Open Policy Agent Envoy Plugin Authorization Bypass Vulnerability

A vulnerability exists in the Open Policy Agent (OPA) Envoy Plugin, specifically in versions prior to 1.13.2-envoy-2. The issue arises in how the 'input.parsed_path' field processes HTTP request paths. Leading path segments with double slashes are misinterpreted as authority components, causing them to be dropped from the parsed path. This discrepancy can create mismatches between authorization policies and backend server responses, allowing attackers to bypass access controls by manipulating request paths. The vulnerability is particularly concerning for path-hierarchical resources and policies that rely on 'input.parsed_path' for authorization decisions.

Impact

Exploitation of this vulnerability can lead to unauthorized access by bypassing established path-based access controls, allowing attackers to access protected resources they should not be able to.

Reproduction

To reproduce this vulnerability, send an HTTP request with a path that includes double slashes at the beginning, such as '//admin/users'. The authorization policy will incorrectly parse the path, dropping the 'admin' segment and potentially allowing access to restricted resources.

Remediation

Users can upgrade to OPA Envoy Plugin version 1.13.2-envoy-2 or apply the 'merge_slashes' configuration option in Envoy to remove redundant slashes before the request is processed. Alternatively, update authorization policies to use the 'input.attributes.request.http.path' field, which contains the raw, unprocessed request path.