Unknown · Open Policy Agent · CVE-2022-36085
**Name of the Vulnerable Software and Affected Versions**
Open Policy Agent (OPA) versions prior to 0.43.1
**Description**
The Rego compiler in Open Policy Agent (OPA) has a deprecated `WithUnsafeBuiltins` function that lets an integrator name built-in functions the compiler should reject. A bypass of this protection has been found: the use of the `with` keyword to mock a built-in function is not taken into account by `WithUnsafeBuiltins`. The issue is exploitable only when several conditions are met together: the Go API is used for policy evaluation, the `WithUnsafeBuiltins` method is relied on, and policies from untrusted parties are evaluated. The `http.send` and `opa.runtime` built-in functions are considered unsafe in certain integrations. The OPA Query API is also affected if it is exposed to the public without proper authentication and authorization.
**Recommendations**
For versions prior to 0.43.1, consider using the `capabilities` feature instead of the `WithUnsafeBuiltins` function to specify allowed built-in functions.
To do this, define the capabilities using the `ast.CapabilitiesForThisVersion()` function and then remove the unwanted built-in functions from the capabilities.
Then, use the `WithCapabilities` method instead of `WithUnsafeBuiltins` when creating a new compiler.
As a temporary workaround, avoid using the `WithUnsafeBuiltins` function until a patch is available.
For example, replace code that calls `WithUnsafeBuiltins` with a call to `WithCapabilities`, passing capabilities from which the unwanted built-ins have been removed.