Core Server / SERVER-41941

[FLE] Shell doesn't decrypt BinData type 6 returned with getMore calls


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.2.0-rc4
    • Component/s: Shell
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Backport Requested:
      v4.2
    • Steps To Reproduce:

      Add the snippet shown in the diff below to the bottom of testDeterministicCollection() in jstests/fle/fle_implicit_encryption.js in the enterprise module:

      diff --git a/jstests/fle/fle_implicit_encryption.js b/jstests/fle/fle_implicit_encryption.js
      index c5f6c3e..8da488b 100644
      --- a/jstests/fle/fle_implicit_encryption.js
      +++ b/jstests/fle/fle_implicit_encryption.js
      @@ -118,6 +118,17 @@ load('jstests/ssl/libs/ssl_helpers.js');
               unencryptedCollection.insert({"name": "Shreyas", "ssn": encryptedDeterministicSSN});
               assert.eq(1, encryptedCollection.count({"ssn": NumberInt(987654321)}));
       
      +        for (let i = 0; i < 128; i++) {
      +            unencryptedCollection.insertOne({
      +                name: 'Davis' + i,
      +                'ssn': encryptedShell.getClientEncryption().encrypt(
      +                    keyId, NumberInt(i), deterministicAlgorithm)
      +            });
      +        }
      +        let results = encryptedCollection.aggregate([]).toArray();
      +        for (let i = 0; i < results.length; i++) {
      +            assert.eq(false, results[i].ssn instanceof BinData, results[i]);
      +        }
               // Will add tests for aggregate once query implements it.
               // TODO : File ticket if this goes in before query work is finished.
           };
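
      Review bot: In the added block after `toArray()`, nothing asserts `results.length`, so the loop stops covering the getMore path without failing if fewer documents come back than fit in the first batch; assert the expected count and add a comment saying why 128 was chosen. The final `assert.eq` also only proves that `ssn` is not a `BinData`; comparing each value against the `NumberInt(i)` that was inserted would additionally catch a wrong or partial decryption.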
      
      

      Changing 128 to a smaller number, like 10, will make the test pass, since then .toArray() won't have to call getMore().

    • Sprint:
      Security 2019-07-15

      Description

      In the FLE-enabled shell, it seems like BinData type 6 isn't decrypted as it should be when documents are fetched in getMore calls. When running an aggregation against the FLE-enabled shell which returns more than 101 documents, the first 101 are decrypted properly, while all the rest contain BinData. For example, one document looks like this:

       

      {
      	"_id" : "u49",
      	"patient" : {
      		"name" : BinData(6,"AYgJLpLd8ku+jV8arok6P4MCvO7xtz7j1/LauGMFhdUxX+SI+yu16CcSi8vRMOVyE1ngPSeI777Q1jq33H0AupCrbovf1AnNoJxMG9XoiS7KEg==")
      	},
      	"doctor" : {
      		"name" : BinData(6,"AYgJLpLd8ku+jV8arok6P4MCXX2OS/ntRC87Kczz+iwaudQr95q0upAo3A7pifESuOw0NmjnMZIQsyKyzoKkYGMfiPjCcr7sIX4+j7lIcBI8zw==")
      	}
      }
      

      When it should look like this:

       

      {
      	"_id" : "u49",
      	"patient" : {
      		"name" : "D6"
      	},
      	"doctor" : {
      		"name" : "AA"
      	}
      }
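
The sample document above carries ciphertext in nested fields (`patient.name`, `doctor.name`), which a top-level field check would miss. The following is an added example, not part of the original report or of MongoDB's code: a recursive audit that lists every field still holding BinData subtype 6, run over a constructed result set that mimics the reported 101-document boundary. The `BinData` class is a stand-in so the code runs outside the shell, and `findUndecrypted`, `auditResults` and `buildSampleResults` are hypothetical names.

```javascript
// Stand-in for the shell's BinData type so this runs under plain Node (assumption).
class BinData {
  constructor(subtype, base64) { this.sub = subtype; this.base64 = base64; }
  subtype() { return this.sub; }
}

const ENCRYPTED_SUBTYPE = 6; // BSON binary subtype for encrypted values

// Recursively collect the dotted path of every value that is still BinData subtype 6.
function findUndecrypted(value, path = "", out = []) {
  if (value instanceof BinData) {
    if (value.subtype() === ENCRYPTED_SUBTYPE) out.push(path);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findUndecrypted(v, `${path}[${i}]`, out));
  } else if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      findUndecrypted(v, path ? `${path}.${k}` : k, out);
    }
  }
  return out;
}

// Report, per result index, which fields came back as ciphertext.
function auditResults(results) {
  const failures = [];
  results.forEach((doc, index) => {
    const paths = findUndecrypted(doc);
    if (paths.length > 0) failures.push({ index, id: doc._id, paths });
  });
  return failures;
}

// Constructed data: `total` documents, the first `firstBatch` decrypted, the
// remainder (the ones a getMore would fetch) still carrying ciphertext.
function buildSampleResults(total = 128, firstBatch = 101) {
  const results = [];
  for (let i = 0; i < total; i++) {
    const enc = (s) => (i < firstBatch ? s : new BinData(6, "Q09OU1RSVUNURUQ="));
    results.push({ _id: "u" + i, patient: { name: enc("P" + i) }, doctor: { name: enc("D" + i) } });
  }
  return results;
}

const failures = auditResults(buildSampleResults());
console.log(`${failures.length} documents with undecrypted fields; first at index ${failures[0].index}`);
```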
      
