fix: avoid prototype pollution on init

vkarpov15 · vkarpov15 · commit f1efabf35052 · 2023-07-12T14:08:29.000-04:00
diff --git a/lib/document.js b/lib/document.js
@@ -689,6 +689,10 @@ function init(self, obj, doc, opts, prefix) {
 
   function _init(index) {
     i = keys[index];
+    // avoid prototype pollution
+    if (i === '__proto__' || i === 'constructor') {
+      return;
+    }
     path = prefix + i;
     schema = self.$__schema.path(path);
 
diff --git a/test/document.test.js b/test/document.test.js
@@ -10528,4 +10528,24 @@ describe('document', function() {
       assert.ok(!band.embeddedMembers[0].member.name);
     });
   });
+
+  it('avoids prototype pollution on init', function() {
+    const Example = db.model('Example', new Schema({ hello: String }));
+
+    return co(function*() {
+      const example = yield new Example({ hello: 'world!' }).save();
+      yield Example.findByIdAndUpdate(example._id, {
+        $rename: {
+          hello: '__proto__.polluted'
+        }
+      });
+
+      // this is what causes the pollution
+      yield Example.find();
+
+      const test = {};
+      assert.strictEqual(test.polluted, undefined);
+      assert.strictEqual(Object.prototype.polluted, undefined);
+    });
+  });
 });
