diff --git a/lib/document.js b/lib/document.js
index 65007d9a25e..05ade1ac540 100644
--- a/lib/document.js
+++ b/lib/document.js
@@ -917,6 +917,9 @@ Document.prototype.$__set = function(pathToMark, path, constructing, parts, sche
 var next = i + 1;
 var last = next === l;
 cur += (cur ? '.' + parts[i] : parts[i]);
+ if (parts[i] === '__proto__') {
+ return;
+ }
 if (last) {
 obj[parts[i]] = val;
diff --git a/package-lock.json b/package-lock.json
index 36fb84996c6..6a4f91c9ba9 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2126,9 +2126,9 @@
 "dev": true
 },
 "mpath": {
- "version": "0.3.0",
- "resolved": "https://registry.npmjs.org/mpath/-/mpath-0.3.0.tgz",
- "integrity": "sha1-elj3iem1/TyUUgY0FXlg8mvV70Q="
+ "version": "0.5.0",
+ "resolved": "https://registry.npmjs.org/mpath/-/mpath-0.5.0.tgz",
+ "integrity": "sha512-GJvQ1Iokij45SH/uJB03RkJ3HD5zJFhqzYFtUKkz+h9ZNxK18svUTef0/hIJbIPUfNln+tGdTZQ+KMazKvqIEA=="
 },
 "mpromise": {
 "version": "0.5.5",
diff --git a/package.json b/package.json
index c4992d98b87..404e668c9ad 100644
--- a/package.json
+++ b/package.json
@@ -25,7 +25,7 @@
 "kareem": "1.5.0",
 "lodash.get": "4.4.2",
 "mongodb": "2.2.34",
- "mpath": "0.3.0",
+ "mpath": "0.5.0",
 "mpromise": "0.5.5",
 "mquery": "2.3.3",
 "ms": "2.0.0",
diff --git a/test/document.test.js b/test/document.test.js
index 1c053e72744..4820e5091f3 100644
--- a/test/document.test.js
+++ b/test/document.test.js
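Review bot: The guard at `+ if (parts[i] === '__proto__')` closes only one prototype-pollution path; a dotted path with a `constructor` or `prototype` segment (e.g. `constructor.prototype.x`) is still accepted, and if the non-last branch outside this hunk descends with `obj = obj[parts[i]]` as the visible last-segment write `obj[parts[i]] = val` suggests, such a path lands on the model's prototype and is inherited by every document. Widen the check to the usual trio: `if (parts[i] === '__proto__' || parts[i] === 'constructor' || parts[i] === 'prototype') {` `return;` `}`. The bare `return` also drops the write silently; consider throwing or at least logging so a rejected key is not mistaken for a successful set. `$__set` begins before this hunk and its loop body continues past it.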
@@ -4964,6 +4964,22 @@ describe('document', function() {
 done();
 });
+ it('Disallows writing to __proto__', function(done) {
+ const schema = new mongoose.Schema({
+ name: String
+ }, { strict: false });
+
+ const Model = db.model('prototest', schema);
+ const doc = new Model({ '__proto__.x': 'foo' });
+
+ assert.strictEqual(Model.x, void 0);
+ doc.set('__proto__.y', 'bar');
+
+ assert.strictEqual(Model.y, void 0);
+
+ done();
+ });
+
 it('Single nested subdocs using discriminator can be modified (gh-5693)', function(done) {
 var eventSchema = new Schema({ message: String }, {
 discriminatorKey: 'kind',
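Review bot: The assertions `assert.strictEqual(Model.x, void 0)` and `assert.strictEqual(Model.y, void 0)` detect the pollution only indirectly through `Model`'s prototype chain, and if the guard ever regresses the property written onto `Object.prototype` stays there for the rest of the test run and can mask or break unrelated cases. Assert on a fresh plain object too, `assert.strictEqual({}.x, void 0);`, and clean up in an `afterEach` (or a `finally`) with `delete Object.prototype.x; delete Object.prototype.y;` so a failure here does not cascade. The new case also uses `const` where the neighbouring test in this hunk uses `var`; follow whichever convention the file already settled on.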