PT-2022-23174 · Unknown · Open Policy Agent

Srenatus · Published 2022-09-08 · Updated 2022-09-16 · CVE-2022-36085

CVSS v3.1: 7.4 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Open Policy Agent (OPA) versions prior to 0.43.1

Description: The Rego compiler in Open Policy Agent (OPA) has a deprecated WithUnsafeBuiltins function that allows users to specify built-in functions to be rejected by the compiler. However, a bypass of this protection has been found: the use of the with keyword to mock a built-in function isn't taken into account by WithUnsafeBuiltins. This issue can be exploited only if multiple conditions are met, including the use of the Go API for policy evaluation, the use of the WithUnsafeBuiltins method, and the evaluation of policies from untrusted parties. The http.send and opa.runtime built-in functions are considered unsafe in certain integrations. The OPA Query API is also affected if it is exposed to the public without proper authentication and authorization.
Recommendations: For versions prior to 0.43.1, use the capabilities feature instead of the WithUnsafeBuiltins function to specify the allowed built-in functions. To do this, obtain the capabilities for the running version with the ast.CapabilitiesForThisVersion() function, remove the unwanted built-in functions from the capabilities, and then pass the result to the WithCapabilities method instead of calling WithUnsafeBuiltins when creating a new compiler. As a temporary workaround, avoid using the WithUnsafeBuiltins function until a patch is available. For example, change code that uses WithUnsafeBuiltins to use WithCapabilities as shown in the provided examples.

Exploit

Fix

Protection Mechanism Failure

RCE


Weakness Enumeration

Related Identifiers

CVE-2022-36085
GHSA-F524-RF33-2JJR
GO-2022-0978

Affected Products

Open Policy Agent