fix(schema): disallow setting __proto__ when creating schema with dot…
…ted properties

Fix #12085
vkarpov15 committed Jul 19, 2022
1 parent bc302f4 commit a45cfb6
Showing 2 changed files with 17 additions and 0 deletions.
7 changes: 7 additions & 0 deletions lib/schema.js
Expand Up @@ -554,6 +554,10 @@ Schema.prototype.add = function add(obj, prefix) {
const keys = Object.keys(obj);
const typeKey = this.options.typeKey;
for (const key of keys) {
if (utils.specialProperties.has(key)) {
continue;
}

const fullPath = prefix + key;
const val = obj[key];

Expand Down Expand Up @@ -854,6 +858,9 @@ Schema.prototype.path = function(path, obj) {
let fullPath = '';

for (const sub of subpaths) {
if (utils.specialProperties.has(sub)) {
throw new Error('Cannot set special property `' + sub + '` on a schema');
}
fullPath = fullPath += (fullPath.length > 0 ? '.' : '') + sub;
if (!branch[sub]) {
this.nested[fullPath] = true;
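Review bot: The two guards disagree on how a special property is treated: `add()` in the first hunk silently skips it with `continue`, while `path()` in the second hunk throws, so a definition built from untrusted JSON with a literal key such as `{"__proto__": {...}}` is accepted without error, the key is dropped, and the attempted pollution leaves no trace while the resulting schema quietly differs from what the caller supplied. Mirroring `path()` in `add()`, `if (utils.specialProperties.has(key)) { throw new Error('Cannot set special property ' + key + ' on a schema'); }`, would make the two entry points consistent and surface the attempt; if the skip is deliberate, a one-line comment above the `continue` stating why (e.g. tolerating legitimate objects that carry such keys) would keep the next reader from "fixing" it. The contents of `utils.specialProperties` are not visible here, so whether `constructor` and `prototype` are also blocked cannot be confirmed from this commit. Both `Schema.prototype.add` and `Schema.prototype.path` begin before their hunks.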
10 changes: 10 additions & 0 deletions test/schema.test.js
Expand Up @@ -2792,4 +2792,14 @@ describe('schema', function() {
});
}, /Cannot use schema-level projections.*subdocument_mapping.not_selected/);
});

it('disallows setting special properties with `add()` or constructor (gh-12085)', async function() {
const maliciousPayload = '{"__proto__.toString": "Number"}';

assert.throws(() => {
mongoose.Schema(JSON.parse(maliciousPayload));
}, /__proto__/);

assert.ok({}.toString());
});
});
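Review bot: The test's title promises coverage of `add()` as well as the constructor, but the single payload `{"__proto__.toString": "Number"}` reaches the new check only through the dotted-path split in `path()`; the `continue` branch added to `add()` for a literal special key is never exercised. Assuming the constructor routes the definition through `add()`, a second case with `JSON.parse('{"__proto__": {"toString": "Number"}}')` followed by `assert.strictEqual(typeof Object.prototype.toString, 'function')` would pin that branch, and a `constructor.prototype.toString` payload would confirm the other members of `utils.specialProperties` if the set includes them (its contents are not shown in this commit). The closing `assert.ok({}.toString())` fails only indirectly, with a TypeError, if pollution had succeeded; `assert.strictEqual(typeof {}.toString, 'function')` states the intent directly. The `async` on the callback is unused since nothing is awaited.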
