
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-36085 is a security vulnerability in Open Policy Agent (OPA) affecting versions >= v0.40.0 and < v0.44.0. It allows the WithUnsafeBuiltins protection mechanism to be bypassed by using the 'with' keyword to mock built-in functions, a capability introduced in OPA v0.40.0. As a result, untrusted policies could execute unsafe built-in functions that were intended to be blocked (OPA Advisory).
The vulnerability exists in the Rego compiler's WithUnsafeBuiltins function, which lets integrators name built-in functions that must be rejected during policy compilation. The bypass occurs when the 'with' keyword is used to mock a built-in function, because the replacement value is not checked against the unsafe-builtins list. For example, a policy can evade a restriction on http.send by calling a permitted built-in and then substituting http.send for it when the calling rule is evaluated (OPA Advisory):

    foo := is_object({"method": "get", "url": "https://example.com"})

    allow := r {
        r := foo with is_object as http.send
    }
The vulnerability can lead to execution of unsafe built-in functions that were intended to be blocked, potentially exposing sensitive information through functions like opa.runtime or allowing unauthorized network requests through http.send. This is particularly concerning in environments where untrusted policies are accepted for evaluation (OPA Advisory).
The vulnerability has been patched in versions v0.43.1 and v0.44.0. For users unable to upgrade, the recommended workaround is to use the capabilities feature instead of the deprecated WithUnsafeBuiltins function: start from ast.CapabilitiesForThisVersion(), remove the unsafe built-ins from it, and configure the compiler with the resulting capabilities so that the excluded built-ins are unknown to it (OPA Advisory).
Source: This report was generated using AI