Merge pull request #10053 from 418sec/1-npm-mongoose

vkarpov15 · web-flow · commit 91f003a16f30 · 2021-03-22T11:10:48.000-04:00
Security Fix for Prototype Pollution - huntr.dev
diff --git a/lib/schema.js b/lib/schema.js
@@ -466,6 +466,11 @@ Schema.prototype.add = function add(obj, prefix) {
   }
 
   prefix = prefix || '';
+  // avoid prototype pollution
+  if (prefix === '__proto__.' || prefix === 'constructor.' || prefix === 'prototype.') {
+        return this;
+  }
+
   const keys = Object.keys(obj);
 
   for (const key of keys) {
