Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Using non-collections with every should fail #6762

Closed
anderseknert opened this issue May 27, 2024 · 0 comments · Fixed by #6763
Closed

Using non-collections with every should fail #6762

anderseknert opened this issue May 27, 2024 · 0 comments · Fixed by #6763
Labels
bug

Comments

@anderseknert
Copy link
Member

Given an input object like this:

{
    "items": {
        "a": "b"
    }
}

I made a mistake in how I interpreted the input, and used every like this:

allow if {
    some key in ["a", "b", "c"]
    every item in input.items[key] {
        item == "foo"
    }
}

This is non-sensical, as input.items["a"] will return the string "b" and not a collection, but surprisingly this passed.

Not just a runtime issue either, as the this also passes:

every item in 1 {
    item == "foo"
}

I'd expect the every keyword to fail evaluation on anything but a valid collection, both at compile time and runtime.
johanfylling added a commit to johanfylling/opa that referenced this issue May 27, 2024
@johanfylling
Asserting every domain is an iterable type before evaluation
6c72931 
Fixes: open-policy-agent#6762
Signed-off-by: Johan Fylling <johan.dev@fylling.se>
@johanfylling johanfylling mentioned this issue May 27, 2024
Merged
johanfylling added a commit that referenced this issue May 28, 2024
@johanfylling
Asserting every domain is an collection type before evaluation (#6763)
62834a2 
Fixing an issue where a non-collection `every`-domain didn’t fail evaluation.
Removing a possible attack surface, where an attacker with the ability to craft portions of the input document could replace a value with an expected collection type, that is known to be processed by an `every`-statement, with a non-collection value and thereby would cause the policy to accept a query that should otherwise be rejected.

Fixes: #6762
Signed-off-by: Johan Fylling <johan.dev@fylling.se>
@BrewTestBot BrewTestBot mentioned this issue May 30, 2024
Merged
@matajoh matajoh mentioned this issue Jun 4, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Asserting every domain is an iterable type before evaluation johanfylling/opa
1 participant
@anderseknert