Skip to content

Commit

Permalink
Merge pull request #12297 from shubanker/issue/prototype-pollution-5.…
Browse files Browse the repository at this point in the history
…x-patch

CVE-2022-2564 vulnerability for version 5.x
  • Loading branch information
vkarpov15 authored Aug 21, 2022
2 parents a2ec28d + 5eb11dd commit 99b4189
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 0 deletions.
7 changes: 7 additions & 0 deletions lib/schema.js
Original file line number Diff line number Diff line change
Expand Up @@ -478,6 +478,10 @@ Schema.prototype.add = function add(obj, prefix) {
const keys = Object.keys(obj);

for (const key of keys) {
if (utils.specialProperties.has(key)) {
continue;
}

const fullPath = prefix + key;

if (obj[key] == null) {
Expand Down Expand Up @@ -663,6 +667,9 @@ Schema.prototype.path = function(path, obj) {
let fullPath = '';

for (const sub of subpaths) {
if (utils.specialProperties.has(sub)) {
throw new Error('Cannot set special property `' + sub + '` on a schema');
}
fullPath = fullPath += (fullPath.length > 0 ? '.' : '') + sub;
if (!branch[sub]) {
this.nested[fullPath] = true;
Expand Down
10 changes: 10 additions & 0 deletions test/schema.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -2682,4 +2682,14 @@ describe('schema', function() {
assert.equal(TestSchema.path('testprop.$*').instance, 'Number');
assert.equal(TestSchema.path('testprop.$*').options.ref, 'OtherModel');
});

it('disallows setting special properties with `add()` or constructor (gh-12085)', function() {
const maliciousPayload = '{"__proto__.toString": "Number"}';

assert.throws(() => {
mongoose.Schema(JSON.parse(maliciousPayload));
}, /__proto__/);

assert.ok({}.toString());
});
});

0 comments on commit 99b4189

Please # to comment.