Merge pull request Automattic#14985 from Automattic/vkarpov15/Automatticgh-14657

vkarpov15 · web-flow · commit 663f21e1fce1 · 2024-10-28T09:49:47.000-04:00
fix(query): make sanitizeFilter disable implicit $in
diff --git a/lib/cast.js b/lib/cast.js
@@ -28,6 +28,7 @@ const ALLOWED_GEOWITHIN_GEOJSON_TYPES = ['Polygon', 'MultiPolygon'];
  * @param {Object} [options] the query options
  * @param {Boolean|"throw"} [options.strict] Wheter to enable all strict options
  * @param {Boolean|"throw"} [options.strictQuery] Enable strict Queries
+ * @param {Boolean} [options.sanitizeFilter] avoid adding implict query selectors ($in)
  * @param {Boolean} [options.upsert]
  * @param {Query} [context] passed to setters
  * @api private
@@ -372,7 +373,7 @@ module.exports = function cast(schema, obj, options, context) {
 
           }
         }
-      } else if (Array.isArray(val) && ['Buffer', 'Array'].indexOf(schematype.instance) === -1) {
+      } else if (Array.isArray(val) && ['Buffer', 'Array'].indexOf(schematype.instance) === -1 && !options.sanitizeFilter) {
         const casted = [];
         const valuesArray = val;
 
diff --git a/lib/query.js b/lib/query.js
@@ -4900,6 +4900,9 @@ Query.prototype.cast = function(model, obj) {
       opts.strictQuery = this.options.strictQuery;
     }
   }
+  if ('sanitizeFilter' in this._mongooseOptions) {
+    opts.sanitizeFilter = this._mongooseOptions.sanitizeFilter;
+  }
 
   try {
     return cast(model.schema, obj, opts, this);
diff --git a/test/query.test.js b/test/query.test.js
@@ -3520,6 +3520,21 @@ describe('Query', function() {
     assert.ifError(q.error());
     assert.deepEqual(q._conditions, { username: 'val', pwd: { $gt: null } });
   });
+
+  it('sanitizeFilter disables implicit $in (gh-14657)', function() {
+    const schema = new mongoose.Schema({
+      name: {
+        type: String
+      }
+    });
+    const Test = db.model('Test', schema);
+
+    const q = Test.find({ name: ['foobar'] }).setOptions({ sanitizeFilter: true });
+    q._castConditions();
+    assert.ok(q.error());
+    assert.equal(q.error().name, 'CastError');
+  });
+
   it('should not error when $not is used with $size (gh-10716)', async function() {
     const barSchema = Schema({
       bar: String

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@ const ALLOWED_GEOWITHIN_GEOJSON_TYPES = ['Polygon', 'MultiPolygon'];`
`28`	`28`	`* @param {Object} [options] the query options`
`29`	`29`	`* @param {Boolean\|"throw"} [options.strict] Wheter to enable all strict options`
`30`	`30`	`* @param {Boolean\|"throw"} [options.strictQuery] Enable strict Queries`
	`31`	`+ * @param {Boolean} [options.sanitizeFilter] avoid adding implict query selectors ($in)`
`31`	`32`	`* @param {Boolean} [options.upsert]`
`32`	`33`	`* @param {Query} [context] passed to setters`
`33`	`34`	`* @api private`
`@@ -372,7 +373,7 @@ module.exports = function cast(schema, obj, options, context) {`
`372`	`373`
`373`	`374`	`}`
`374`	`375`	`}`
`375`		`- } else if (Array.isArray(val) && ['Buffer', 'Array'].indexOf(schematype.instance) === -1) {`
	`376`	`+ } else if (Array.isArray(val) && ['Buffer', 'Array'].indexOf(schematype.instance) === -1 && !options.sanitizeFilter) {`
`376`	`377`	`const casted = [];`
`377`	`378`	`const valuesArray = val;`
`378`	`379`
Original file line number	Diff line number	Diff line change
`@@ -4900,6 +4900,9 @@ Query.prototype.cast = function(model, obj) {`
`4900`	`4900`	`opts.strictQuery = this.options.strictQuery;`
`4901`	`4901`	`}`
`4902`	`4902`	`}`
	`4903`	`+ if ('sanitizeFilter' in this._mongooseOptions) {`
	`4904`	`+ opts.sanitizeFilter = this._mongooseOptions.sanitizeFilter;`
	`4905`	`+ }`
`4903`	`4906`
`4904`	`4907`	`try {`
`4905`	`4908`	`return cast(model.schema, obj, opts, this);`