[SERVER-67263] Reject InsertUpdatePayload with mismatched IndexKeyId Created: 14/Jun/22  Updated: 29/Oct/23  Resolved: 28/Jul/22

Status: Closed
Project: Core Server
Component/s: Field Level Encryption
Affects Version/s: None
Fix Version/s: 6.1.0-rc0

Type: Improvement Priority: Major - P3
Reporter: Kevin Albertson Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Minor Change
Sprint: Security 2022-07-11, Security 2022-07-25, Security 2022-08-08
Participants:

Description

Scope

  • Return an error when receiving an InsertUpdatePayload with a mismatched IndexKeyId.

Background & Motivation

The InsertUpdatePayload includes the IndexKeyId here.

The IndexKeyId is expected to match the "keyId" specified on encryptedFields. A mistaken insert with an incorrect IndexKeyId results in incorrect query results and non-obvious errors.

Example 1:

  • encryptedFields uses key1ID
  • Insert with UserKeyID=key1ID IndexKeyID=key2ID
  • Find with IndexKeyID=key1ID

Will not find the inserted document.

Example 2:

  • encryptedFields uses key1ID
  • Insert with UserKeyID=key1ID IndexKeyID=key2ID
  • Delete with IndexKeyID=key2ID

Returns this server error:

Invalid advance (5391210624386066) past end of buffer[188] at offset: 8

These scenarios were tested with the Go driver here and can be run with:

go test -v -tags cse -count=1 ./mongo/integration -run TestClientSideEncryptionProse/explicit_encryption/case_6
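A simplified model of the check this ticket asks for, added here as an illustration; it is not MongoDB server or driver code. The payload shape, the HMAC-derived index token, the key ids and the key bytes are constructed stand-ins for the real FLE2 structures. It replays Example 1 (encryptedFields uses key1, insert with UserKeyID=key1 IndexKeyID=key2, find with key1) twice: without the check, where the document is stored but can never be found because its index token was derived with the wrong key, and with the check, where the insert is rejected up front instead.

```python
"""Simplified model of the IndexKeyId check requested in SERVER-67263.

Added illustration only: the payload shape, the HMAC-derived index token,
the key ids and the key bytes below are constructed stand-ins, not the
server's FLE2 structures.
"""
import hashlib
import hmac
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class IndexKeyMismatch(ValueError):
    """Insert rejected: payload IndexKeyId differs from the encryptedFields keyId."""


@dataclass(frozen=True)
class InsertUpdatePayload:
    """Constructed stand-in holding only the parts of the payload the check needs."""
    path: str                 # encrypted field path, e.g. "ssn"
    user_key_id: uuid.UUID    # key the value itself was encrypted with
    index_key_id: uuid.UUID   # key the index token was derived with
    index_token: bytes        # see derive_token()


def derive_token(index_key: bytes, value: str) -> bytes:
    """Toy index token: HMAC-SHA256 of the plaintext keyed by the index key.

    A find derives the same token with the key named in encryptedFields, so
    a token produced with a different index key can never match it.
    """
    return hmac.new(index_key, value.encode("utf-8"), hashlib.sha256).digest()


@dataclass
class Server:
    """encryptedFields reduced to path -> keyId, plus an in-memory collection."""
    encrypted_fields: Dict[str, uuid.UUID]
    enforce_index_key: bool = True          # False reproduces the pre-fix behaviour
    docs: List[InsertUpdatePayload] = field(default_factory=list)

    def insert(self, payload: InsertUpdatePayload) -> None:
        expected = self.encrypted_fields.get(payload.path)
        if expected is None:
            raise ValueError(f"{payload.path!r} is not an encrypted field")
        # The check this ticket asks for: reject a payload whose IndexKeyId
        # does not match the keyId configured for that field.
        if self.enforce_index_key and payload.index_key_id != expected:
            raise IndexKeyMismatch(
                f"IndexKeyId {payload.index_key_id} for {payload.path!r} "
                f"does not match encryptedFields keyId {expected}")
        self.docs.append(payload)

    def find(self, path: str, find_token: bytes) -> List[InsertUpdatePayload]:
        return [d for d in self.docs
                if d.path == path and hmac.compare_digest(d.index_token, find_token)]


# Constructed key ids and key material for the examples.
KEY1_ID = uuid.UUID("11111111-1111-1111-1111-111111111111")
KEY2_ID = uuid.UUID("22222222-2222-2222-2222-222222222222")
INDEX_KEYS = {KEY1_ID: b"\x01" * 32, KEY2_ID: b"\x02" * 32}
VALUE = "123-45-6789"  # constructed plaintext


def make_payload(path: str, value: str, user_key_id: uuid.UUID,
                 index_key_id: uuid.UUID) -> InsertUpdatePayload:
    return InsertUpdatePayload(path, user_key_id, index_key_id,
                               derive_token(INDEX_KEYS[index_key_id], value))


def example_1(enforce: bool) -> Optional[int]:
    """encryptedFields uses key1; insert with UserKeyID=key1, IndexKeyID=key2;
    find with key1. Returns the number of documents found, or None when the
    insert was rejected."""
    server = Server({"ssn": KEY1_ID}, enforce_index_key=enforce)
    try:
        server.insert(make_payload("ssn", VALUE, KEY1_ID, KEY2_ID))
    except IndexKeyMismatch:
        return None
    return len(server.find("ssn", derive_token(INDEX_KEYS[KEY1_ID], VALUE)))


def matching_insert() -> int:
    """Control case: IndexKeyID matches encryptedFields, so the find succeeds."""
    server = Server({"ssn": KEY1_ID})
    server.insert(make_payload("ssn", VALUE, KEY1_ID, KEY1_ID))
    return len(server.find("ssn", derive_token(INDEX_KEYS[KEY1_ID], VALUE)))


if __name__ == "__main__":
    print("without check, documents found:", example_1(enforce=False))    # 0
    print("with check, insert rejected:", example_1(enforce=True) is None)  # True
    print("matching keys, documents found:", matching_insert())           # 1
```

The model keeps the pre-fix behaviour behind `enforce_index_key=False` so the two outcomes can be compared side by side: the silent miss is exactly the "non-obvious" failure described above, and the rejection on insert turns it into an error the client sees at the point of the mistake.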