-
-
Notifications
You must be signed in to change notification settings - Fork 3.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Query results are replaced with values from select method #10142
Comments
I just realized this is happening on the MongoDB shell as well; this doesn't have anything to do with Mongoose. |
I reported this to MongoDB: https://jira.mongodb.org/browse/SERVER-56130 |
97f851 should fix this issue in Mongoose once we release v5.12.6. I'm in contact with MongoDB via email to figure out disclosure. |
This appears to be an issue that will not be fixed: https://jira.mongodb.org/browse/SERVER-57248?focusedCommentId=3844476&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-3844476 To summarize:
|
Follow #10243 for updates. We'll be adding features to help protect against projection injections. |
Do you want to request a feature or report a bug?
Report a bug.
What is the current behavior?
When using the select method with an object and
String
values the result is replaced with the values from the select statement.If the current behavior is a bug, please provide the steps to reproduce.
https://gist.github.com/jwerre/ef447dc1d60a48865c8574dff73d7a69
What is the expected behavior?
In MongoDB Version 4.2 the Gist above works fine, but if you switch to MongoDB 4.4 the query replaces the values with the select strings. In the Gist above you'll find the following behavior:
Result in MongoDB <=4.2:
Result in MongoDB 4.4:
What are the versions of Node.js, Mongoose and MongoDB you are using? Note that "latest" is not a version.
Node.js: v12.18.4
MongoDB: 4.4
Mongoose: 5.12.4
The text was updated successfully, but these errors were encountered: