fix(document): disallow setting constructor and prototype if strict m…

…ode false
Automattic · Aug 30, 2018 · fb8b644 · fb8b644
1 parent b33d8c2
commit fb8b644
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/lib/document.js b/lib/document.js
@@ -31,6 +31,8 @@ var flatten = require('./services/common').flatten;
 var mpath = require('mpath');
 var idGetter = require('./plugins/idGetter');
 
+var specialProperties = ['__proto__', 'constructor', 'prototype'];
+
 /**
  * Document constructor.
  *
@@ -917,7 +919,7 @@ Document.prototype.$__set = function(pathToMark, path, constructing, parts, sche
     var next = i + 1;
     var last = next === l;
     cur += (cur ? '.' + parts[i] : parts[i]);
-    if (parts[i] === '__proto__') {
+    if (specialProperties.indexOf(parts[i]) !== -1) {
       return;
     }
 

diff --git a/test/document.test.js b/test/document.test.js
@@ -4964,7 +4964,7 @@ describe('document', function() {
       done();
     });
 
-    it('Disallows writing to __proto__', function(done) {
+    it('Disallows writing to __proto__ and other special properties', function(done) {
       var schema = new mongoose.Schema({
         name: String
       }, { strict: false });
@@ -4977,6 +4977,10 @@ describe('document', function() {
 
       assert.strictEqual(Model.y, void 0);
 
+      doc.set('constructor.prototype.z', 'baz');
+
+      assert.strictEqual(Model.z, void 0);
+
       done();
     });