Merge branch '6.x' into vkarpov15/gh-13191-2

.github/workflows/test.yml

@@ -96,7 +96,7 @@ jobs:
       - name: Setup Deno
         uses: denoland/setup-deno@v1
         with:
-          deno-version: v1.33.x
+          deno-version: v1.34.x
       - run: deno --version
       - run: npm install
       - name: Run Deno tests

CHANGELOG.md

@@ -1,3 +1,12 @@
+6.11.3 / 2023-07-11
+===================
+ * fix: avoid prototype pollution on init
+ * fix(schema): correctly handle uuids with populate() #13317 #13595
+
+6.11.2 / 2023-06-08
+===================
+ * fix(cursor): allow find middleware to modify query cursor options #13476 #13453 #13435
+
 6.11.1 / 2023-05-08
 ===================
  * fix(query): apply schema-level paths before calculating projection for findOneAndUpdate() #13348 #13340

docs/layout.pug

@@ -143,7 +143,7 @@ html(lang='en')
               li.pure-menu-item.sub-item
                 a.pure-menu-link(href=`${versions.versionedPath}/docs/api/virtualtype.html`, class=outputUrl === `${versions.versionedPath}/docs/api/virtualtype.html` ? 'selected' : '') VirtualType
               li.pure-menu-item
-                a.pure-menu-link(href=`${versions.versionedPath}/docs/migrating_to_7.html`, class=outputUrl === `${versions.versionedPath}/docs/migrating_to_7.html` ? 'selected' : '') Migration Guide
+                a.pure-menu-link(href=`${versions.versionedPath}/docs/migrating_to_6.html`, class=outputUrl === `${versions.versionedPath}/docs/migrating_to_7.html` ? 'selected' : '') Migration Guide
               li.pure-menu-item
                 a.pure-menu-link(href=`${versions.versionedPath}/docs/compatibility.html`, class=outputUrl === `${versions.versionedPath}/docs/compatibility.html` ? 'selected' : '') Version Compatibility
               li.pure-menu-item

lib/cursor/QueryCursor.js

@@ -66,6 +66,7 @@ function QueryCursor(query, options) {
       // Max out the number of documents we'll populate in parallel at 5000.
       this.options._populateBatchSize = Math.min(this.options.batchSize, 5000);
     }
+    Object.assign(this.options, query._optionsForExec());
     model.collection.find(query._conditions, this.options, (err, cursor) => {
       if (err != null) {
         _this._markError(err);

lib/document.js

@@ -740,6 +740,10 @@ function init(self, obj, doc, opts, prefix) {
 
   function _init(index) {
     i = keys[index];
+    // avoid prototype pollution
+    if (i === '__proto__' || i === 'constructor') {
+      return;
+    }
     path = prefix + i;
     schemaType = docSchema.path(path);
 

lib/schema/uuid.js

@@ -8,7 +8,6 @@ const MongooseBuffer = require('../types/buffer');
 const SchemaType = require('../schematype');
 const CastError = SchemaType.CastError;
 const utils = require('../utils');
-const isBsonType = require('../helpers/isBsonType');
 const handleBitwiseOperator = require('./operators/bitwise');
 
 const UUID_FORMAT = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}/i;
@@ -86,7 +85,13 @@ function binaryToString(uuidBin) {
 
 function SchemaUUID(key, options) {
   SchemaType.call(this, key, options, 'UUID');
-  this.getters.push(binaryToString);
+  this.getters.push(function(value) {
+    // For populated
+    if (value != null && value.$__ != null) {
+      return value;
+    }
+    return binaryToString(value);
+  });
 }
 
 /**
@@ -110,7 +115,7 @@ SchemaUUID.prototype.constructor = SchemaUUID;
  */
 
 SchemaUUID._cast = function(value) {
-  if (value === null) {
+  if (value == null) {
     return value;
   }
 
@@ -247,11 +252,8 @@ SchemaUUID.prototype.checkRequired = function checkRequired(value) {
  */
 
 SchemaUUID.prototype.cast = function(value, doc, init) {
-  if (SchemaType._isRef(this, value, doc, init)) {
-    if (isBsonType(value, 'UUID')) {
-      return value;
-    }
-
+  if (utils.isNonBuiltinObject(value) &&
+      SchemaType._isRef(this, value, doc, init)) {
     return this._castRef(value, doc, init);
   }
 

lib/schematype.js

@@ -1521,6 +1521,7 @@ SchemaType.prototype._castRef = function _castRef(value, doc, init) {
   const path = doc.$__fullPath(this.path, true);
   const owner = doc.ownerDocument();
   const pop = owner.$populated(path, true);
+
   let ret = value;
   if (!doc.$__.populated ||
     !doc.$__.populated[path] ||

lib/utils.js

@@ -4,6 +4,7 @@
  * Module dependencies.
  */
 
+const UUID = require('bson').UUID;
 const ms = require('ms');
 const mpath = require('mpath');
 const ObjectId = require('./types/objectid');
@@ -406,6 +407,7 @@ exports.isNonBuiltinObject = function isNonBuiltinObject(val) {
   return typeof val === 'object' &&
     !exports.isNativeObject(val) &&
     !exports.isMongooseType(val) &&
+    !(val instanceof UUID) &&
     val != null;
 };
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "mongoose",
   "description": "Mongoose MongoDB ODM",
-  "version": "6.11.1",
+  "version": "6.11.3",
   "author": "Guillermo Rauch <guillermo@learnboost.com>",
   "keywords": [
     "mongodb",

test/collection.capped.test.js

@@ -46,6 +46,7 @@ describe('collections: capped:', function() {
     capped.set('capped', { size: 1000 });
     const Capped = db.model('Test', capped, 'Test');
     await Capped.init();
+    await Capped.createCollection();
     await new Promise((resolve) => setTimeout(resolve, 100));
 
     const isCapped = await Capped.collection.isCapped();

test/connection.test.js

@@ -1011,21 +1011,6 @@ describe('connections:', function() {
     assert.throws(() => m.model('Test', Schema({ name: String })), /overwrite/);
   });
 
-  it('can use destructured `connect` and `disconnect` (gh-9597)', async function() {
-    const m = new mongoose.Mongoose();
-    const connect = m.connect;
-    const disconnect = m.disconnect;
-
-    await disconnect();
-    await new Promise((resolve) => setTimeout(resolve, 0));
-
-    const errorOnConnect = await connect(start.uri).then(() => null, err => err);
-    assert.ifError(errorOnConnect);
-
-    const errorOnDisconnect = await disconnect().then(() => null, err => err);
-    assert.ifError(errorOnDisconnect);
-  });
-
   describe('when connecting with a secondary read preference(gh-9374)', function() {
     describe('mongoose.connect', function() {
       it('forces autoIndex & autoCreate to be false if read preference is secondary or secondaryPreferred', async function() {

test/document.test.js

@@ -12278,6 +12278,24 @@ describe('document', function() {
     assert.equal(fromDb.obj.subArr.length, 1);
     assert.equal(fromDb.obj.subArr[0].str, 'subArr.test1');
   });
+
+  it('avoids prototype pollution on init', async function() {
+    const Example = db.model('Example', new Schema({ hello: String }));
+
+    const example = await new Example({ hello: 'world!' }).save();
+    await Example.findByIdAndUpdate(example._id, {
+      $rename: {
+        hello: '__proto__.polluted'
+      }
+    });
+
+    // this is what causes the pollution
+    await Example.find();
+
+    const test = {};
+    assert.strictEqual(test.polluted, undefined);
+    assert.strictEqual(Object.prototype.polluted, undefined);
+  });
 });
 
 describe('Check if instance function that is supplied in schema option is availabe', function() {

test/query.cursor.test.js

@@ -844,6 +844,30 @@ describe('QueryCursor', function() {
     const docs = await Example.find().sort('foo');
     assert.deepStrictEqual(docs.map(d => d.foo), ['example1', 'example2']);
   });
+
+  it('should allow middleware to run before applying _optionsForExec() gh-13417', async function() {
+    const testSchema = new Schema({
+      a: Number,
+      b: Number,
+      c: Number
+    });
+    testSchema.pre('find', function() {
+      this.select('-c');
+    });
+    const Test = db.model('gh13417', testSchema);
+    await Test.create([{ a: 1, b: 1, c: 1 }, { a: 2, b: 2, c: 2 }]);
+    const cursorMiddleSelect = [];
+    let r;
+    const cursor = Test.find().select('-b').sort({ a: 1 }).cursor();
+    // eslint-disable-next-line no-cond-assign
+    while (r = await cursor.next()) {
+      cursorMiddleSelect.push(r);
+    }
+    assert.equal(typeof cursorMiddleSelect[0].b, 'undefined');
+    assert.equal(typeof cursorMiddleSelect[1].b, 'undefined');
+    assert.equal(typeof cursorMiddleSelect[0].c, 'undefined');
+    assert.equal(typeof cursorMiddleSelect[1].c, 'undefined');
+  });
 });
 
 async function delay(ms) {

test/schema.uuid.test.js

@@ -3,9 +3,8 @@
 const start = require('./common');
 const util = require('./util');
 
-const bson = require('bson');
-
 const assert = require('assert');
+const bson = require('bson');
 
 const mongoose = start.mongoose;
 const Schema = mongoose.Schema;
@@ -129,6 +128,27 @@ describe('SchemaUUID', function() {
     assert.equal(organization, undefined);
   });
 
+  it('works with populate (gh-13267)', async function() {
+    const userSchema = new mongoose.Schema({
+      _id: { type: 'UUID', default: () => uuidv4() },
+      name: String,
+      createdBy: {
+        type: 'UUID',
+        ref: 'User'
+      }
+    });
+    const User = db.model('User', userSchema);
+
+    const u1 = await User.create({ name: 'admin' });
+    const { _id } = await User.create({ name: 'created', createdBy: u1._id });
+
+    const pop = await User.findById(_id).populate('createdBy').orFail();
+    assert.equal(pop.createdBy.name, 'admin');
+    assert.equal(pop.createdBy._id.toString(), u1._id.toString());
+
+    await pop.save();
+  });
+
   // the following are TODOs based on SchemaUUID.prototype.$conditionalHandlers which are not tested yet
   it('should work with $bits* operators');
   it('should work with $all operator');