search

open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0
9.5k stars 1.32k forks source link

object.subset method fails to correctly determine whether two arrays are in a parent-child relationship. #5968

Closed DCRUNNN closed 1 year ago

DCRUNNN commented 1 year ago

Short description

The object.subset method seems to have a bug when determining whether two arrays are in a parent-child relationship. Here is an example:

Steps To Reproduce

rego file:

array1 := [1,2,3,4,5]
array2 := [6,7,8]
object.subset(array1, array2)

expect:false got:true

you can run the example above on the playground

Additional context

This seems to be caused by line 201 in the file https://github.com/open-policy-agent/opa/blob/main/topdown/subset.go.

I have written a custom function locally to determine whether two arrays are in a parent-child relationship, and modifying it as superElem := super.Elem(superCursor + subCursor) can solve the issue.

This is the information regarding this problem. Please review it, and I will submit a PR later.

anderseknert commented 1 year ago

Thanks @DCRUNNN! That looks like a bug indeed. A PR including tests for this case sounds like a great next step! 😃

DCRUNNN commented 1 year ago

@anderseknert thanks for the reply! PTAL:https://github.com/open-policy-agent/opa/pull/5969

anderseknert commented 1 year ago

Nice! Thanks @DCRUNNN 👍

Fixed in https://github.com/open-policy-agent/opa/pull/5969