Closed
Description
The Query API allows callers to execute ad-hoc Rego queries. Currently the queries are not sanitized, which means that callers could include built-in calls like http.send (which execute on behalf of OPA). We can mitigate this kind of attack by rejecting incoming queries that invoke potentially unsafe calls like http.send.