Invalid bsonTypes are accepted by encrypt


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major - P3
    • None
    • Affects Version/s: 8.2.11
    • Component/s: None
    • None
    • Server Security
    • ALL
      // Name of the database the reproduction runs against.
      const dbName = "test";
      // Handle to that database, obtained from the shell's `db` object via getSiblingDB.
      const auditDb = db.getSiblingDB(dbName);
      
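      /**
       * Drops the database behind `auditDb` so each run starts from an empty state.
       * This removes every collection in that database, so point the script at a
       * disposable deployment.
       *
       * @throws {Error} If the dropDatabase reply does not report `ok`.
       */
      function resetDb() {
        const res = auditDb.dropDatabase();
        if (!res.ok) {
          // Include the full reply so the failure reason is visible in the shell.
          throw new Error(`dropDatabase failed: ${tojson(res)}`);
        }
      }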
      
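      /**
       * Issues a `create` command that installs `schema` as the collection's
       * `$jsonSchema` validator and returns the server's raw reply.
       * The reply is returned rather than asserted on, so the caller can see
       * whether the server accepted (`ok: 1`) or rejected the schema.
       *
       * @param {string} collName - Name of the collection to create.
       * @param {object} schema - JSON Schema document placed under `$jsonSchema`.
       * @returns {object} Command reply from `auditDb.runCommand`.
       */
      function tryCreate(collName, schema) {
        return auditDb.runCommand({
          create: collName,
          validator: { $jsonSchema: schema },
        });
      }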
      
      // Start from an empty database so both create commands use fresh collection names.
      resetDb();

      // Case 1: deterministic algorithm with no `encrypt.bsonType` at all.
      // The report states that the documentation requires bsonType for this algorithm.
      const deterministicMissingBsonType = {
        properties: {
          secret: {
            encrypt: {
              algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
              keyId: [UUID()],
            },
          },
        },
      };

      // Case 2: random algorithm with `encrypt.bsonType` set to the string "null".
      // The report states that the documentation does not support this value.
      const encryptNullBsonType = {
        properties: {
          secret: {
            encrypt: {
              algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Random",
              bsonType: "null",
              keyId: [UUID()],
            },
          },
        },
      };

      // Collect both replies without asserting; `ok: 1` means the server accepted the schema.
      // NOTE(review): this exercises only the server-side create/validator path; whether the
      // client-side automatic-encryption components reject the same schemas is not shown here.
      const results = {
        deterministicMissingBsonType: tryCreate("missing_bson_type", deterministicMissingBsonType),
        encryptNullBsonType: tryCreate("null_bson_type", encryptNullBsonType),
      };

      printjson(results);
      
    • Server Security 2026-07-03

      Hi,

       

      According to the documentation at https://www.mongodb.com/docs/manual/core/csfle/reference/encryption-schemas/#mongodb-autoencryptkeyword-autoencryptkeyword.encrypt.bsonType, the bsonType field is required when encrypt.algorithm is AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic. However, I found that a schema that omits this field is still accepted.

       

      Furthermore, when this field is set to "null", the schema is also accepted, even though the documentation says that value is not supported.

      This is an example:

       

      // Name of the database the reproduction runs against.
      const dbName = "test";
      // Handle to that database, obtained from the shell's `db` object via getSiblingDB.
      const auditDb = db.getSiblingDB(dbName);
      
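      /**
       * Drops the database behind `auditDb` so each run starts from an empty state.
       * This removes every collection in that database, so point the script at a
       * disposable deployment.
       *
       * @throws {Error} If the dropDatabase reply does not report `ok`.
       */
      function resetDb() {
        const res = auditDb.dropDatabase();
        if (!res.ok) {
          // Include the full reply so the failure reason is visible in the shell.
          throw new Error(`dropDatabase failed: ${tojson(res)}`);
        }
      }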
      
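      /**
       * Issues a `create` command that installs `schema` as the collection's
       * `$jsonSchema` validator and returns the server's raw reply.
       * The reply is returned rather than asserted on, so the caller can see
       * whether the server accepted (`ok: 1`) or rejected the schema.
       *
       * @param {string} collName - Name of the collection to create.
       * @param {object} schema - JSON Schema document placed under `$jsonSchema`.
       * @returns {object} Command reply from `auditDb.runCommand`.
       */
      function tryCreate(collName, schema) {
        return auditDb.runCommand({
          create: collName,
          validator: { $jsonSchema: schema },
        });
      }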
      
      // Start from an empty database so both create commands use fresh collection names.
      resetDb();

      // Case 1: deterministic algorithm with no `encrypt.bsonType` at all.
      // The report states that the documentation requires bsonType for this algorithm.
      const deterministicMissingBsonType = {
        properties: {
          secret: {
            encrypt: {
              algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
              keyId: [UUID()],
            },
          },
        },
      };

      // Case 2: random algorithm with `encrypt.bsonType` set to the string "null".
      // The report states that the documentation does not support this value.
      const encryptNullBsonType = {
        properties: {
          secret: {
            encrypt: {
              algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Random",
              bsonType: "null",
              keyId: [UUID()],
            },
          },
        },
      };

      // Collect both replies without asserting; `ok: 1` means the server accepted the schema.
      // NOTE(review): this exercises only the server-side create/validator path; whether the
      // client-side automatic-encryption components reject the same schemas is not shown here.
      const results = {
        deterministicMissingBsonType: tryCreate("missing_bson_type", deterministicMissingBsonType),
        encryptNullBsonType: tryCreate("null_bson_type", encryptNullBsonType),
      };

      printjson(results);
      

       

      This is the output:

      
      {
        deterministicMissingBsonType: {
          ok: 1
        },
        encryptNullBsonType: {
          ok: 1
        }
      }
      
      

            Assignee:
            Erwin Pe
            Reporter:
            Chi Zhang (EXT)