authorTed Tuckman <ted.tuckman@mongodb.com>2019-04-23 14:44:13 -0400
committerTed Tuckman <ted.tuckman@mongodb.com>2019-05-03 15:38:32 -0400
commit117a422917ff9110a4ae2b3023e7dc88fb491567 (patch)
tree25519f2d11cb005412c4ecc7f1e48f18b0d6ca47 /src/mongo/db/matcher
parentb1a9c9adea89b475fb05660e2a1cad00971e6899 (diff)
SERVER-40516 Ban single-valued BSON types in encrypt object
Diffstat (limited to 'src/mongo/db/matcher')
-rw-r--r--src/mongo/db/matcher/schema/json_schema_parser.cpp14
-rw-r--r--src/mongo/db/matcher/schema/json_schema_parser_test.cpp65
2 files changed, 79 insertions, 0 deletions
diff --git a/src/mongo/db/matcher/schema/json_schema_parser.cpp b/src/mongo/db/matcher/schema/json_schema_parser.cpp
index 9d3833e4f73..26530809d45 100644
--- a/src/mongo/db/matcher/schema/json_schema_parser.cpp
+++ b/src/mongo/db/matcher/schema/json_schema_parser.cpp
@@ -1373,6 +1373,20 @@ Status translateEncryptionKeywords(StringMap<BSONElement>& keywordMap,
((infoType && infoType.get().typeSet().isSingleType()) &&
!infoType.get().typeSet().hasType(BSONType::Object)));
+ if (auto bsonType = encryptInfo.getBsonType()) {
+ auto typeSet = bsonType->typeSet();
+ auto checkType = [typeSet](BSONType typeToCheck) {
+ uassert(31041,
+ std::string("Cannot encrypt single-valued type")
+ .append(typeName(typeToCheck)),
+ !typeSet.hasType(typeToCheck));
+ };
+ checkType(BSONType::MinKey);
+ checkType(BSONType::MaxKey);
+ checkType(BSONType::Undefined);
+ checkType(BSONType::jstNULL);
+ }
+
andExpr->add(new InternalSchemaBinDataSubTypeExpression(path, BinDataType::Encrypt));
if (auto typeOptional = infoType)
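Review bot: The uassert message built in `checkType` joins the literal and the type name with no separator, so the user-facing error reads like "Cannot encrypt single-valued typeminKey"; add the trailing space, `std::string("Cannot encrypt single-valued type ")`. The block also lacks a comment saying why these types are rejected, for example `// MinKey, MaxKey, Undefined and Null each have exactly one possible value, so the declared bsonType alone reveals the plaintext and encrypting it protects nothing.` Because the test is `hasType`, any type set that contains one of the four is rejected, not only a set made up of a single one; that looks intended but should be stated in the same comment. translateEncryptionKeywords begins and ends outside this hunk.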
diff --git a/src/mongo/db/matcher/schema/json_schema_parser_test.cpp b/src/mongo/db/matcher/schema/json_schema_parser_test.cpp
index becdcaada87..b6b5c2c3ce9 100644
--- a/src/mongo/db/matcher/schema/json_schema_parser_test.cpp
+++ b/src/mongo/db/matcher/schema/json_schema_parser_test.cpp
@@ -29,6 +29,7 @@
#include "mongo/platform/basic.h"
+#include "mongo/bson/bsonobjbuilder.h"
#include "mongo/bson/json.h"
#include "mongo/db/bson/bson_helper.h"
#include "mongo/db/matcher/expression_always_boolean.h"
@@ -2234,5 +2235,69 @@ TEST(JSONSchemaParserTest, FailsToParseWithObjectInArrayBSONTypeInDeterministicE
ASSERT_EQ(result.getStatus().code(), 31051);
}
+TEST(JSONSchemaParserTest, FailsToParseWithSingleValueBSONTypeInEncryptObject) {
+ auto uuid = UUID::gen();
+ // Test MinKey
+ BSONObj encrypt = BSON("encrypt" << BSON("algorithm"
+ << "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
+ << "initializationVector"
+ << BSONBinData(NULL, 0, BinDataType::BinDataGeneral)
+ << "bsonType"
+ << "minKey"
+ << "keyId"
+ << BSON_ARRAY(uuid)));
+ BSONObj schema = BSON("type"
+ << "object"
+ << "properties"
+ << BSON("foo" << encrypt));
+ auto result = JSONSchemaParser::parse(new ExpressionContextForTest(), schema);
+ ASSERT_EQ(result.getStatus().code(), 31041);
+ // Test MaxKey
+ encrypt = BSON("encrypt" << BSON("algorithm"
+ << "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
+ << "initializationVector"
+ << BSONBinData(NULL, 0, BinDataType::BinDataGeneral)
+ << "bsonType"
+ << "maxKey"
+ << "keyId"
+ << BSON_ARRAY(uuid)));
+ schema = BSON("type"
+ << "object"
+ << "properties"
+ << BSON("foo" << encrypt));
+ result = JSONSchemaParser::parse(new ExpressionContextForTest(), schema);
+ ASSERT_EQ(result.getStatus().code(), 31041);
+ // Test Undefined
+ encrypt = BSON("encrypt" << BSON("algorithm"
+ << "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
+ << "initializationVector"
+ << BSONBinData(NULL, 0, BinDataType::BinDataGeneral)
+ << "bsonType"
+ << "undefined"
+ << "keyId"
+ << BSON_ARRAY(uuid)));
+ schema = BSON("type"
+ << "object"
+ << "properties"
+ << BSON("foo" << encrypt));
+ result = JSONSchemaParser::parse(new ExpressionContextForTest(), schema);
+ ASSERT_EQ(result.getStatus().code(), 31041);
+ // Test Null
+ encrypt = BSON("encrypt" << BSON("algorithm"
+ << "AEAD_AES_256_CBC_HMAC_SHA_512-Deterministic"
+ << "initializationVector"
+ << BSONBinData(NULL, 0, BinDataType::BinDataGeneral)
+ << "bsonType"
+ << "null"
+ << "keyId"
+ << BSON_ARRAY(uuid)));
+ schema = BSON("type"
+ << "object"
+ << "properties"
+ << BSON("foo" << encrypt));
+ result = JSONSchemaParser::parse(new ExpressionContextForTest(), schema);
+ ASSERT_EQ(result.getStatus().code(), 31041);
+}
+
} // namespace
} // namespace mongo
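Review bot: All four cases pass `bsonType` as a single string with the deterministic algorithm, so the new `hasType` check is never exercised on a multi-type set. A case whose bsonType is an array that includes one of the banned aliases would pin that behaviour; it probably needs the random algorithm, since the deterministic path appears to require a single type. The four blocks differ only in the alias string, so a loop over `{"minKey", "maxKey", "undefined", "null"}` would remove the repetition and make a missing alias obvious. `BSONBinData(NULL, 0, BinDataType::BinDataGeneral)` would also read better with `nullptr`.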