| Steps To Reproduce: |
Run the following script against mongocryptd:
const jsonSchema = {
|
type: "object",
|
properties: {
|
user: {
|
type: "object",
|
properties: {
|
ssn: {
|
encrypt: {
|
algorithm: "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic",
|
keyId: [UUID()],
|
bsonType: "string"
|
}
|
}
|
}
|
}
|
}
|
};
|
|
const pipeline =
|
[{$redact: {$cond: {if: {$eq: ["$ssn", "123-45-6789"]}, then: "$$PRUNE", else: "$$DESCEND"}}}];
|
|
printjson(db.runCommand({
|
aggregate: "c",
|
pipeline: pipeline,
|
cursor: {},
|
isRemoteSchema: false,
|
jsonSchema: jsonSchema
|
}));
|
This produces the following output:
{
|
"hasEncryptionPlaceholders" : false,
|
"schemaRequiresEncryption" : true,
|
"result" : {
|
"aggregate" : "c",
|
"pipeline" : [
|
{
|
"$redact" : {
|
"$cond" : [
|
{
|
"$eq" : [
|
"$ssn",
|
{
|
"$const" : "123-45-6789"
|
}
|
]
|
},
|
"$$PRUNE",
|
"$$DESCEND"
|
]
|
}
|
}
|
],
|
"cursor" : {
|
|
},
|
"lsid" : {
|
"id" : UUID("0506dff3-cdf4-4dde-afb3-d31221391d45")
|
}
|
},
|
"ok" : 1
|
}
|
The important thing to note is that the social security number in the query is not marked for encryption. The system would send it across the wire as plaintext.
Since it is possible for the SSN in the query to be compared both to encrypted and unencrypted data, the correct behavior would be for mongocryptd to return an error.
|