[SERVER-41941] [FLE] Shell doesn't decrypt BinData type 6 returned with getMore calls
Created: 26/Jun/19  Updated: 29/Oct/23  Resolved: 02/Jul/19

Status: Closed
Project: Core Server
Component/s: Shell
Affects Version/s: None
Fix Version/s: 4.2.0-rc4

Type: Bug
Priority: Major - P3
Reporter: Davis Haupt (Inactive)
Assignee: Mark Benvenuto
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v4.2
Steps To Reproduce:

Add the snippet shown in the diff below to the bottom of testDeterministicCollection() in jstests/fle/fle_implicit_encryption.js in the enterprise module:

diff --git a/jstests/fle/fle_implicit_encryption.js b/jstests/fle/fle_implicit_encryption.js
index c5f6c3e..8da488b 100644
--- a/jstests/fle/fle_implicit_encryption.js
+++ b/jstests/fle/fle_implicit_encryption.js
@@ -118,6 +118,17 @@ load('jstests/ssl/libs/ssl_helpers.js');
         unencryptedCollection.insert({"name": "Shreyas", "ssn": encryptedDeterministicSSN});
         assert.eq(1, encryptedCollection.count({"ssn": NumberInt(987654321)}));
 
+        for (let i = 0; i < 128; i++) {
+            unencryptedCollection.insertOne({
+                name: 'Davis' + i,
+                'ssn': encryptedShell.getClientEncryption().encrypt(
+                    keyId, NumberInt(i), deterministicAlgorithm)
+            });
+        }
+        let results = encryptedCollection.aggregate([]).toArray();
+        for (let i = 0; i < results.length; i++) {
+            assert.eq(false, results[i].ssn instanceof BinData, results[i]);
+        }
         // Will add tests for aggregate once query implements it.
         // TODO : File ticket if this goes in before query work is finished.
     };
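
Review bot: The new loop never asserts that results is large enough to force a getMore, so at the line "assert.eq(false, results[i].ssn instanceof BinData, results[i]);" the test would pass without exercising the bug if the collection ever returned fewer documents than one first batch. Add a length check before the loop (the description gives 101 as the number of documents that come back decrypted) and consider asserting the decrypted ssn values rather than only the absence of BinData. The assertion also inspects only the top-level ssn field, while the ticket's sample document shows the leak in nested fields (patient.name, doctor.name). Finally, the unchanged comment "Will add tests for aggregate once query implements it." now sits directly under an aggregate() call and should be updated or removed.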

Changing 128 to a smaller number, like 10, will make the test pass, since then .toArray() won't have to call getMore().

Sprint: Security 2019-07-15
Participants:

 Description   

In the FLE-enabled shell, it seems like BinData type 6 isn't decrypted as it should be when documents are fetched in getMore calls. When running an aggregation against the FLE-enabled shell which returns more than 101 documents, the first 101 are decrypted properly, while all the rest contain BinData. For example, one document looks like this:

 

{
	"_id" : "u49",
	"patient" : {
		"name" : BinData(6,"AYgJLpLd8ku+jV8arok6P4MCvO7xtz7j1/LauGMFhdUxX+SI+yu16CcSi8vRMOVyE1ngPSeI777Q1jq33H0AupCrbovf1AnNoJxMG9XoiS7KEg==")
 
	},
	"doctor" : {
		"name" : BinData(6,"AYgJLpLd8ku+jV8arok6P4MCXX2OS/ntRC87Kczz+iwaudQr95q0upAo3A7pifESuOw0NmjnMZIQsyKyzoKkYGMfiPjCcr7sIX4+j7lIcBI8zw==")
	}
}

When it should look like this:

 

{
	"_id" : "u49",
	"patient" : {
		"name" : "D6"
	},
	"doctor" : {
		"name" : "AA"
	}
}
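
A checker for the symptom described above, as an added example that is not part of the original ticket or of MongoDB's code: it walks every returned document, including nested fields such as patient.name, and reports where subtype 6 values remain. BinDataStub, the function names and the sample result set are constructed stand-ins, not the shell's own BinData type or data from the ticket.

```javascript
// Stand-in for the shell's BinData type (constructed for this example).
class BinDataStub {
  constructor(subtype, base64) {
    this.subtype = subtype;
    this.base64 = base64;
  }
}

const ENCRYPTED_SUBTYPE = 6; // the "BinData type 6" this ticket is about

// Recursively collect dotted paths whose value is still subtype 6 ciphertext.
function encryptedPaths(value, prefix = "") {
  if (value instanceof BinDataStub) {
    return value.subtype === ENCRYPTED_SUBTYPE ? [prefix] : [];
  }
  if (value === null || typeof value !== "object") return [];
  const paths = [];
  for (const [key, child] of Object.entries(value)) {
    paths.push(...encryptedPaths(child, prefix ? `${prefix}.${key}` : key));
  }
  return paths;
}

// Scan a whole result set and report each document that still holds ciphertext.
function findUndecrypted(results) {
  const leaks = [];
  results.forEach((doc, index) => {
    const paths = encryptedPaths(doc);
    if (paths.length > 0) leaks.push({ index, id: doc._id, paths });
  });
  return leaks;
}

// Constructed sample modelling the report: documents past the first batch stay encrypted.
function sampleResults(total, firstBatch = 101) {
  const docs = [];
  for (let i = 0; i < total; i++) {
    const field = (plain) =>
      i < firstBatch ? plain : new BinDataStub(6, "Q09OU1RSVUNURUQ=");
    docs.push({ _id: "u" + i, patient: { name: field("P" + i) }, doctor: { name: field("D" + i) } });
  }
  return docs;
}

const leaks = findUndecrypted(sampleResults(128));
console.log(`${leaks.length} documents still encrypted; first:`, leaks[0]);
```

A first leaking index equal to the first-batch size is the signature of a decryption step that is skipped on getMore batches.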



 Comments   
Comment by Githook User [ 12/Jul/19 ]

Author:

{'name': 'Mark Benvenuto', 'username': 'markbenvenuto', 'email': 'mark.benvenuto@mongodb.com'}

Message: SERVER-41941 Shell doesn't decrypt BinData type 6 returned with getMore call

(cherry picked from commit ed93777d454809e649c66511ed8e48653befe767)
Branch: v4.2
https://github.com/10gen/mongo-enterprise-modules/commit/d9d19b3662944e3944f5ef52d23a9790bad177ef

Comment by Githook User [ 02/Jul/19 ]

Author:

{'name': 'Mark Benvenuto', 'username': 'markbenvenuto', 'email': 'mark.benvenuto@mongodb.com'}

Message: SERVER-41941 Shell doesn't decrypt BinData type 6 returned with getMore call
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/ed93777d454809e649c66511ed8e48653befe767

Comment by Davis Haupt (Inactive) [ 26/Jun/19 ]

mark.benvenuto@mongodb.com shreyas.kalyan This bug came up when writing integration tests for Query using implicit encryption/decryption in the shell. Let me know if there's any other info you might need from me.
