@@ -554,6 +554,10 @@ Schema.prototype.add = function add(obj, prefix) {
554554 const keys = Object . keys ( obj ) ;
555555 const typeKey = this . options . typeKey ;
556556 for ( const key of keys ) {
557+ if ( utils . specialProperties . has ( key ) ) {
558+ continue ;
559+ }
560+
557561 const fullPath = prefix + key ;
558562 const val = obj [ key ] ;
559563
@@ -854,6 +858,9 @@ Schema.prototype.path = function(path, obj) {
854858 let fullPath = '' ;
855859
856860 for ( const sub of subpaths ) {
861+ if ( utils . specialProperties . has ( sub ) ) {
862+ throw new Error ( 'Cannot set special property `' + sub + '` on a schema' ) ;
863+ }
857864 fullPath = fullPath += ( fullPath . length > 0 ? '.' : '' ) + sub ;
858865 if ( ! branch [ sub ] ) {
859866 this . nested [ fullPath ] = true ;
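Review bot: The guard added in `add()` (new line 557) silently skips a special-property key with `continue`, while the guard added in `path()` (new line 861) throws for the same condition, so a top-level `__proto__` key in a schema definition is dropped without any signal whereas a dotted `__proto__.toString` is rejected with an error. If the silent skip is deliberate, say so in a comment above the `if`, e.g. `// Special properties such as __proto__ are never schema paths: skip them here; path() throws when one appears as a dotted subpath` — otherwise consider throwing here as well so callers and tests can see that a key was rejected. Note also that the membership test runs on the raw `key`, before `prefix` is applied, so only exact top-level matches are caught at this level; nested definitions presumably reach the same check when `add()` recurses with a prefix, but that recursion is outside the hunk. The bodies of both `add()` and `path()` continue beyond their hunks.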
@@ -2792,4 +2792,14 @@ describe('schema', function() {
27922792 } ) ;
27932793 } , / C a n n o t u s e s c h e m a - l e v e l p r o j e c t i o n s .* s u b d o c u m e n t _ m a p p i n g .n o t _ s e l e c t e d / ) ;
27942794 } ) ;
2795+
2796+ it ( 'disallows setting special properties with `add()` or constructor (gh-12085)' , async function ( ) {
2797+ const maliciousPayload = '{"__proto__.toString": "Number"}' ;
2798+
2799+ assert . throws ( ( ) => {
2800+ mongoose . Schema ( JSON . parse ( maliciousPayload ) ) ;
2801+ } , / _ _ p r o t o _ _ / ) ;
2802+
2803+ assert . ok ( { } . toString ( ) ) ;
2804+ } ) ;
27952805} ) ;
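Review bot: The test title promises coverage of `add()` as well as the constructor, but the body only calls `mongoose.Schema(JSON.parse(maliciousPayload))`; an explicit `assert.throws(() => new mongoose.Schema().add(JSON.parse(maliciousPayload)), /__proto__/);` would pin the `add()` entry point independently of the constructor. The final `assert.ok({}.toString())` only detects pollution indirectly — if `toString` had been replaced by the string `"Number"`, the call would fail with a TypeError rather than an assertion message — so `assert.strictEqual(typeof Object.prototype.toString, 'function');` states the intent more directly. The callback is declared `async` but awaits nothing, so the modifier can be dropped. The enclosing `describe` block starts outside the hunk.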