[SERVER-64911] Ban comparisons to encrypted fields in collection validator and partialFilterExpression Created: 24/Mar/22  Updated: 29/Oct/23  Resolved: 03/May/22

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 6.0.0-rc5, 6.1.0-rc0

Type: Bug Priority: Major - P3
Reporter: Nicholas Zolnierz Assignee: Davis Haupt (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Documented
is documented by DOCS-15305 [Server] Investigate changes in SERVE... Ready for Work
Related
is related to MONGOCRYPT-463 collMod with FLE1 does not allow sett... Closed
Backwards Compatibility: Minor Change
Backport Requested:
v6.0
Sprint: QO 2022-05-02, QO 2022-05-16
Participants:

 Description   

The create, collMod, and createIndex commands all bypass query analysis, however they contain match expressions which may refer to encrypted fields.



 Comments   
Comment by Githook User [ 09/May/22 ]

Author:

{'name': 'Davis Haupt', 'email': 'davis.haupt@mongodb.com', 'username': 'davish'}

Message: SERVER-64911 Add create, collMod and createIndexes to list of commands to send to encryption
Branch: v6.0
https://github.com/mongodb/mongo/commit/5b6dfa169031f8e0d68d5d2ce665c4d977d06494

Comment by Githook User [ 09/May/22 ]

Author:

{'name': 'Davis Haupt', 'email': 'davis.haupt@mongodb.com', 'username': 'davish'}

Message: SERVER-64911 Ban comparisons to encrypted fields in collection validator and partialFilterExpression
Branch: v6.0
https://github.com/10gen/mongo-enterprise-modules/commit/8dcdcb47bc4e5a77f04cf76718c2dedb62a0f895

Comment by Githook User [ 03/May/22 ]

Author:

{'name': 'Davis Haupt', 'email': 'davis.haupt@mongodb.com', 'username': 'davish'}

Message: SERVER-64911 Add create, collMod and createIndexes to list of commands to send to encryption
Branch: master
https://github.com/mongodb/mongo/commit/715f5b29f4c1a689d6ff363b12beabc1ae8d5e6e

Comment by Githook User [ 03/May/22 ]

Author:

{'name': 'Davis Haupt', 'email': 'davis.haupt@mongodb.com', 'username': 'davish'}

Message: SERVER-64911 Ban comparisons to encrypted fields in collection validator and partialFilterExpression
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/68ea8c2bf939a22c5eabedea477f05560584848d

Comment by Nicholas Zolnierz [ 19/Apr/22 ]

After discussing with jacob.evans@mongodb.com and kevin.albertson@mongodb.com, we'll go ahead and schedule this in the next sprint or two to implement the safeguard in query analysis. The simplest "fix" is likely to ban any encrypted references in a validator/partialFilterExpression, since this doesn't require any server-side rewrites. Perhaps a follow-up ticket to actually support marking comparisons in these contexts is worth filing as well.

Generated at Thu Feb 08 06:01:26 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.