Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-10695

Redact pipeline: Subobject without security markings causes aggregate to fail

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: 2.5.2
    • Component/s: Aggregation Framework
    • None
    • Environment:
      Mac OS X, MongoDB 2.5.2
    • OS X
    • Hide

      t = db.redact_tests;
      t.drop();

      t.save({
      _id: 1,
      sl: [["GroupA"], ["GroupA", "GroupB"]],

      text: "A or B Can see this",

      subObjectWithSL:

      { sl: [["GroupB"]], text: "Only B can see this" }

      ,

      anotherSubObjectWithSL:

      { sl: [["GroupA"]], text: "All users with doc access can see this" }

      ,

      /* subObjectWithoutSL:

      { text: "This blows up the redactor when uncommented" }

      */

      arrayWithUnMarkedSubObjects: [

      {sl:[["GroupA"]], text: "I can see this"}

      ,
      //

      {text: "This blows up the redactor when uncommented"}

      ,
      "Not an object"
      ]
      });

      t.aggregate([
      {$redact:{ $cond: [
      {$any:[
      {
      $map: {
      input: "$sl",
      as: "setNeeded",
      in:

      { $setIsSubset: ["$$setNeeded", ["GroupA", "GroupB"]] }

      }
      }
      ]},
      "$$CONTINUE",
      "$$PRUNE"
      ]}}
      ]);

      Show
      t = db.redact_tests; t.drop(); t.save({ _id: 1, sl: [ ["GroupA"] , ["GroupA", "GroupB"] ], text: "A or B Can see this", subObjectWithSL: { sl: [["GroupB"]], text: "Only B can see this" } , anotherSubObjectWithSL: { sl: [["GroupA"]], text: "All users with doc access can see this" } , /* subObjectWithoutSL: { text: "This blows up the redactor when uncommented" } */ arrayWithUnMarkedSubObjects: [ {sl:[["GroupA"]], text: "I can see this"} , // {text: "This blows up the redactor when uncommented"} , "Not an object" ] }); t.aggregate([ {$redact:{ $cond: [ {$any:[ { $map: { input: "$sl", as: "setNeeded", in: { $setIsSubset: ["$$setNeeded", ["GroupA", "GroupB"]] } } } ]}, "$$CONTINUE", "$$PRUNE" ]}} ]);
    • None
    • 3
    • None
    • None
    • None
    • None
    • None
    • None

      If a subobject, whether or not it is in an array does not contain the field that we are checking for in a $redact using the $any operator, the aggregate command returns an error.

      To see the problem, uncomment lines from the "Steps To Reproduce sections"

      Error: Printing Stack Trace
      at printStackTrace (src/mongo/shell/utils.js:37:15)
      at DBCollection.aggregate (src/mongo/shell/collection.js:927:9)
      at (shell):1:3
      2013-09-06T11:49:43.683-0400 aggregate failed: {
      "errmsg" : "exception: $any's argument must be an array, but is NULL",
      "code" : 17041,
      "ok" : 0
      } at src/mongo/shell/collection.js:928

      This is contrary to the behavior implied in the jstests where there are subobjects without the "level" key (see the f: in the subobject). Probably because that $redact doesn't use $any in its condition
      https://github.com/mongodb/mongo/blob/master/jstests/aggregation/bugs/server8581.js

      d: [

      {level: 1, e: 4}

      ,

      {f: 6}

      ,

      {level: 5, g: 9}

      ,
      "NOT AN OBJECT!!11!" // always included when b is included
      ]

            Assignee:
            matt.dannenberg Matt Dannenberg (Inactive)
            Reporter:
            david.erickson David Erickson (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: