Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Safety check incorrect for := and with #1154

Closed
tim-styra opened this issue Jan 13, 2019 · 0 comments
Closed

Safety check incorrect for := and with #1154

tim-styra opened this issue Jan 13, 2019 · 0 comments
Labels
bug

Comments

@tim-styra
Copy link
Contributor

Expected Behavior

Both of the following rules should be safe. They only differ in that one assigns x := and the other assigns x =

package foo
bar {
    q := 1
    x = data.qux with input as q
}

package foo
bar {
    q := 1
    x := data.qux with input as q
}

Actual Behavior

First rule is safe. Second rule is unsafe:

error: compile error: 1 error occurred: t.rego:2: rego_unsafe_var_error: var q is unsafe

Steps to Reproduce the Problem

opa run with either one of the above modules.

Additional Info
@tsandall tsandall added the bug label Jan 14, 2019
tsandall added a commit to tsandall/opa that referenced this issue Jan 14, 2019
@tsandall
ast: Fix rewriting of assignment values
f43c2cf 
The rewriting was not recursing into with keyword values in assignment
statements. This would typically lead to false-positive safety
errors. Also, fix assignment check to propagate errors in nested
bodies.

Fixes open-policy-agent#1154

Signed-off-by: Torin Sandall <torinsandall@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tsandall @tim-styra