open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0

Relax safety check for comprehensions #3904

Open tsandall opened 3 years ago

tsandall commented 3 years ago

The safety check doesn't reorder expressions around comprehensions before checking nested bodies. As a result, the safety check can generate false positives. Consider:

```rego
x = y.a
y = input.y
{1 | x}
```

In this contrived example, x will not be considered safe when the comprehension is checked. As a result, the body of the comprehension on L3 will be considered unsafe. The reason x is not considered safe is that the safety reordering will not have been applied to the first two expressions yet.

We should improve the safety check so that comprehensions do not have to be checked up-front and instead can be checked in the process of normal reordering.
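A toy Go model of the behaviour described in the comment above, added here as an illustration and not taken from OPA's source. `Expr`, `Check`, `upFront` and `Issue` are hypothetical names, and each toy expression reads and binds at most one variable.

```go
package main

import "fmt"

// Expr is a toy stand-in for one body expression (an assumption, not OPA's AST).
type Expr struct {
	Text, Needs, Binds string // source text, variable read, variable bound ("" = none)
	Comp               bool   // comprehension; Needs is the outer variable its body reads
}

// Check reorders body for safety and returns the order plus anything unsafe.
// With upFront set, a comprehension is judged on the first in-order sweep,
// before reordering can move the expressions it depends on ahead of it.
func Check(body []Expr, upFront bool) (order, unsafe []string) {
	safe := map[string]bool{"": true, "input": true} // "" = needs nothing; input is global
	for first, moved := true, true; moved; first = false {
		moved = false
		var rest []Expr
		for _, e := range body {
			switch {
			case safe[e.Needs]:
				order, moved = append(order, e.Text), true
				safe[e.Binds] = true
			case e.Comp && upFront && first:
				unsafe = append(unsafe, e.Text) // judged too early, never retried
			default:
				rest = append(rest, e) // retry on the next sweep
			}
		}
		body = rest
	}
	for _, e := range body {
		unsafe = append(unsafe, e.Text)
	}
	return order, unsafe
}

var Issue = []Expr{ // the body from the issue, hand-encoded (constructed input)
	{Text: "x = y.a", Needs: "y", Binds: "x"},
	{Text: "y = input.y", Needs: "input", Binds: "y"},
	{Text: "{1 | x}", Needs: "x", Comp: true},
}

func main() {
	fmt.Println(Check(Issue, true))  // comprehension reported unsafe (false positive)
	fmt.Println(Check(Issue, false)) // comprehension placed after x is bound
}
```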

stale[bot] commented 2 years ago

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.