| id: GO-2022-0978 |
| modules: |
| - module: github.com/open-policy-agent/opa |
| versions: |
| - introduced: 0.40.0 |
| - fixed: 0.44.0 |
| vulnerable_at: 0.43.0 |
| packages: |
| - package: github.com/open-policy-agent/opa/ast |
| symbols: |
| - Compiler.rewriteWithModifiers |
| - isBuiltinRefOrVar |
| - queryCompiler.checkDeprecatedBuiltins |
| - queryCompiler.checkUnsafeBuiltins |
| - rewriteWithModifier |
| - rewriteWithModifiersInBody |
| - validateWith |
| - validateWithFunctionValue |
| derived_symbols: |
| - Args.Copy |
| - Args.Vars |
| - Array.Copy |
| - Array.Foreach |
| - Array.Iter |
| - Array.Until |
| - ArrayComprehension.Copy |
| - BeforeAfterVisitor.Walk |
| - Body.Copy |
| - Body.Vars |
| - Call.Copy |
| - CompileModules |
| - CompileModulesWithOpt |
| - Compiler.Compile |
| - Compiler.GetRulesDynamic |
| - Compiler.GetRulesDynamicWithOpts |
| - Compiler.PassesTypeCheck |
| - ContainsClosures |
| - ContainsComprehensions |
| - ContainsRefs |
| - Copy |
| - Every.Copy |
| - Every.KeyValueVars |
| - Expr.Copy |
| - Expr.CopyWithoutTerms |
| - Expr.Vars |
| - GenericTransformer.Transform |
| - GenericVisitor.Walk |
| - Head.Copy |
| - Head.Vars |
| - Import.Copy |
| - IsConstant |
| - JSON |
| - JSONWithOpt |
| - Module.Copy |
| - Module.UnmarshalJSON |
| - MustCompileModules |
| - MustCompileModulesWithOpts |
| - MustJSON |
| - MustParseBody |
| - MustParseBodyWithOpts |
| - MustParseExpr |
| - MustParseImports |
| - MustParseModule |
| - MustParseModuleWithOpts |
| - MustParsePackage |
| - MustParseRef |
| - MustParseRule |
| - MustParseStatement |
| - MustParseStatements |
| - MustParseTerm |
| - NewGraph |
| - ObjectComprehension.Copy |
| - OutputVarsFromBody |
| - OutputVarsFromExpr |
| - Package.Copy |
| - ParseBody |
| - ParseBodyWithOpts |
| - ParseExpr |
| - ParseImports |
| - ParseModule |
| - ParseModuleWithOpts |
| - ParsePackage |
| - ParseRef |
| - ParseRule |
| - ParseStatement |
| - ParseStatements |
| - ParseStatementsWithOpts |
| - ParseTerm |
| - Parser.Parse |
| - Pretty |
| - QueryContext.Copy |
| - Ref.ConstantPrefix |
| - Ref.Copy |
| - Ref.Dynamic |
| - Ref.Extend |
| - Ref.OutputVars |
| - Rule.Copy |
| - SetComprehension.Copy |
| - SomeDecl.Copy |
| - Term.Copy |
| - Term.Vars |
| - Transform |
| - TransformComprehensions |
| - TransformRefs |
| - TransformVars |
| - TreeNode.DepthFirst |
| - TypeEnv.Get |
| - Unify |
| - ValueMap.Copy |
| - ValueMap.Equal |
| - ValueMap.Hash |
| - ValueMap.Iter |
| - ValueMap.MarshalJSON |
| - ValueMap.String |
| - ValueToInterface |
| - VarVisitor.Walk |
| - Walk |
| - WalkBeforeAndAfter |
| - WalkBodies |
| - WalkClosures |
| - WalkExprs |
| - WalkNodes |
| - WalkRefs |
| - WalkRules |
| - WalkTerms |
| - WalkVars |
| - WalkWiths |
| - With.Copy |
| - baseDocEqIndex.AllRules |
| - baseDocEqIndex.Build |
| - baseDocEqIndex.Lookup |
| - bodySafetyTransformer.Visit |
| - comprehensionIndexNestedCandidateVisitor.Walk |
| - comprehensionIndexRegressionCheckVisitor.Walk |
| - metadataParser.Parse |
| - object.Copy |
| - object.Diff |
| - object.Filter |
| - object.Foreach |
| - object.Intersect |
| - object.Iter |
| - object.Map |
| - object.Merge |
| - object.MergeWith |
| - object.Until |
| - queryCompiler.Compile |
| - refChecker.Visit |
| - refindices.Sorted |
| - refindices.Update |
| - rewriteNestedHeadVarLocalTransform.Visit |
| - ruleArgLocalRewriter.Visit |
| - ruleWalker.Do |
| - set.Copy |
| - set.Diff |
| - set.Foreach |
| - set.Intersect |
| - set.Iter |
| - set.Map |
| - set.Reduce |
| - set.Union |
| - set.Until |
| - trieNode.Do |
| - trieNode.Traverse |
| - trieTraversalResult.Add |
| - typeChecker.CheckBody |
| - typeChecker.CheckTypes |
| summary: Protection bypass in github.com/open-policy-agent/opa |
| description: |- |
| Open Policy Agent (OPA) is an open source, general-purpose policy engine. The |
| Rego compiler provides a (deprecated) WithUnsafeBuiltins function, which allows |
| users to provide a set of built-in functions that should be deemed unsafe and |
| rejected by the compiler if encountered in the policy compilation stage. |
| |
| A bypass of this protection is possible when using the "with" keyword to mock a |
| built-in function that isn't taken into account by WithUnsafeBuiltins. |
| published: 2022-09-13T17:40:16Z |
| cves: |
| - CVE-2022-36085 |
| ghsas: |
| - GHSA-f524-rf33-2jjr |
| credits: |
| - anderseknert@ |
| references: |
| - advisory: https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr |
| - fix: https://github.com/open-policy-agent/opa/pull/4540 |
| - fix: https://github.com/open-policy-agent/opa/pull/4616 |
| - fix: https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823 |
| - fix: https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8 |
| - web: https://github.com/open-policy-agent/opa/releases/tag/v0.43.1 |
| review_status: REVIEWED |