Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-64113

unsafe cast in match expression can allow insertion of malformed FLE1-encrypted fields

    XMLWordPrintableJSON

Details

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Major - P3 Major - P3
    • None
    • None
    • None
    • None
    • Fully Compatible
    • ALL
    • QO 2022-03-21, QO 2022-04-04, QO 2022-04-18

    Description

      The matchesSingleElement() function of the InternalSchemaBinDataEncryptedTypeExpression match expression checks an FLE1-encrypted BinData field to determine whether the first byte of the encrypted blob has the correct value (either 0x01 for 'deterministic', or 0x02 for 'random'). Then, it performs an unsafe cast of the BinData to a FleBlobHeader structure, without first checking the size, before reading and verifying the originalBsonType field of the header, which could potentially be outside the actual binary data buffer. If the BinData input is somehow malformed such that it is shorter than the size of FleBlobHeader, and the subsequent bytes in the BSON object have the correct values so as to pass validation of the type, then the match expression could allow this malformed document to pass schema validation of FLE1 fields, and therefore allow it to be inserted.

      Attachments

        Activity

          People

            jacob.evans@mongodb.com Jacob Evans
            erwin.pe@mongodb.com Erwin Pe
            Votes:
            0 Vote for this issue
            Watchers:
            11 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: