Merge pull request #1 from zpbrent/patch-2

Security Fix for Prototype Pollution in mongoose
Automattic · Mar 22, 2021 · 3ed44ff · 3ed44ff
2 parents fba3457 + 468ab22
commit 3ed44ff
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/lib/schema.js b/lib/schema.js
@@ -466,6 +466,11 @@ Schema.prototype.add = function add(obj, prefix) {
   }
 
   prefix = prefix || '';
+  // avoid prototype pollution
+  if (prefix === '__proto__.' || prefix === 'constructor.' || prefix === 'prototype.') {
+        return this;
+  }
+
   const keys = Object.keys(obj);
 
   for (const key of keys) {