  1. Core Server
  2. SERVER-41941

[FLE] Shell doesn't decrypt BinData type 6 returned with getMore calls

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • 4.2.0-rc4
    • Affects Version/s: None
    • Component/s: Shell
    • None
    • Fully Compatible
    • ALL
    • v4.2

      Add the snippet shown in the diff below to the bottom of testDeterministicCollection() in jstests/fle/fle_implicit_encryption.js in the enterprise module:

      diff --git a/jstests/fle/fle_implicit_encryption.js b/jstests/fle/fle_implicit_encryption.js
      index c5f6c3e..8da488b 100644
      --- a/jstests/fle/fle_implicit_encryption.js
      +++ b/jstests/fle/fle_implicit_encryption.js
      @@ -118,6 +118,17 @@ load('jstests/ssl/libs/ssl_helpers.js');
               unencryptedCollection.insert({"name": "Shreyas", "ssn": encryptedDeterministicSSN});
               assert.eq(1, encryptedCollection.count({"ssn": NumberInt(987654321)}));
       
      +        for (let i = 0; i < 128; i++) {
      +            unencryptedCollection.insertOne({
      +                name: 'Davis' + i,
      +                'ssn': encryptedShell.getClientEncryption().encrypt(
      +                    keyId, NumberInt(i), deterministicAlgorithm)
      +            });
      +        }
      +        let results = encryptedCollection.aggregate([]).toArray();
      +        for (let i = 0; i < results.length; i++) {
      +            assert.eq(false, results[i].ssn instanceof BinData, results[i]);
      +        }
               // Will add tests for aggregate once query implements it.
               // TODO : File ticket if this goes in before query work is finished.
           };
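
      Review bot: the bound in the added `for (let i = 0; i < 128; i++)` loop is what pushes `.toArray()` past the first batch and into getMore, but nothing in the hunk states or asserts that. Add a comment explaining why the bound is 128 and assert that `results.length` exceeds the first-batch size (or set an explicit small batchSize on the aggregate), so the test cannot silently stop covering the getMore path. The check `assert.eq(false, results[i].ssn instanceof BinData, results[i])` also passes for any non-BinData value, including a missing `ssn`; comparing each 'Davis' + i document against the NumberInt(i) that was inserted would confirm correct decryption rather than only the absence of ciphertext.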
      
      

      Changing 128 to a smaller number, like 10, will make the test pass, since then .toArray() won't have to call getMore().

    • Security 2019-07-15

      In the FLE-enabled shell, it seems like BinData type 6 isn't decrypted as it should be when documents are fetched in getMore calls. When running an aggregation against the FLE-enabled shell that returns more than 101 documents, the first 101 are decrypted properly, while all the rest contain BinData. For example, one document looks like this:

       

      {
      	"_id" : "u49",
      	"patient" : {
      		"name" : BinData(6,"AYgJLpLd8ku+jV8arok6P4MCvO7xtz7j1/LauGMFhdUxX+SI+yu16CcSi8vRMOVyE1ngPSeI777Q1jq33H0AupCrbovf1AnNoJxMG9XoiS7KEg==")
      
      	},
      	"doctor" : {
      		"name" : BinData(6,"AYgJLpLd8ku+jV8arok6P4MCXX2OS/ntRC87Kczz+iwaudQr95q0upAo3A7pifESuOw0NmjnMZIQsyKyzoKkYGMfiPjCcr7sIX4+j7lIcBI8zw==")
      	}
      }
      

      When it should look like this:

       

      {
      	"_id" : "u49",
      	"patient" : {
      		"name" : "D6"
      	},
      	"doctor" : {
      		"name" : "AA"
      	}
      }
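
When triaging a result set like the one above, it helps to list exactly which fields came back as ciphertext and which key they were encrypted under. The Node.js code below is an added example, not code from the ticket or from MongoDB; `parseFleHeader`, `findUndecrypted`, `SAMPLE` and the `BinData` stand-in are names introduced here, and the header layout is assumed from the BSON Binary Subtype 6 specification.

```javascript
// Added example. Header layout assumed from the BSON Binary Subtype 6 spec:
// byte 0 = blob kind, bytes 1-16 = key UUID, byte 17 = original BSON type.
const KINDS = { 0: "intent-to-encrypt marking", 1: "deterministic", 2: "random" };
const BSON_TYPES = { 1: "double", 2: "string", 3: "object", 4: "array", 16: "int32", 18: "int64" };

function parseFleHeader(base64) {
  const buf = Buffer.from(base64, "base64");
  if (buf.length < 18) throw new Error("too short for a subtype 6 header");
  const hex = buf.subarray(1, 17).toString("hex");
  return {
    kind: KINDS[buf[0]] || `unknown (${buf[0]})`,
    keyId: hex.replace(/^(.{8})(.{4})(.{4})(.{4})(.{12})$/, "$1-$2-$3-$4-$5"),
    originalType: BSON_TYPES[buf[17]] || `BSON type ${buf[17]}`,
    ciphertextBytes: buf.length - 18,
  };
}

// Stand-in so this runs under plain Node; it mimics the shell BinData's
// subtype() and base64() accessors (assumed shape, not the shell's class).
class BinData {
  constructor(type, b64) { this.type = type; this.b64 = b64; }
  subtype() { return this.type; }
  base64() { return this.b64; }
}

// Report every field path, at any depth, that still holds BinData subtype 6.
function findUndecrypted(docs) {
  const hits = [];
  const walk = (value, path, index) => {
    if (value instanceof BinData) {
      if (value.subtype() === 6) hits.push({ index, path, ...parseFleHeader(value.base64()) });
    } else if (value !== null && typeof value === "object") {
      for (const [key, child] of Object.entries(value)) walk(child, path ? `${path}.${key}` : key, index);
    }
  };
  docs.forEach((doc, index) => walk(doc, "", index));
  return hits;
}

// Constructed input: 101 already-decrypted documents (one first batch), then
// a document carrying the two payloads quoted in the report.
const SAMPLE = Array.from({ length: 101 }, (_, i) => ({ _id: "c" + i, patient: { name: "plain" } }));
SAMPLE.push({
  _id: "u49",
  patient: { name: new BinData(6, "AYgJLpLd8ku+jV8arok6P4MCvO7xtz7j1/LauGMFhdUxX+SI+yu16CcSi8vRMOVyE1ngPSeI777Q1jq33H0AupCrbovf1AnNoJxMG9XoiS7KEg==") },
  doctor: { name: new BinData(6, "AYgJLpLd8ku+jV8arok6P4MCXX2OS/ntRC87Kczz+iwaudQr95q0upAo3A7pifESuOw0NmjnMZIQsyKyzoKkYGMfiPjCcr7sIX4+j7lIcBI8zw==") },
});

console.table(findUndecrypted(SAMPLE));
```

Unlike the `ssn`-only assertion in the reproduction diff, the walker reports nested paths such as `patient.name`, and the first reported `index` shows where in the result set decryption stopped.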
      

            Assignee: mark.benvenuto@mongodb.com Mark Benvenuto
            Reporter: davis.haupt@mongodb.com Davis Haupt (Inactive)
            Votes: 0
            Watchers: 4
