Update dependency open-policy-agent/opa to v1.12.2

[renovate]

This PR contains the following updates:

Package	Update	Change
open-policy-agent/opa	minor	v1.11.0 → v1.12.2

---

Release Notes

open-policy-agent/opa (open-policy-agent/opa)

v1.12.2

Compare Source

This bug fix release address issues found in the new string interpolation feature

• Add (*TemplateString).Copy() method (#​8159) authored by @​anderseknert
• Fix template string not serialized with escaped { (#​8161)
  authored by @​anderseknert
• fix(ast): skip template string vars in ref safety (#​8174)
  authored by @​thevilledev
• fix(ast): use original var names in template error (#​8180)
  authored by @​thevilledev

v1.12.1

Compare Source

This bug fix release reverts a change to regex.replace that unintentionally changed its behaviour for anchored regular expressions.

• Revert "topdown: make regex.replace respect cancellation" (authored by @​srenatus)

v1.12.0

Compare Source

This release contains a mix of new features, performance improvements, and bugfixes. Notably:

• Support for String Interpolation in the Rego language
• Faster compilation and runtime
• Fixes published in the v1.11.1 release

String Interpolation (#​4733)

The Rego language has been extended to support String Interpolation,
which provides a readable means to compose strings containing dynamic values determined at evaluation time.

An interpolated string is composed of a template-string containing zero or more template-expressions that evaluates to a value at evaluation time.
The $ character prefix identifies a template-string, and template-expressions are declared by being enclosed in curly-braces ({, }).

Additionally, undefined template-expression values don't halt evaluation; instead, <undefined> will be injected into the generated string.

package interpolation

allowed_roles := ["admin", "employee"]

default role := "guest"
role := input.role

deny contains $"User {input.username}'s role was '{role}', but must be one of {allowed_roles}" if {
  not role in allowed_roles
}

{
  "deny": [
    "User <undefined>'s role was 'guest', but must be one of [\"admin\", \"employee\"]"
  ],
}

String interpolation is a more readable and less error-prone substitute for the sprintf built-in function.

Authored by @​johanfylling reported by @​anderseknert

[!TIP]
Help us out!

New Rego language features are exciting, and we want to maximize their usefulness. If you come across tools and integrations in the community where string interpolation isn't properly handled, such as syntax highlighting, please reach out and let us know.

Runtime, SDK, Tooling

• oracle: Refactor Oracle better support some and every (#​8105, #​8131, #​8138) authored by @​charlieegan3
• plugins/bundle: Prevent ns-level polling by validating intervals (#​8082) authored by @​jjhwan-h
• plugins/discovery: Initialize plugins before downloading (#​8071) authored by @​jt28828
• topdown: Introduce sink for context cancellation
  • topdown: Make regex.replace respect cancellation (#​8089) authored by @​srenatus
  • topdown: Make replace and strings.replace_n respect cancellation (#​8089) authored by @​srenatus
  • topdown: Use sink for concat (#​8090) authored by @​srenatus
  • perf: Avoid extra allocation in sink if no cancel (#​8104) authored by @​anderseknert

Compiler, Topdown and Rego

• ast/compile: Deal with error limit without panic/defer (#​8087) authored by @​srenatus
• ast/parser: Check if we need to unescape at all (#​8135) authored by @​srenatus
• perf: Improved visitor implementation (10% faster compilation) (#​8078) authored by @​anderseknert
• perf: Reduce allocations handling terms (#​8116) authored by @​anderseknert
• perf: Type-checker performance improvements (#​8143) authored by @​anderseknert

Docs, Website, Ecosystem

• website: Add support for rego string interpolation syntax highlighting (#​8092) authored by @​charlieegan3
• docs/ocp: Update "concepts" for v0.3.0 (#​8117) authored by @​srenatus
• website: Show playground errors (#​8141) authored by @​charlieegan3
• website: Update a number of links to their new location (#​8100) authored by @​charlieegan3
• docs: Remove link to feedback form (#​8101) authored by @​charlieegan3
• website: Remove survey bar (#​8136) authored by @​charlieegan3
• docs: Update community contacts (#​8108) authored by @​charlieegan3

Miscellaneous

• ast/checks_test: Fix flaky tests (#​8111) authored by @​srenatus
• benchmarks: Install node v24 (#​8122) authored by @​srenatus
• download: Fix when compiling with tag opa_no_oci (#​8070) authored by @​srenatus reported by @​mg0083
• tests: Race in TestStatusUpdateBuffer (#​8133) authored by @​thevilledev
• workflow: Integrate benchmarks notebook (#​8121) authored by @​srenatus
• workflows: Skip all tests in benchmarks run (#​8086) authored by @​srenatus
• Dependency updates; notably:
  • build: Bump golang from 1.25.4 to 1.25.5 (#​8107) authored by @​srenatus
  • build(deps): Bump google.golang.org/grpc from 1.76.0 to 1.77.0

v1.11.1

Compare Source

This is a bugfix release:

Memory exhaustion via forged gzip header

A crafted HTTP request any of OPA's HTTP endpoints would lead OPA to use a large amount of memory, triggering
an out-of-memory process exit.

This weakness in OPA's HTTP API gzip handling is as old as the gzip handling itself. A configurable limit was introduced in v0.67.0, but it has been shown that this security measure wasn't sufficient to avoid running out of memory in memory-constrained setups.

Thanks to @​thevilledev for reporting and fixing this issue.

It only applies to OPA running as server (as a binary or in a container, as "sidecar"). To trigger an OOM process exit using this weakness, an adversary must be able to send an HTTP request directly to OPA. This would be the case if they are in the same network, there is no proxy in front of OPA, or if OPA was exposed to the internet, which is advised against.

By the nature of HTTP encodings, this would be effective before token-based authentication and authorization policies, so these measures do not protect against the attack vector.

If all OPA endpoints are using TLS-based authentication (mutual TLS, "mTLS"), then an adversary cannot do harm with this method.

Please note that while we're taking all of these issues seriously, OPA isn't designed for adversary environments. It's strongly advised not to expose any of its endpoints to the public internet. Furthermore, available security measures should be applied regardless, for a defense in depth approach. See the documentation for the available means of authentication and authorization in OPA.

Please also check out our Security Policy for reporting critical issues and bugs.

Decision Logs dropped (introduced in OPA v1.9.0)

When the decision logs buffer was uploaded, the buffer limit inadvertently got reset to the default upload limit (32kb).
This causes logs to be dropped that shouldn't have been dropped.

This default is overridden by the configuration value decision_logs.reporting.upload_size_limit_bytes, see the docs on decision logs.

There's a Prometheus metric for dropped events, counter_decision_logs_dropped_buffer_size_limit_bytes_exceeded,
and you can check that for unexpectedly high counts.

Reported by @​johanneslarsson #​8123, fixed by @​sspaink.

The release is otherwise identical to v1.11.0.

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.