

fix(schema): disallow setting __proto__ when creating schema with dotted properties

Fix #12085
vkarpov15 authored and shubanker committed Aug 19, 2022
1 parent a2ec28d commit 6a19731
Showing 2 changed files with 17 additions and 0 deletions.
7 changes: 7 additions & 0 deletions lib/schema.js
Expand Up @@ -478,6 +478,10 @@ Schema.prototype.add = function add(obj, prefix) {
const keys = Object.keys(obj);

for (const key of keys) {
if (utils.specialProperties.has(key)) {
continue;
}

const fullPath = prefix + key;

if (obj[key] == null) {
Expand Down Expand Up @@ -663,6 +667,9 @@ Schema.prototype.path = function(path, obj) {
let fullPath = '';

for (const sub of subpaths) {
if (utils.specialProperties.has(sub)) {
throw new Error('Cannot set special property `' + sub + '` on a schema');
}
fullPath = fullPath += (fullPath.length > 0 ? '.' : '') + sub;
if (!branch[sub]) {
this.nested[fullPath] = true;
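Review bot: The two new guards handle the same condition differently: in `add()` a key found in `utils.specialProperties` is silently skipped with `continue`, while in `path()` a matching subpath throws `Cannot set special property ...`. If the fix is meant to reject such input rather than drop it, a definition such as `{ "__proto__": { ... } }` passed straight to `add()` appears to take the `continue` branch and build a schema with that key missing and no error, which callers may not expect; either throwing in both places or a comment at the `continue` explaining the choice (`// keys in specialProperties are ignored here; path() rejects them when they appear as a dotted subpath`) would make the asymmetry deliberate. The contents of `utils.specialProperties` are not visible in this diff, so which keys beyond `__proto__` are affected cannot be confirmed here. Both `Schema.prototype.add` and `Schema.prototype.path` start and end outside their hunks.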
10 changes: 10 additions & 0 deletions test/schema.test.js
Expand Up @@ -2682,4 +2682,14 @@ describe('schema', function() {
assert.equal(TestSchema.path('testprop.$*').instance, 'Number');
assert.equal(TestSchema.path('testprop.$*').options.ref, 'OtherModel');
});

it('disallows setting special properties with `add()` or constructor (gh-12085)', async function() {
const maliciousPayload = '{"__proto__.toString": "Number"}';

assert.throws(() => {
mongoose.Schema(JSON.parse(maliciousPayload));
}, /__proto__/);

assert.ok({}.toString());
});
});
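Review bot: The new test is declared `async function()` but contains no `await`, so plain `function()` would match the neighbouring tests and avoid returning a promise for no reason. Its title claims coverage of `add()` as well as the constructor, yet the only input is the dotted `__proto__.toString` key passed through `mongoose.Schema(...)`; a second case with a top-level `{ "__proto__": { ... } }` payload and a direct `schema.add(...)` call would pin whatever behavior the `add()` guard is meant to have for that shape, which this test leaves unspecified. The closing `assert.ok({}.toString())` does detect pollution indirectly, since a replaced `toString` would no longer be callable, but `assert.strictEqual(typeof {}.toString, 'function')` states the property under test more directly.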

