PHPC-2151: Validate masterKey option in createDataKey() and rewrapManyDataKey()

Author: jmikola

src/MongoDB/ClientEncryption.c

@@ -407,9 +407,15 @@ static PHP_METHOD(MongoDB_Driver_ClientEncryption, rewrapManyDataKey)
 	}
 
 	if (options && php_array_existsc(options, "masterKey")) {
-		masterkey = bson_new();
+		zval* zmasterkey = php_array_fetchc(options, "masterKey");
 
-		php_phongo_zval_to_bson(php_array_fetchc(options, "masterKey"), PHONGO_BSON_NONE, masterkey, NULL);
+		if (Z_TYPE_P(zmasterkey) != IS_OBJECT && Z_TYPE_P(zmasterkey) != IS_ARRAY) {
+			phongo_throw_exception(PHONGO_ERROR_INVALID_ARGUMENT, "Expected \"masterKey\" option to be array or object, %s given", PHONGO_ZVAL_CLASS_OR_TYPE_NAME_P(zmasterkey));
+			goto cleanup;
+		}
+
+		masterkey = bson_new();
+		php_phongo_zval_to_bson(zmasterkey, PHONGO_BSON_NONE, masterkey, NULL);
 
 		if (EG(exception)) {
 			goto cleanup;
@@ -752,9 +758,16 @@ static mongoc_client_encryption_datakey_opts_t* phongo_clientencryption_datakey_
 	}
 
 	if (php_array_existsc(options, "masterKey")) {
-		bson_t masterkey = BSON_INITIALIZER;
+		zval*  zmasterkey = php_array_fetchc(options, "masterKey");
+		bson_t masterkey  = BSON_INITIALIZER;
+
+		if (Z_TYPE_P(zmasterkey) != IS_OBJECT && Z_TYPE_P(zmasterkey) != IS_ARRAY) {
+			phongo_throw_exception(PHONGO_ERROR_INVALID_ARGUMENT, "Expected \"masterKey\" option to be array or object, %s given", PHONGO_ZVAL_CLASS_OR_TYPE_NAME_P(zmasterkey));
+			goto cleanup;
+		}
+
+		php_phongo_zval_to_bson(zmasterkey, PHONGO_BSON_NONE, &masterkey, NULL);
 
-		php_phongo_zval_to_bson(php_array_fetchc(options, "masterKey"), PHONGO_BSON_NONE, &masterkey, NULL);
 		if (EG(exception)) {
 			bson_destroy(&masterkey);
 			goto cleanup;

tests/clientEncryption/clientEncryption-createDataKey_error-003.phpt

@@ -0,0 +1,28 @@
+--TEST--
+MongoDB\Driver\ClientEncryption::createDataKey() masterKey option invalid type
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
+<?php skip_if_not_libmongocrypt(); ?>
+<?php skip_if_not_live(); ?>
+--FILE--
+<?php
+
+require_once __DIR__ . "/../utils/basic.inc";
+
+$manager = create_test_manager();
+$clientEncryption = $manager->createClientEncryption([
+    'keyVaultNamespace' => CSFLE_KEY_VAULT_NS,
+    'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary(CSFLE_LOCAL_KEY, 0)]],
+]);
+
+echo throws(function () use ($clientEncryption) {
+    $clientEncryption->createDataKey('local', ['masterKey' => 'not-array-or-object']);
+}, MongoDB\Driver\Exception\InvalidArgumentException::class), "\n";
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+OK: Got MongoDB\Driver\Exception\InvalidArgumentException
+Expected "masterKey" option to be array or object, string given
+===DONE===

tests/clientEncryption/clientEncryption-rewrapManyDataKey_error-001.phpt

@@ -0,0 +1,30 @@
+--TEST--
+MongoDB\Driver\ClientEncryption::rewrapManyDataKey() masterKey option invalid type
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"; ?>
+<?php skip_if_not_libmongocrypt(); ?>
+<?php skip_if_not_live(); ?>
+<?php skip_if_not_clean(CSFLE_KEY_VAULT_DATABASE_NAME, CSFLE_KEY_VAULT_COLLECTION_NAME);
+--FILE--
+<?php
+
+require_once __DIR__ . "/../utils/basic.inc";
+
+$manager = create_test_manager();
+
+$clientEncryption = $manager->createClientEncryption([
+  'keyVaultNamespace' => CSFLE_KEY_VAULT_NS,
+  'kmsProviders' => ['local' => ['key' => new MongoDB\BSON\Binary(CSFLE_LOCAL_KEY, 0)]],
+]);
+
+echo throws(function () use ($clientEncryption) {
+    $clientEncryption->rewrapManyDataKey([], ['masterKey' => 'not-array-or-object']);
+}, MongoDB\Driver\Exception\InvalidArgumentException::class), "\n";
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+OK: Got MongoDB\Driver\Exception\InvalidArgumentException
+Expected "masterKey" option to be array or object, string given
+===DONE===