
Commit a45cfb6

committed
fix(schema): disallow setting __proto__ when creating schema with dotted properties
Fix #12085
1 parent bc302f4 commit a45cfb6

2 files changed

+17
-0
lines changed


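--- a/lib/schema.js
+++ b/lib/schema.js
@@ -554,6 +554,10 @@ Schema.prototype.add = function add(obj, prefix) {
   const keys = Object.keys(obj);
   const typeKey = this.options.typeKey;
   for (const key of keys) {
+    if (utils.specialProperties.has(key)) {
+      continue;
+    }
+
     const fullPath = prefix + key;
     const val = obj[key];
 
@@ -854,6 +858,9 @@ Schema.prototype.path = function(path, obj) {
   let fullPath = '';
 
   for (const sub of subpaths) {
+    if (utils.specialProperties.has(sub)) {
+      throw new Error('Cannot set special property `' + sub + '` on a schema');
+    }
     fullPath = fullPath += (fullPath.length > 0 ? '.' : '') + sub;
     if (!branch[sub]) {
       this.nested[fullPath] = true;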
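Review bot: The guard added at the top of the `for (const key of keys)` loop in `add()` silently drops any key found in `utils.specialProperties`, while the matching guard in `path()` throws; a top-level `__proto__` key in a definition handed to the constructor is therefore discarded with no signal, which hides a misconfiguration and leaves the two entry points inconsistent. Unless the silent skip is deliberate, consider raising the same `throw new Error(...)` used in `path()` there, with `key` in place of `sub`; if it is deliberate, a one-line comment such as `// drop prototype-chain keys (e.g. __proto__) so a parsed definition cannot reach Object.prototype` would record the intent. Both `Schema.prototype.add` and `Schema.prototype.path` start and end outside these hunks, and the contents of `utils.specialProperties` are not visible on this page, so whether keys like `constructor` or `prototype` are covered cannot be confirmed here.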

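--- a/test/schema.test.js
+++ b/test/schema.test.js
@@ -2792,4 +2792,14 @@ describe('schema', function() {
       });
     }, /Cannot use schema-level projections.*subdocument_mapping.not_selected/);
   });
+
+  it('disallows setting special properties with `add()` or constructor (gh-12085)', async function() {
+    const maliciousPayload = '{"__proto__.toString": "Number"}';
+
+    assert.throws(() => {
+      mongoose.Schema(JSON.parse(maliciousPayload));
+    }, /__proto__/);
+
+    assert.ok({}.toString());
+  });
 });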
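Review bot: The new test only exercises the dotted `__proto__.toString` path, which reaches the throwing guard in `path()`; the non-dotted case handled by the `continue` in `add()` (a payload such as `JSON.parse('{"__proto__": {"polluted": true}}')`, which yields an own property named `__proto__`) has no assertion, so a regression in that branch would go unnoticed. A second case that constructs a schema from such a payload and then checks `assert.strictEqual(({}).polluted, undefined);` would close that gap. The `assert.ok({}.toString())` line after the throw is a reasonable pollution check, but it would be clearer with a comment such as `// Object.prototype.toString must be untouched after the rejected definition`. The callback is declared `async` yet awaits nothing, so a plain `function()` would match the surrounding tests; the enclosing `describe('schema', ...)` starts outside this hunk.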
