fix(document): disallow setting __proto__ if strict mode false

Automattic · Aug 30, 2018 · a3b98f6 · a3b98f6
1 parent a738273
commit a3b98f6
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 4 deletions.
diff --git a/lib/document.js b/lib/document.js
@@ -917,6 +917,9 @@ Document.prototype.$__set = function(pathToMark, path, constructing, parts, sche
     var next = i + 1;
     var last = next === l;
     cur += (cur ? '.' + parts[i] : parts[i]);
+    if (parts[i] === '__proto__') {
+      return;
+    }
 
     if (last) {
       obj[parts[i]] = val;

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -25,7 +25,7 @@
     "kareem": "1.5.0",
     "lodash.get": "4.4.2",
     "mongodb": "2.2.34",
-    "mpath": "0.3.0",
+    "mpath": "0.5.0",
     "mpromise": "0.5.5",
     "mquery": "2.3.3",
     "ms": "2.0.0",

diff --git a/test/document.test.js b/test/document.test.js
@@ -4964,6 +4964,22 @@ describe('document', function() {
       done();
     });
 
+    it('Disallows writing to __proto__', function(done) {
+      const schema = new mongoose.Schema({
+        name: String
+      }, { strict: false });
+
+      const Model = db.model('prototest', schema);
+      const doc = new Model({ '__proto__.x': 'foo' });
+
+      assert.strictEqual(Model.x, void 0);
+      doc.set('__proto__.y', 'bar');
+
+      assert.strictEqual(Model.y, void 0);
+
+      done();
+    });
+
     it('Single nested subdocs using discriminator can be modified (gh-5693)', function(done) {
       var eventSchema = new Schema({ message: String }, {
         discriminatorKey: 'kind',