Merge branch '6.x' into vkarpov15/gh-13191-2

Author: vkarpov15

.github/workflows/test.yml

@@ -96,7 +96,7 @@ jobs:
       - name: Setup Deno
         uses: denoland/setup-deno@v1
         with:
-          deno-version: v1.33.x
+          deno-version: v1.34.x
       - run: deno --version
       - run: npm install
       - name: Run Deno tests

CHANGELOG.md

@@ -1,3 +1,12 @@
+6.11.3 / 2023-07-11
+===================
+ * fix: avoid prototype pollution on init
+ * fix(schema): correctly handle uuids with populate() #13317 #13595
+
+6.11.2 / 2023-06-08
+===================
+ * fix(cursor): allow find middleware to modify query cursor options #13476 #13453 #13435
+
 6.11.1 / 2023-05-08
 ===================
  * fix(query): apply schema-level paths before calculating projection for findOneAndUpdate() #13348 #13340

docs/layout.pug

@@ -143,7 +143,7 @@ html(lang='en')
               li.pure-menu-item.sub-item
                 a.pure-menu-link(href=`${versions.versionedPath}/docs/api/virtualtype.html`, class=outputUrl === `${versions.versionedPath}/docs/api/virtualtype.html` ? 'selected' : '') VirtualType
               li.pure-menu-item
-                a.pure-menu-link(href=`${versions.versionedPath}/docs/migrating_to_7.html`, class=outputUrl === `${versions.versionedPath}/docs/migrating_to_7.html` ? 'selected' : '') Migration Guide
+                a.pure-menu-link(href=`${versions.versionedPath}/docs/migrating_to_6.html`, class=outputUrl === `${versions.versionedPath}/docs/migrating_to_7.html` ? 'selected' : '') Migration Guide
               li.pure-menu-item
                 a.pure-menu-link(href=`${versions.versionedPath}/docs/compatibility.html`, class=outputUrl === `${versions.versionedPath}/docs/compatibility.html` ? 'selected' : '') Version Compatibility
               li.pure-menu-item

lib/cursor/QueryCursor.js

@@ -66,6 +66,7 @@ function QueryCursor(query, options) {
       // Max out the number of documents we'll populate in parallel at 5000.
       this.options._populateBatchSize = Math.min(this.options.batchSize, 5000);
     }
+    Object.assign(this.options, query._optionsForExec());
     model.collection.find(query._conditions, this.options, (err, cursor) => {
       if (err != null) {
         _this._markError(err);

lib/document.js

@@ -740,6 +740,10 @@ function init(self, obj, doc, opts, prefix) {
 
   function _init(index) {
     i = keys[index];
+    // avoid prototype pollution
+    if (i === '__proto__' || i === 'constructor') {
+      return;
+    }
     path = prefix + i;
     schemaType = docSchema.path(path);
 

lib/schema/uuid.js

@@ -8,7 +8,6 @@ const MongooseBuffer = require('../types/buffer');
 const SchemaType = require('../schematype');
 const CastError = SchemaType.CastError;
 const utils = require('../utils');
-const isBsonType = require('../helpers/isBsonType');
 const handleBitwiseOperator = require('./operators/bitwise');
 
 const UUID_FORMAT = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}/i;
@@ -86,7 +85,13 @@ function binaryToString(uuidBin) {
 
 function SchemaUUID(key, options) {
   SchemaType.call(this, key, options, 'UUID');
-  this.getters.push(binaryToString);
+  this.getters.push(function(value) {
+    // For populated
+    if (value != null && value.$__ != null) {
+      return value;
+    }
+    return binaryToString(value);
+  });
 }
 
 /**
@@ -110,7 +115,7 @@ SchemaUUID.prototype.constructor = SchemaUUID;
  */
 
 SchemaUUID._cast = function(value) {
-  if (value === null) {
+  if (value == null) {
     return value;
   }
 
@@ -247,11 +252,8 @@ SchemaUUID.prototype.checkRequired = function checkRequired(value) {
  */
 
 SchemaUUID.prototype.cast = function(value, doc, init) {
-  if (SchemaType._isRef(this, value, doc, init)) {
-    if (isBsonType(value, 'UUID')) {
-      return value;
-    }
-
+  if (utils.isNonBuiltinObject(value) &&
+      SchemaType._isRef(this, value, doc, init)) {
     return this._castRef(value, doc, init);
   }
 

lib/schematype.js

@@ -1521,6 +1521,7 @@ SchemaType.prototype._castRef = function _castRef(value, doc, init) {
   const path = doc.$__fullPath(this.path, true);
   const owner = doc.ownerDocument();
   const pop = owner.$populated(path, true);
+
   let ret = value;
   if (!doc.$__.populated ||
     !doc.$__.populated[path] ||

lib/utils.js

@@ -4,6 +4,7 @@
  * Module dependencies.
  */
 
+const UUID = require('bson').UUID;
 const ms = require('ms');
 const mpath = require('mpath');
 const ObjectId = require('./types/objectid');
@@ -406,6 +407,7 @@ exports.isNonBuiltinObject = function isNonBuiltinObject(val) {
   return typeof val === 'object' &&
     !exports.isNativeObject(val) &&
     !exports.isMongooseType(val) &&
+    !(val instanceof UUID) &&
     val != null;
 };
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "mongoose",
   "description": "Mongoose MongoDB ODM",
-  "version": "6.11.1",
+  "version": "6.11.3",
   "author": "Guillermo Rauch <[email protected]>",
   "keywords": [
     "mongodb",

test/collection.capped.test.js

@@ -46,6 +46,7 @@ describe('collections: capped:', function() {
     capped.set('capped', { size: 1000 });
     const Capped = db.model('Test', capped, 'Test');
     await Capped.init();
+    await Capped.createCollection();
     await new Promise((resolve) => setTimeout(resolve, 100));
 
     const isCapped = await Capped.collection.isCapped();