenericTransformer.Transform",
"GenericVisitor.Walk",
"Head.Copy",
"Head.Vars",
"Import.Copy",
"IsConstant",
"JSON",
"JSONWithOpt",
"Module.Copy",
"Module.UnmarshalJSON",
"MustCompileModules",
"MustCompileModulesWithOpts",
"MustJSON",
"MustParseBody",
"MustParseBodyWithOpts",
"MustParseExpr",
"MustParseImports",
"MustParseModule",
"MustParseModuleWithOpts",
"MustParsePackage",
"MustParseRef",
"MustParseRule",
"MustParseStatement",
"MustParseStatements",
"MustParseTerm",
"NewGraph",
"ObjectComprehension.Copy",
"OutputVarsFromBody",
"OutputVarsFromExpr",
"Package.Copy",
"ParseBody",
"ParseBodyWithOpts",
"ParseExpr",
"ParseImports",
"ParseModule",
"ParseModuleWithOpts",
"ParsePackage",
"ParseRef",
"ParseRule",
"ParseStatement",
"ParseStatements",
"ParseStatementsWithOpts",
"ParseTerm",
"Parser.Parse",
"Pretty",
"QueryContext.Copy",
"Ref.ConstantPrefix",
"Ref.Copy",
"Ref.Dynamic",
"Ref.Extend",
"Ref.OutputVars",
"Rule.Copy",
"SetComprehension.Copy",
"SomeDecl.Copy",
"Term.Copy",
"Term.Vars",
"Transform",
"TransformComprehensions",
"TransformRefs",
"TransformVars",
"TreeNode.DepthFirst",
"TypeEnv.Get",
"Unify",
"ValueMap.Copy",
"ValueMap.Equal",
"ValueMap.Hash",
"ValueMap.Iter",
"ValueMap.MarshalJSON",
"ValueMap.String",
"ValueToInterface",
"VarVisitor.Walk",
"Walk",
"WalkBeforeAndAfter",
"WalkBodies",
"WalkClosures",
"WalkExprs",
"WalkNodes",
"WalkRefs",
"WalkRules",
"WalkTerms",
"WalkVars",
"WalkWiths",
"With.Copy",
"baseDocEqIndex.AllRules",
"baseDocEqIndex.Build",
"baseDocEqIndex.Lookup",
"bodySafetyTransformer.Visit",
"comprehensionIndexNestedCandidateVisitor.Walk",
"comprehensionIndexRegressionCheckVisitor.Walk",
"isBuiltinRefOrVar",
"metadataParser.Parse",
"object.Copy",
"object.Diff",
"object.Filter",
"object.Foreach",
"object.Intersect",
"object.Iter",
"object.Map",
"object.Merge",
"object.MergeWith",
"object.Until",
"queryCompiler.Compile",
"queryCompiler.checkDeprecatedBuiltins",
"queryCompiler.checkUnsafeBuiltins",
"refChecker.Visit",
"refindices.Sorted",
"refindices.Update",
"rewriteNestedHeadVarLocalTransform.Visit",
"rewriteWithModifier",
"rewriteWithModifiersInBody",
"ruleArgLocalRewriter.Visit",
"ruleWalker.Do",
"set.Copy",
"set.Diff",
"set.Foreach",
"set.Intersect",
"set.Iter",
"set.Map",
"set.Reduce",
"set.Union",
"set.Until",
"trieNode.Do",
"trieNode.Traverse",
"trieTraversalResult.Add",
"typeChecker.CheckBody",
"typeChecker.CheckTypes",
"validateWith",
"validateWithFunctionValue"
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr"
},
{
"type": "FIX",
"url": "https://github.com/open-policy-agent/opa/pull/4540"
},
{
"type": "FIX",
"url": "https://github.com/open-policy-agent/opa/pull/4616"
},
{
"type": "FIX",
"url": "https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823"
},
{
"type": "FIX",
"url": "https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8"
},
{
"type": "WEB",
"url": "https://github.com/open-policy-agent/opa/releases/tag/v0.43.1"
}
],
"credits": [
{
"name": "anderseknert@"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0978",
"review_status": "REVIEWED"
}
}