CVE-2022-36085: compiler: allow for mocking built-in functions via "with" by srenatus · Pull Request #4540 · open-policy-agent/opa
Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe — and as such rejected — by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the `with` keyword to mock such a built-in function (a feature introduced in OPA v0.40.0) isn’t taken into account by `WithUnsafeBuiltins`. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the `WithUnsafeBuiltins` function and use the `capabilities` feature instead.
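As an added illustration (not OPA's own code), the Python helpers below show the two sides of the workaround: stripping a denied built-in such as `http.send` from a capabilities document, so the compiler no longer knows it at all, and scanning Rego source for the `with ... as <built-in>` mock form that `WithUnsafeBuiltins` did not catch before v0.43.1, alongside direct calls. The capabilities document is a constructed sample in the shape of `opa capabilities --current` output, and the policy is the one quoted in the Impact section below; the scan is a line-based heuristic, not a Rego parser.

```python
import json
import re

# Constructed sample shaped like `opa capabilities --current` output,
# trimmed to two built-ins; a real document lists every built-in.
SAMPLE_CAPABILITIES = json.dumps({
    "builtins": [
        {"name": "is_object", "decl": {"type": "function", "args": [{"type": "any"}], "result": {"type": "boolean"}}},
        {"name": "http.send", "decl": {"type": "function", "args": [{"type": "object"}], "result": {"type": "object"}}},
    ],
    "future_keywords": ["every", "in"],
})

# Constructed sample: the advisory's policy, which compiled under
# WithUnsafeBuiltins({"http.send"}) on versions before v0.43.1.
SAMPLE_POLICY = """\
package policy

foo := is_object({
  "method": "get",
  "url": "https://www.openpolicyagent.org"
})

allow := r {
  r := foo with is_object as http.send
}
"""

def restrict_capabilities(caps_json, denied):
    """Drop the denied built-ins from a capabilities document. A compiler
    loaded with the result rejects every reference to them, direct call or
    `with ... as` mock target alike, which the deny list did not guarantee."""
    caps = json.loads(caps_json)
    caps["builtins"] = [b for b in caps["builtins"] if b["name"] not in set(denied)]
    return json.dumps(caps, indent=2)

WITH_MOCK = re.compile(r"\bwith\s+[\w.]+\s+as\s+([A-Za-z_][\w.]*)")
DIRECT_CALL = re.compile(r"\b([A-Za-z_][\w.]*)\s*\(")

def find_denied_builtins(policy, denied):
    """Heuristic scan of Rego source for denied built-ins, reported as
    (line, name, kind) with kind "call" or "with-mock". Trailing `#` comments
    are ignored; a `#` inside a string literal is mistaken for one."""
    denied, hits = set(denied), []
    for n, line in enumerate(policy.splitlines(), 1):
        code = line.split("#", 1)[0]
        hits += [(n, m.group(1), "with-mock") for m in WITH_MOCK.finditer(code) if m.group(1) in denied]
        hits += [(n, m.group(1), "call") for m in DIRECT_CALL.finditer(code) if m.group(1) in denied]
    return hits
```

The scan is useful for auditing policies on an OPA older than v0.43.1 that still relies on the deny list; on any version, loading the compiler with the restricted capabilities document is the durable fix.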
Signed-off-by: Damien Burks [email protected]
updating changes to allow for multiple format strings
Signed-off-by: Damien Burks [email protected]
fixing golint issues
Signed-off-by: Damien Burks [email protected]
fixing golint issues
Signed-off-by: Damien Burks [email protected]
making recommended change: package level variable
Signed-off-by: Damien Burks [email protected]
adding support for explicit argument indexes
Signed-off-by: Damien Burks [email protected]
format: don’t add ‘in’ keyword import when ‘every’ is there (open-policy-agent#4607)
Also ensure that added imports have a location set.
Previously, `opa fmt` on the added test file would have panicked because the import hadn’t had a location.
Fixes open-policy-agent#4606.
Signed-off-by: Stephan Renatus [email protected]
ast+topdown+planner: allow for mocking built-in functions via “with” (open-policy-agent#4540)
With this change, we can replace calls to built-in functions via `with`. The replacement can either be a value – which will be used as the return value for every call to the mocked built-in – or a reference to a non-built-in function – when the results need to depend on the call’s arguments.
Compiler, topdown, and planner have been adapted in this change. The included docs changes describe the replacement options further.
Fixes first part of open-policy-agent#4449. (Missing are non-built-in functions as mock targets.)
Signed-off-by: Stephan Renatus [email protected]
build(deps): bump google.golang.org/grpc from 1.45.0 to 1.46.0 (open-policy-agent#4617)
docs/policy-testing: use assignment operator in mocks (open-policy-agent#4618)
Additionally, simplify one test example.
Signed-off-by: Anders Eknert [email protected]
cmd/capabilities: expose capabilities through CLI (open-policy-agent#4588)
There is a new command argument "capabilities". With this, it is possible to print the current capabilities version, show all capabilities versions & print any capabilities version, without the need of a file. Moreover, for the other commands which use the --capabilities flag, it is possible to give only the version number, without specifying a file. However, there are no breaking changes for those who use the capabilities file as an input for the flag. Unit tests were also written, in order to test the new argument and the changes made in ast.
Fixes: open-policy-agent#4236
Signed-off-by: IoannisMatzaris [email protected]
format,eval: don’t use source locations when formatting PE output (open-policy-agent#4611)
* format: allow ignoring source locations
* cmd/eval: format disregarding source locations for partial result
Before, we’d see this output:
```
$ opa eval -p -fsource 'time.clock(input.x)==time.clock(input.y)'
time.clock(time.clock(input.x), input.y)
```
Now, we get the proper answer: `time.clock(input.y, time.clock(input.x))`.
Note that it’s a _display_ issue; the JSON output of PE has not been affected.
Fixes open-policy-agent#4609.
Signed-off-by: Stephan Renatus [email protected]
build(deps): bump github/codeql-action from 1 to 2 (open-policy-agent#4621)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1 to 2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v1…v2)
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
…
Signed-off-by: dependabot[bot] [email protected]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
status: Remove activeRevision label on all but one metric (open-policy-agent#4600)
Having one activeRevision label on each of the prometheus metrics emitted by the status plugin has proven to be problematic with a large number of bundles. So with this change,
- we keep the activeRevision label (just on) the last_success_bundle_activation metric.
- the gauge gets reset, so we only keep the last active_revision (instead of keeping them all and therefore avoiding the situation where the /metrics output grows indefinitely)
Fixes open-policy-agent#4584.
Signed-off-by: cmuraru [email protected]
website: add playground button to navbar (open-policy-agent#4622)
Addressing one tiny bit of open-policy-agent#4614.
Signed-off-by: Stephan Renatus [email protected]
topdown/net: require prefix length for IPv6 in net.cidr_merge (open-policy-agent#4613)
There are no default prefixes in IPv6, so if an IPv6 without a prefix is fed into net.cidr_merge, we’ll return a non-halt error now.
Before, we’d fail in various ways if a prefix-less IPv6 was fed into `net.cidr_merge`. With only one, we’d return `[ "<nil>" ]`, with two, we’d panic.
Fixes open-policy-agent#4596.
Signed-off-by: Stephan Renatus [email protected]
Dockerfile: add source annotation (open-policy-agent#4626)
`org.opencontainers.image.source` URL to get source code for building the image (string)
https://github.com/opencontainers/image-spec/blob/main/annotations.md
Signed-off-by: Stephan Renatus [email protected]
build(deps): bump github.com/fsnotify/fsnotify v1.5.2 -> v1.5.4 (open-policy-agent#4628)
https://github.com/fsnotify/fsnotify/releases/tag/v1.5.4
Signed-off-by: Stephan Renatus [email protected]
docs: update version in kubernetes examples (open-policy-agent#4627)
Signed-off-by: yongen.pan [email protected]
bundle/status: Include bundle type in status information
OPA has support for Delta Bundles. The status object already contains valuable information such as last activation timestamp but does not specify if the bundle was a canonical snapshot or delta.
This change updates the bundle.Status object to include the bundle type string: either “snapshot” or "delta". This can be useful for status endpoints to differentiate between the bundle types.
Issue: 4477
Signed-off-by: Bryan Fulton [email protected]
ast+topdown+planner: replacement of non-built-in functions via ‘with’ (open-policy-agent#4616)
Follow-up to open-policy-agent#4540
We can now mock functions that are user-defined:
```rego
package test

f(_) = 1 {
  input.x = "x"
}

p = y {
  y := f(1) with f as 2
}
```
…following the same scoping rules as laid out for built-in mocks. The replacement can be a value (replacing all calls), or a built-in, or another non-built-in function.
Also addresses bugs in the previous slice:
* topdown/evalCall: account for empty rules result from indexer
* topdown/eval: capture value replacement in PE could panic
Note: in PE, we now drop ‘with’ for function mocks of any kind:
These are always fully replaced in the saved support modules, so this should be OK.
When keeping them, we’d also have to either copy the existing definitions into the support module; or create a function stub in it.
Fixes open-policy-agent#4449.
Signed-off-by: Stephan Renatus [email protected]
format: keep whitespaces for multiple indented same-line withs (open-policy-agent#4635)
Fixes open-policy-agent#4634.
Signed-off-by: Stephan Renatus [email protected]
downloader: support for downloading bundles from an OCI registry (open-policy-agent#4558)
Initial support for open-policy-agent#4518.
Configuration uses the ‘services’ config for registries, via the “type: oci” field. Bundles configured to pull from that service will then use OCI.
```yaml
services:
  ghcr-registry:
    url: https://ghcr.io
    type: oci
bundles:
  authz:
    service: ghcr-registry
    resource: ghcr.io/${ORGANIZATION}/${REPOSITORY}:${TAG}
    persist: true
    polling:
      min_delay_seconds: 60
      max_delay_seconds: 120
persistence_directory: ${PERSISTENCE_PATH}
```
Service credentials are supported: if you want to pull from a private registry, use
```yaml
services:
  ghcr-registry:
    url: https://ghcr.io
    type: oci
    credentials:
      bearer:
        token: ${GH_PAT}
```
If no `persistence_directory` is configured, the data is stored in a directory under /tmp.
See docs/devel/OCI.md for manual steps to test this feature with some OCI registry (like ghcr.io).
Signed-off-by: carabasdaniel [email protected]
Prepare v0.40.0 Release (open-policy-agent#4631)
Signed-off-by: Stephan Renatus [email protected]
Prepare v0.41.0 development (open-policy-agent#4636)
Signed-off-by: Stephan Renatus [email protected]
docs: Adding example for `rego.metadata.role()` usage (open-policy-agent#4640)
Signed-off-by: Johan Fylling [email protected]
build(deps): bump oras.land/oras-go from 1.1.0 to 1.1.1 (open-policy-agent#4643)
Bumps [oras.land/oras-go](https://github.com/oras-project/oras-go) from 1.1.0 to 1.1.1.
- [Release notes](https://github.com/oras-project/oras-go/releases)
- [Commits](oras-project/oras-go@v1.1.0…v1.1.1)
updated-dependencies:
- dependency-name: oras.land/oras-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
…
Signed-off-by: dependabot[bot] [email protected]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
build(deps): bump OpenTelemetry 1.6.3 -> 1.7.0 (open-policy-agent#4649)
https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.7.0 https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.7.0
Signed-off-by: Stephan Renatus [email protected]
build(deps): bump github.com/containerd/containerd from 1.6.2 to 1.6.3 (open-policy-agent#4654)
Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.6.2 to 1.6.3.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v1.6.2…v1.6.3)
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-type: direct:production
  update-type: version-update:semver-patch
…
Signed-off-by: dependabot[bot] [email protected]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Update k8s examples to the latest schema (open-policy-agent#4655)
Signed-off-by: Víctor Martínez Bevià [email protected]
Fix incorrect padding claims (open-policy-agent#4657)
Signed-off-by: Anders Eknert [email protected]
build(deps): bump github.com/containerd/containerd from 1.6.3 to 1.6.4 (open-policy-agent#4662)
Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.6.3 to 1.6.4.
- [Release notes](https://github.com/containerd/containerd/releases)
- [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- [Commits](containerd/containerd@v1.6.3…v1.6.4)
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-type: direct:production
  update-type: version-update:semver-patch
…
Signed-off-by: dependabot[bot] [email protected]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
build(deps): bump docker/setup-qemu-action from 1 to 2 (open-policy-agent#4668)
build(deps): bump docker/setup-buildx-action from 1 to 2 (open-policy-agent#4669)
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 1 to 2.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@v1…v2)
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-major
…
Signed-off-by: dependabot[bot] [email protected]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
build(deps): github.com/bytecodealliance/wasmtime-go 0.35.0 -> 0.36.0 (open-policy-agent#4652)
* build(deps): bump wasmtime-go: 0.35.0 -> 0.36.0
* internal/wasm: adapt to using epoch-based interruption
Looks like we don’t get frames for this.
Also, there is currently no better way than comparing the message, as the trap code isn’t surfaced (yet).
Fixes open-policy-agent#4663.
Signed-off-by: Stephan Renatus [email protected]
ecosystem: Add Sansshell (open-policy-agent#4674)
Signed-off-by: James Chacon [email protected]
topdown: Add units.parse builtin (open-policy-agent#4676)
This function works on all base decimal and binary SI units of the set:
m, K/Ki, M/Mi, G/Gi, T/Ti, P/Pi, and E/Ei
Note: Unlike `units.parse_bytes`, this function is case sensitive.
Fixes open-policy-agent#1802.
Signed-off-by: Philip Conrad [email protected]
docs/contrib-code: Add capabilities step to built-in functions tutorial (open-policy-agent#4677)
Signed-off-by: Philip Conrad [email protected]
Add nginx integration (open-policy-agent#4682)
Signed-off-by: Anders Eknert [email protected]
util/Unmarshal: if it’s JSON, skip YAMLtoJSON (open-policy-agent#4681)
This helper accepts JSON or YAML, and used to do this:
- For YAML input, yaml.YAMLToJSON would parse it as yaml, marshal it to JSON, and pass that back out to be passed to UnmarshalJSON
- For JSON input, yaml.YAMLToJSON would also parse it as yaml, marshal it to JSON, and pass that back out to UnmarshalJSON
Issue open-policy-agent#4673 has shown that the theoretical “superset” property of YAML doesn’t seem to hold in all cases.
So now, we’ll do this:
- For YAML input, yaml.YAMLToJSON would parse it as yaml, marshal it to JSON, and pass that back out to be passed to UnmarshalJSON
- For JSON input, json.Valid will determine that it’s JSON, and we’ll feed it into UnmarshalJSON as-is.
The YAML path (1.) still seems suboptimal, but I also suspect that JSON is more common. Also, this change shouldn’t make the YAML path much worse: determining that a YAML string isn’t valid JSON should be quick.
Signed-off-by: Stephan Renatus [email protected]
OCI: skip reloading bundle if tarball SHA did not change (open-policy-agent#4658)
Fixes open-policy-agent#4637.
Signed-off-by: carabasdaniel [email protected]
docs/content: Correct --tls-ca-cert-path in security doc (open-policy-agent#4686)
Change --tls-ca-cert-path to --tls-ca-cert-file since --tls-ca-cert-path is not a valid option (and a typo)
Fixes: open-policy-agent#4678
Signed-off-by: Krishna Pramod A [email protected]
refactoring: adding helper method for sprintf
### Impact
The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe — and as such rejected — by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the `with` keyword to mock such a built-in function (a feature introduced in OPA v0.40.0) isn’t taken into account by `WithUnsafeBuiltins`. The same method is exposed via `rego.UnsafeBuiltins` in the `github.com/open-policy-agent/opa/rego` package. When provided e.g. the `http.send` built-in function to `WithUnsafeBuiltins`, the following policy would still compile, and call the `http.send` function with the arguments provided to the `is_object` function when evaluated:

```rego
package policy

foo := is_object({
  "method": "get",
  "url": "https://www.openpolicyagent.org"
})

allow := r {
  r := foo with is_object as http.send
}
```

Both built-in functions ...