fix: avoid prototype pollution on init
vkarpov15 committed Jul 9, 2023
1 parent b336ed8 commit e29578d
Showing 2 changed files with 22 additions and 0 deletions.
4 changes: 4 additions & 0 deletions lib/document.js
Expand Up @@ -741,6 +741,10 @@ function init(self, obj, doc, opts, prefix) {

function _init(index) {
i = keys[index];
// avoid prototype pollution
if (i === '__proto__' || i === 'constructor') {
return;
}
path = prefix + i;
schemaType = docSchema.path(path);

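Review bot: The guard at `if (i === '__proto__' || i === 'constructor')` silently drops the key with no comment explaining why these two names are special or why `prototype` (the third key in the usual prototype-pollution denylist) is left out; a future reader may "fix" the list in either direction without knowing the reasoning. I would expand the comment to something like `// Skip keys that could reach Object.prototype via __proto__ or constructor.prototype; such keys cannot be valid schema paths, so dropping them loses nothing`, and, if the codebase already keeps a shared set of reserved keys for its cast/update paths, reuse that helper here instead of a second hard-coded list so the two cannot drift apart. Note that this only protects the hydration path in `_init`; any other place that walks raw DB keys into a document would presumably need the same check, which I cannot confirm from this hunk. The enclosing `init` function starts before this hunk and `_init` continues after it.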
18 changes: 18 additions & 0 deletions test/document.test.js
Expand Up @@ -12212,6 +12212,24 @@ describe('document', function() {
const fromDb = await Test.findById(x._id).lean();
assert.equal(fromDb.c.x.y, 1);
});

it('avoids prototype pollution on init', async function() {
const Example = db.model('Example', new Schema({ hello: String }));

const example = await new Example({ hello: 'world!' }).save();
await Example.findByIdAndUpdate(example._id, {
$rename: {
hello: '__proto__.polluted'
}
});

// this is what causes the pollution
await Example.find();

const test = {};
assert.strictEqual(test.polluted, undefined);
assert.strictEqual(Object.prototype.polluted, undefined);
});
});

describe('Check if instance function that is supplied in schema option is availabe', function() {
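Review bot: The new test only exercises the `__proto__` half of the guard; the `constructor` branch added in lib/document.js is untested, so a regression there would pass this suite. I would add a second `$rename` to `'constructor.prototype.polluted'` (or a parametrized pair of cases) with the same two assertions. The test also has no cleanup: if the guard ever regresses, `Object.prototype.polluted` stays set for the rest of the process and can make unrelated tests fail confusingly, so wrap the assertions in a `try`/`finally` that does `delete Object.prototype.polluted;`. The enclosing `describe('document', ...)` block starts before this hunk.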

0 comments on commit e29578d

Please sign in to comment.