fix(document): handle __proto__ in queries

Re: #7290 Re: https://medium.com/intrinsic/javascript-prototype-poisoning-vulnerabilities-in-the-wild-7bc15347c96
Automattic · Dec 10, 2018 · 22ad62a · 22ad62a
1 parent 266b546
commit 22ad62a
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 2 deletions.
diff --git a/lib/document.js b/lib/document.js
@@ -38,7 +38,7 @@ let DocumentArray;
 let MongooseArray;
 let Embedded;
 
-const specialProperties = ['__proto__', 'constructor', 'prototype'];
+const specialProperties = utils.specialProperties;
 
 /**
  * The core Mongoose document constructor. You should not call this directly,
@@ -1170,7 +1170,7 @@ Document.prototype.$__set = function(pathToMark, path, constructing, parts, sche
     const next = i + 1;
     const last = next === l;
     cur += (cur ? '.' + parts[i] : parts[i]);
-    if (specialProperties.indexOf(parts[i]) !== -1) {
+    if (specialProperties.has(parts[i])) {
       return;
     }
 

diff --git a/lib/utils.js b/lib/utils.js
@@ -18,6 +18,10 @@ let MongooseBuffer;
 let MongooseArray;
 let Document;
 
+const specialProperties = new Set(['__proto__', 'constructor', 'prototype']);
+
+exports.specialProperties = specialProperties;
+
 /*!
  * Produces a collection name from model `name`. By default, just returns
  * the model name
@@ -267,6 +271,10 @@ function cloneObject(obj, options) {
   let k;
 
   for (k in obj) {
+    if (specialProperties.has(k)) {
+      continue;
+    }
+
     val = clone(obj[k], options);
 
     if (!minimize || (typeof val !== 'undefined')) {
@@ -349,6 +357,9 @@ exports.merge = function merge(to, from, options, path) {
     if (omitNested[path]) {
       continue;
     }
+    if (specialProperties.has(key)) {
+      continue;
+    }
     if (to[key] == null) {
       to[key] = from[key];
     } else if (exports.isObject(from[key])) {
@@ -401,6 +412,9 @@ exports.toObject = function toObject(obj) {
     ret = {};
 
     for (const k in obj) {
+      if (specialProperties.has(k)) {
+        continue;
+      }
       ret[k] = toObject(obj[k]);
     }
 
@@ -822,8 +836,15 @@ exports.getFunctionName = function(fn) {
   return (fn.toString().trim().match(/^function\s*([^\s(]+)/) || [])[1];
 };
 
+/*!
+ * Decorate buffers
+ */
+
 exports.decorate = function(destination, source) {
   for (const key in source) {
+    if (specialProperties.has(key)) {
+      continue;
+    }
     destination[key] = source[key];
   }
 };
@@ -853,6 +874,9 @@ exports.mergeClone = function(to, fromObj) {
 
   while (i < len) {
     key = keys[i++];
+    if (specialProperties.has(key)) {
+      continue;
+    }
     if (typeof to[key] === 'undefined') {
       to[key] = exports.clone(fromObj[key], {
         transform: false,