Permalink
Browse files

fix(document): disallow setting constructor and prototype if strict m…

…ode false
  • Loading branch information...
vkarpov15 committed Aug 30, 2018
1 parent b33d8c2 commit fb8b644b7ffdd2799f23bb2d8dd1ba875ec8323a
Showing with 8 additions and 2 deletions.
  1. +3 −1 lib/document.js
  2. +5 −1 test/document.test.js
@@ -31,6 +31,8 @@ var flatten = require('./services/common').flatten;
var mpath = require('mpath');
var idGetter = require('./plugins/idGetter');
var specialProperties = ['__proto__', 'constructor', 'prototype'];
/**
* Document constructor.
*
@@ -917,7 +919,7 @@ Document.prototype.$__set = function(pathToMark, path, constructing, parts, sche
var next = i + 1;
var last = next === l;
cur += (cur ? '.' + parts[i] : parts[i]);
if (parts[i] === '__proto__') {
if (specialProperties.indexOf(parts[i]) !== -1) {
return;
}
@@ -4964,7 +4964,7 @@ describe('document', function() {
done();
});
it('Disallows writing to __proto__', function(done) {
it('Disallows writing to __proto__ and other special properties', function(done) {
var schema = new mongoose.Schema({
name: String
}, { strict: false });
@@ -4977,6 +4977,10 @@ describe('document', function() {
assert.strictEqual(Model.y, void 0);
doc.set('constructor.prototype.z', 'baz');
assert.strictEqual(Model.z, void 0);
done();
});

0 comments on commit fb8b644

Please sign in to comment.