
Unsafe var in object reports location of object, not the var

Open anderseknert opened this issue 3 months ago • 3 comments

package play

obj := {
    "foo": "bar",
    "baz": qux,
}

In the example above, qux is unsafe and is correctly reported as such:

1 error occurred: policy.rego:3: rego_unsafe_var_error: var qux is unsafe

But qux is not located on line 3 but 5. This doesn't matter much for a trivial case like this, but can be quite annoying when defining large objects in e.g. tests, and having an accidentally unsafe var result in an error without a correct location.

anderseknert, Sep 23 '25 21:09
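A workaround sketch for the misreported location described above, added here as an example and not part of the issue or of OPA: given the error text and the policy source, it scans from the reported line to the end of that term and lists where the variable actually appears, skipping strings and comments. The names `mask` and `locate_unsafe_var` and the bracket-depth heuristic are assumptions of this example.

```python
import re

# Shape of the message shown in the issue:
# "p.rego:3: rego_unsafe_var_error: var qux is unsafe"
ERR_RE = re.compile(
    r"(?P<file>[^\s:]+):(?P<line>\d+): rego_unsafe_var_error: var (?P<var>\w+) is unsafe")

# Comments, quoted strings (with backslash escapes) and raw backtick strings.
TOKEN_RE = re.compile(r'#[^\n]*|"(?:\\.|[^"\\\n])*"|`[^`]*`')


def mask(source):
    """Blank out comments and string literals, keeping every line and column."""
    return TOKEN_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)


def locate_unsafe_var(error, source):
    """Return (line, column) candidates for the var named in an unsafe-var error."""
    m = ERR_RE.search(error)
    if m is None:
        return None
    reported, var = int(m["line"]), m["var"]
    lines = mask(source).split("\n")
    # Whole identifier only; "a.qux" is a ref field, not the variable.
    ident = re.compile(r"(?<![\w.])" + re.escape(var) + r"(?!\w)")
    depth, hits = 0, []
    for lineno in range(reported, len(lines) + 1):
        text = lines[lineno - 1]
        hits += [(lineno, hit.start() + 1) for hit in ident.finditer(text)]
        depth += sum(text.count(ch) for ch in "{[(") - sum(text.count(ch) for ch in ")]}")
        if depth <= 0:  # the term opened on the reported line has closed
            break
    return hits


# Policy and error text as given in the issue description.
POLICY = 'package play\n\nobj := {\n    "foo": "bar",\n    "baz": qux,\n}\n'
ERROR = "1 error occurred: p.rego:3: rego_unsafe_var_error: var qux is unsafe"

if __name__ == "__main__":
    for line, col in locate_unsafe_var(ERROR, POLICY):
        print(f"qux reported at line 3, found at line {line}, column {col}")
```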

Hi @anderseknert, I’m trying to understand this issue but I’m having trouble locating it in my setup. Could you guide me on how to approach or reproduce this problem? Thanks!

abhiii71, Sep 29 '25 17:09

Reproducing should be easy. Just put the example code from the description in a policy file (say p.rego) and then run:

opa eval -f pretty -d p.rego data.play.obj

And you should see:

1 error occurred: p.rego:3: rego_unsafe_var_error: var qux is unsafe

Running that command with a debugger attached should help identify the whereabouts of the issue... but without having done that — it's the compiler doing this check, so that's where I'd start. The compiler does rewrites of all policies, and the Compiler Explorer (as available via e.g. VS Code and right-clicking inside a policy followed by "Source Actions...") is a good way to visualize that, as the screenshot below shows.

Image

The compiler however keeps a mapping of locations in the original policy and the rewritten one... and if I were to guess, something in that process is not going as expected here.

Your help is much appreciated! Just be aware that the compiler and its code can be rather complex, and non-obvious. So don't feel bad if you get lost/stuck. Just let us know and perhaps we can take a look together.

anderseknert, Sep 29 '25 22:09

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.

stale[bot], Oct 30 '25 00:10