Merge branch 'vkarpov15/avoid-prototype-pollution'

Automattic · Jul 10, 2023 · 02699fa · 02699fa
2 parents 2188458 + cc722a1
commit 02699fa
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/lib/document.js b/lib/document.js
@@ -741,6 +741,10 @@ function init(self, obj, doc, opts, prefix) {
 
   function _init(index) {
     i = keys[index];
+    // avoid prototype pollution
+    if (i === '__proto__' || i === 'constructor') {
+      return;
+    }
     path = prefix + i;
     schemaType = docSchema.path(path);
 

diff --git a/test/document.test.js b/test/document.test.js
@@ -12233,6 +12233,36 @@ describe('document', function() {
     assert.deepStrictEqual(doc.elements[0].modifiedPaths(), []);
     assert.deepStrictEqual(doc.elements[1].modifiedPaths(), []);
   });
+
+  it('avoids prototype pollution on init', async function() {
+    const Example = db.model('Example', new Schema({ hello: String }));
+
+    const example = await new Example({ hello: 'world!' }).save();
+    await Example.findByIdAndUpdate(example._id, {
+      $rename: {
+        hello: '__proto__.polluted'
+      }
+    });
+
+    // this is what causes the pollution
+    await Example.find();
+
+    const test = {};
+    assert.strictEqual(test.polluted, undefined);
+    assert.strictEqual(Object.prototype.polluted, undefined);
+
+    const example2 = await new Example({ hello: 'world!' }).save();
+    await Example.findByIdAndUpdate(example2._id, {
+      $rename: {
+        hello: 'constructor.polluted'
+      }
+    });
+
+    await Example.find();
+    const test2 = {};
+    assert.strictEqual(test2.constructor.polluted, undefined);
+    assert.strictEqual(Object.polluted, undefined);
+  });
 });
 
 describe('Check if instance function that is supplied in schema option is availabe', function() {