chore: bump the go_modules group across 1 directory with 3 updates
Type: Pull Request
State: Open
Author: dependabot[bot]
Association: None
Comments: 0
Labels: dependencies, go
Bumps the go_modules group with 3 updates in the / directory: github.com/justinas/nosurf, github.com/open-policy-agent/opa and github.com/cloudflare/circl.
Updates github.com/justinas/nosurf from 1.1.1 to 1.2.0
Release notes
Sourced from github.com/justinas/nosurf's releases.
v1.2.0
This is a security release for nosurf. It mainly addresses CVE-2025-46721.
This release technically includes breaking changes, as nosurf starts applying same-origin checks that were not previously enforced. In most cases, users will not need to make any changes to their code. However, it is recommended to read the documentation on nosurf's trusted origin checks before upgrading.
Commits
- ec9bb77 Rework origin checks (#74)
- e5c9c1f Add GitHub Actions CI, fix lints and tests
- See full diff in compare view
Updates github.com/open-policy-agent/opa from 1.3.0 to 1.4.0
Release notes
Sourced from github.com/open-policy-agent/opa's releases.
v1.4.0
This release contains a security fix addressing CVE-2025-46569. It also includes a mix of new features, bugfixes, and dependency updates.
Security Fix: CVE-2025-46569 - OPA server Data API HTTP path injection of Rego (GHSA-6m8w-jc87-6cr7)
A vulnerability in the OPA server's Data API allows an attacker to craft the HTTP path in a way that injects Rego code into the query that is evaluated.
The evaluation result cannot be made to return any other data than what is generated by the requested path, but this path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail; opening up for oracle attacks or, given the right circumstances, erroneous policy decision results. Furthermore, the injected code can be crafted to be computationally expensive, resulting in a Denial Of Service (DoS) attack.
Users are only impacted if all of the following apply:
- OPA is deployed as a standalone server (rather than being used as a Go library)
- The OPA server is exposed outside of the local host in an untrusted environment.
- The configured authorization policy does not do exact matching of the input.path attribute when deciding if the request should be allowed.
or, if all of the following apply:
- OPA is deployed as a standalone server.
- The service connecting to OPA allows 3rd parties to insert unsanitised text into the path of the HTTP request to OPA’s Data API.
Note: With no Authorization Policy configured for restricting API access (the default configuration), the RESTful Data API provides access for managing Rego policies; and the RESTful Query API facilitates advanced queries. Full access to these APIs provides both simpler, and broader access than what the security issue describes here can facilitate. As such, OPA servers exposed to a network are not considered affected by the attack described here if they are knowingly not restricting access through an Authorization Policy.
This issue affects all versions of OPA prior to 1.4.0.
See the Security Advisory for more details.
Reported by @GamrayW, @HyouKash, @AdrienIT; authored by @johanfylling
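The second impacted configuration above is a service that forwards third-party text into the Data API path. The following Go helper is added here as an illustration, not code from OPA or from this repository: it builds the Data API URL only from path segments that pass an allowlist, so untrusted text never reaches the request path unchecked (the segment pattern and the OPA base address are assumptions).

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// segmentRE is the assumed allowlist for one path component: identifier
// characters only, so nothing that could restructure the query OPA derives
// from the path is forwarded.
var segmentRE = regexp.MustCompile(`^[A-Za-z0-9_]+$`)

var errBadSegment = errors.New("opa data api: path segment rejected")

// DataAPIURL builds <base>/v1/data/<segments...> for a document path such as
// ["app", "authz", "allow"]. Every caller-supplied segment is checked against
// the allowlist before it becomes part of the request path; the check is the
// control here, since url.JoinPath does not percent-escape its elements.
func DataAPIURL(base string, segments []string) (string, error) {
	if len(segments) == 0 {
		return "", errBadSegment
	}
	for _, s := range segments {
		if !segmentRE.MatchString(s) {
			return "", fmt.Errorf("%w: %q", errBadSegment, s)
		}
	}
	elems := append([]string{"v1", "data"}, segments...)
	return url.JoinPath(base, elems...)
}

func main() {
	// Constructed inputs (hypothetical OPA address): a legitimate document
	// path, and a path whose last segment contains characters the allowlist
	// does not permit.
	const base = "http://localhost:8181"
	for _, segs := range [][]string{
		{"app", "authz", "allow"},
		{"app", "authz", "allow; x"},
	} {
		u, err := DataAPIURL(base, segs)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("query:", u)
	}
}
```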
Runtime, Tooling, SDK
- ast: Adding rego_v1 feature to --v0-compatible capabilities (#7474) authored by @johanfylling
- executable: Add version and icon to OPA windows executable (#3171) authored by @sspaink, reported by @christophwille
- format: Don't panic on format due to unexpected comments (#6330) authored by @sspaink, reported by @sirpi
- format: Avoid modifying strings when formatting (#6220) authored by @sspaink, reported by @zregvart
- plugins/status: FIFO buffer channel for status events to prevent slow status API blocking (#7522) authored by @sspaink
Topdown and Rego
- gqlparser: Add JSON annotation in internal/gqlparser/ast to Position fields (#7509) authored by @robmyersrobmyers
- graphql: Cache GraphQL schema parse results (#7457) authored by @robmyersrobmyers
- topdown: Handling default functions in Partial Eval (#7220) authored by @johanfylling
- topdown: Fix wall clock time init for PartialRun() (#7490) authored by @srenatus
- topdown: Zero alloc lower/upper unless changed (#7472) authored by @anderseknert
Docs, Website, Ecosystem
- adopters: Cloudsmith adds support for OPA (#7498) authored by @ndouglas-cloudsmith
... (truncated)
Changelog
Sourced from github.com/open-policy-agent/opa's changelog.
Commits
- 8b07202 Prepare v1.4.0 release (#7541)
- ad20632 Merge commit from fork
- 24ff9cf fix: return the raw strings when formatting (#7525)
- 254f3bf fix(status plugin): make sure the latest status is read before manually trigg...
- 9b5f601 docs: fix post merge badge (#7532)
- e490277 docs: Point path versioned requests to new sites (#7531)
- d65888c plugins/status: FIFO buffer channel for status events to prevent slow status ...
- eb77d10 docs: update edge links to use /docs/edge/ path (#7529)
- f07d604 docs: Set versioned docs links to point to archive (#7528)
- 828b8cb docs: improve request headers documentation in REST APIs (#7524)
- Additional commits viewable in compare view
Updates github.com/cloudflare/circl from 1.6.0 to 1.6.1
Release notes
Sourced from github.com/cloudflare/circl's releases.
CIRCL v1.6.1
- Fixes some point checks on the FourQ curve.
- Hybrid KEM fails on low-order points.
What's Changed
- kem/hybrid: ensure X25519 hybrids fails with low order points by @Lekensteyn in cloudflare/circl#541
- .github: Use native ARM64 builders instead of QEMU by @Lekensteyn in cloudflare/circl#542
- Fixes several errors on twisted Edwards curves. by @armfazh in cloudflare/circl#545
- Release v1.6.1 by @armfazh in cloudflare/circl#546
Full Changelog: https://github.com/cloudflare/circl/compare/v1.6.0...v1.6.1
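As an added illustration of the property behind the kem/hybrid change above, and not circl's own code, the following uses Go's standard crypto/ecdh (rather than circl's kem/hybrid) to show an X25519 agreement that fails on low-order peer points instead of returning a predictable secret; the two peer encodings are constructed.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"fmt"
)

// SharedSecret runs X25519 with Go's crypto/ecdh, which refuses a peer
// point when the scalar multiplication yields the all-zero encoding. With a
// clamped private scalar that happens exactly for the small-order points,
// so this check is what makes the key agreement (and any KEM built on it)
// fail on low-order input rather than derive a secret the peer can predict.
func SharedSecret(priv *ecdh.PrivateKey, peer []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peer) // length check only
	if err != nil {
		return nil, err
	}
	return priv.ECDH(pub) // returns an error on a low-order point
}

// RejectsPeer reports whether a fresh private key refuses the given peer
// encoding; the second return value carries only key-generation failures.
func RejectsPeer(peer []byte) (bool, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	_, err = SharedSecret(priv, peer)
	return err != nil, nil
}

// LowOrderPeers are constructed encodings of two small-order points on
// Curve25519: u = 0 (order 2) and u = 1 (order 4).
var LowOrderPeers = [][]byte{
	make([]byte, 32),
	append([]byte{1}, make([]byte, 31)...),
}

func main() {
	for _, peer := range LowOrderPeers {
		rejected, err := RejectsPeer(peer)
		if err != nil {
			panic(err)
		}
		fmt.Printf("peer %x... rejected: %v\n", peer[:4], rejected)
	}
}
```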
Commits
- c6d33e3 Release v1.6.1
- 0c3868e curve4q: Shared must fail with low order points.
- 9fd570d curve4q: Test showing DH does not fails on identity point.
- c988ceb fourq: Correctly unmarshalling point.
- ef2611d fourq: Test showing point unmarshal fails.
- 05eba44 fourq: Handle the case of Z=0 for IsOnCurve and IsEqual.
- eef0878 fourq: Test showing isEqual and IsOnCurve fail.
- 2298474 goldilocks; Handling points with z=0.
- 5a940a1 goldilocks: Test for IsEqual must fail with Z=0
- 48c3b6a ed25519: Fix isEqual to handle points with Z=0.
- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
- @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.
Pull Request Statistics
1
2
+16
-15
Package Dependencies
github.com/open-policy-agent/opa
go
1.3.0 → 1.4.0
Minor
Security Advisories
OPA server Data API HTTP path injection of Rego
nosurf vulnerable to CSRF due to non-functional same-origin request checks
Technical Details
ID: 1457094
UUID: 2582536117
Node ID: PR_kwDOOfCywM6Z7l-1
Host: GitHub
Repository: FlixiDoe/coder
Merge State: Unknown