From fb8b644b7ffdd2799f23bb2d8dd1ba875ec8323a Mon Sep 17 00:00:00 2001
From: Valeri Karpov
Date: Thu, 30 Aug 2018 12:36:01 -0400
Subject: [PATCH] fix(document): disallow setting constructor and prototype if strict mode false
---
 lib/document.js | 4 +++-
 test/document.test.js | 6 +++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/document.js b/lib/document.js
index 05ade1ac54..fe514a93be 100644
--- a/lib/document.js
+++ b/lib/document.js
@@ -31,6 +31,8 @@ var flatten = require('./services/common').flatten;
 var mpath = require('mpath');
 var idGetter = require('./plugins/idGetter');
+var specialProperties = ['__proto__', 'constructor', 'prototype'];
+
 /**
 * Document constructor.
 *
@@ -917,7 +919,7 @@ Document.prototype.$__set = function(pathToMark, path, constructing, parts, sche
 var next = i + 1;
 var last = next === l;
 cur += (cur ? '.' + parts[i] : parts[i]);
- if (parts[i] === '__proto__') {
+ if (specialProperties.indexOf(parts[i]) !== -1) {
 return;
 }
diff --git a/test/document.test.js b/test/document.test.js
index 1d5f132dd0..a36ae60e55 100644
--- a/test/document.test.js
+++ b/test/document.test.js
@@ -4964,7 +4964,7 @@ describe('document', function() {
 done();
 });
- it('Disallows writing to __proto__', function(done) {
+ it('Disallows writing to __proto__ and other special properties', function(done) {
 var schema = new mongoose.Schema({
 name: String
 }, { strict: false });
@@ -4977,6 +4977,10 @@ describe('document', function() {
 assert.strictEqual(Model.y, void 0);
+ doc.set('constructor.prototype.z', 'baz');
+
+ assert.strictEqual(Model.z, void 0);
+
 done();
 });
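Review bot: `specialProperties` in lib/document.js (hunk at -31,6) is declared without a comment saying why these three names are rejected, so a later maintainer could trim or bypass the list without realising it is the prototype-pollution guard for dotted paths. I would add above it `// Path segments that must never be written through set(): on a plain object they resolve to Object.prototype or a constructor, so assigning through them pollutes shared prototypes.` Because this is a denylist private to this module, the comment should also say that any other code walking user-supplied dotted paths needs the same check; whether such code exists is not visible in this patch.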
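Review bot: In the `$__set` hunk of lib/document.js (-917,7) the `return` on a special segment fires inside the per-segment loop, so a path is rejected only when the walk reaches the offending segment; whatever the loop or the earlier part of `$__set` already did for the preceding segments is presumably left in place, and the caller gets no signal that the write was dropped. Checking the whole array before the loop, e.g. `if (parts.some(function(p) { return specialProperties.indexOf(p) !== -1; })) { return; }`, would make the rejection all-or-nothing. A comment such as `// Silently ignore any path containing __proto__, constructor or prototype to prevent prototype pollution` would also record that `strict: false` documents can no longer store fields with those names. The body of `$__set` starts and ends outside the hunk, so the loop shape is inferred from `i`, `l` and `last`.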
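Review bot: The added case in test/document.test.js (hunk at -4977,6) asserts on `Model.z`, which would presumably change only through inheritance from a polluted `Object.prototype`; asserting the target directly with `assert.strictEqual(Object.prototype.z, void 0);` pins the behaviour the fix is meant to guarantee. The added lines exercise only `doc.set()` with a `constructor.prototype` path, so a bare `prototype` segment, the third entry of the new list, is not covered, and neither is passing such a key to the model constructor. If an assertion here ever fails, the polluted property would stay in place for later tests, so deleting it in cleanup is worth considering. The test body starts outside the hunk.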