diff --git a/.gitignore b/.gitignore
index 7164da4c246..70b24471080 100644
--- a/.gitignore
+++ b/.gitignore
@@ -41,7 +41,7 @@ test/files/main.js
package-lock.json
-.config*
+.config.js
# Compiled docs
docs/*.html
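Review bot: Narrowing `.config*` to `.config.js` means any other local file that matched the old pattern is no longer ignored and can be staged by a broad `git add`. If contributors keep connection strings or credentials in such files, the broader pattern is the safer default, with a negation line (`!<tracked-config-file>`, placeholder name) for whatever must be tracked. Whether such files exist in practice is not visible from this diff.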
@@ -50,6 +50,9 @@ docs/typescript/*.html
docs/api/*.html
index.html
+# Local Netlify folder
+.netlify
+
# yarn package-lock
yarn.lock
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 74093f5ef3f..31bb554a7d5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,10 @@
+6.4.6 / 2022-07-20
+==================
+ * fix(schema): disallow setting __proto__ when creating schema with dotted properties #12085
+ * fix(document): avoid mutating original object passed to $set() when applying defaults to nested properties #12102
+ * fix(query): apply lean transform option to top-level document #12093
+ * docs(migrating_to_6): correct example for `isObjectIdOrHexString()` #12123 [LokeshKanumoori](https://github.com/LokeshKanumoori)
+
6.4.5 / 2022-07-18
==================
* fix(model+timestamps): set timestamps on subdocuments in insertMany() #12060
diff --git a/docs/migrating_to_6.md b/docs/migrating_to_6.md
index 270624e3368..68e4a8249e0 100644
--- a/docs/migrating_to_6.md
+++ b/docs/migrating_to_6.md
@@ -194,8 +194,8 @@ mongoose.isValidObjectId(new User({ name: 'test' })); // true
// character hex strings.
mongoose.isObjectIdOrHexString(new mongoose.Types.ObjectId()); // true
mongoose.isObjectIdOrHexString('62261a65d66c6be0a63c051f'); // true
-mongoose.isValidObjectId('0123456789ab'); // false
-mongoose.isValidObjectId(6); // false
+mongoose.isObjectIdOrHexString('0123456789ab'); // false
+mongoose.isObjectIdOrHexString(6); // false
```
diff --git a/lib/document.js b/lib/document.js
index 72c12c75442..e6f73aeb774 100644
--- a/lib/document.js
+++ b/lib/document.js
@@ -1149,8 +1149,8 @@ Document.prototype.$set = function $set(path, val, type, options) {
}
if (utils.isNonBuiltinObject(valForKey) && pathtype === 'nested') {
- $applyDefaultsToNested(path[key], prefix + key, this);
this.$set(prefix + key, path[key], constructing, Object.assign({}, options, { _skipMarkModified: true }));
+ $applyDefaultsToNested(this.$get(prefix + key), prefix + key, this);
continue;
} else if (strict) {
// Don't overwrite defaults with undefined keys (gh-3981) (gh-9039)
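Review bot: The order of the two calls in the `pathtype === 'nested'` branch is now what keeps the caller's object from being mutated, but nothing on these lines says so, and a later cleanup could move `$applyDefaultsToNested` back above `$set`. A comment above the moved line would pin it, for example `// Apply defaults to the document's own copy, never to the caller's path[key] (gh-12102)`. It is also worth confirming that `this.$get(prefix + key)` always yields an object at this point, since `$applyDefaultsToNested` would otherwise receive `undefined`; its body and the rest of `$set` are outside this hunk.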
diff --git a/lib/query.js b/lib/query.js
index 1bfed85a27e..634616fe79a 100644
--- a/lib/query.js
+++ b/lib/query.js
@@ -4019,7 +4019,9 @@ Query.prototype._findAndModify = function(type, callback) {
*/
function _completeOneLean(schema, doc, path, res, opts, callback) {
- if (opts.lean && opts.lean.transform) {
+ if (opts.lean && typeof opts.lean.transform === 'function') {
+ opts.lean.transform(doc);
+
for (let i = 0; i < schema.childSchemas.length; i++) {
const childPath = path ? path + '.' + schema.childSchemas[i].model.path : schema.childSchemas[i].model.path;
const _schema = schema.childSchemas[i].schema;
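Review bot: The new top-level call `opts.lean.transform(doc);` discards the return value, so only a transform that mutates `doc` in place takes effect. A transform that returns a redacted copy, a common way to strip sensitive fields before sending a response, would leave the original fields in the result without any error. The same holds for the `for (const doc of docs)` loop added to `_completeManyLean` in the next hunk. The JSDoc above both helpers should state the contract, for example `transform is called for its side effects; its return value is ignored`. Both function bodies continue outside the hunks, so whether `doc` can be `null` when nothing matched cannot be checked from here.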
@@ -4053,7 +4055,11 @@ function _completeOneLean(schema, doc, path, res, opts, callback) {
*/
function _completeManyLean(schema, docs, path, opts, callback) {
- if (opts.lean && opts.lean.transform) {
+ if (opts.lean && typeof opts.lean.transform === 'function') {
+ for (const doc of docs) {
+ opts.lean.transform(doc);
+ }
+
for (let i = 0; i < schema.childSchemas.length; i++) {
const childPath = path ? path + '.' + schema.childSchemas[i].model.path : schema.childSchemas[i].model.path;
const _schema = schema.childSchemas[i].schema;
diff --git a/lib/schema.js b/lib/schema.js
index 781ccdbbcf8..730bddeac49 100644
--- a/lib/schema.js
+++ b/lib/schema.js
@@ -554,6 +554,10 @@ Schema.prototype.add = function add(obj, prefix) {
const keys = Object.keys(obj);
const typeKey = this.options.typeKey;
for (const key of keys) {
+ if (utils.specialProperties.has(key)) {
+ continue;
+ }
+
const fullPath = prefix + key;
const val = obj[key];
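Review bot: `add()` drops a key found in `utils.specialProperties` with a bare `continue`, while `path()` in the next hunk throws for the same names, so the two entry points treat the same bad input differently. When the definition comes from parsed untrusted JSON, silent removal also hides the fact that such a key was submitted. Throwing the same `Cannot set special property` error here would keep both paths consistent and make the rejection visible to the caller. If skipping is deliberate for backward compatibility, a comment on the `continue` should say so. The body of `add()` continues outside the hunk.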
@@ -854,6 +858,9 @@ Schema.prototype.path = function(path, obj) {
let fullPath = '';
for (const sub of subpaths) {
+ if (utils.specialProperties.has(sub)) {
+ throw new Error('Cannot set special property `' + sub + '` on a schema');
+ }
fullPath = fullPath += (fullPath.length > 0 ? '.' : '') + sub;
if (!branch[sub]) {
this.nested[fullPath] = true;
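Review bot: The check runs inside the loop, so when the special segment is not the first one, earlier iterations have already written `this.nested[fullPath] = true` before the throw. A caller that catches the error is then left with a partly updated schema. Validating all segments before the loop avoids that: `const bad = subpaths.find(s => utils.specialProperties.has(s));` followed by `if (bad !== undefined) throw ...` with the existing message. How `subpaths` is built is outside the hunk, so it should be confirmed that it holds every segment of `path`.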
diff --git a/package.json b/package.json
index bfb28d8cf16..4bf90f236f9 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
{
"name": "mongoose",
"description": "Mongoose MongoDB ODM",
- "version": "6.4.5",
+ "version": "6.4.6",
"author": "Guillermo Rauch ",
"keywords": [
"mongodb",
diff --git a/test/document.test.js b/test/document.test.js
index 160b14fbe3d..359a0ee050d 100644
--- a/test/document.test.js
+++ b/test/document.test.js
@@ -8831,7 +8831,7 @@ describe('document', function() {
assert.ok(!user.updatedAt);
});
- it('Sets default when passing undefined as value for a key in a nested subdoc (gh-9039)', async function() {
+ it('Sets default when passing undefined as value for a key in a nested subdoc (gh-12102) (gh-9039)', async function() {
const Test = db.model('Test', {
nested: {
prop: {
@@ -8841,9 +8841,11 @@ describe('document', function() {
}
});
-
- const doc = await Test.create({ nested: { prop: undefined } });
+ const obj = { nested: { prop: undefined } };
+ const doc = await Test.create(obj);
assert.equal(doc.nested.prop, 'some default value');
+
+ assert.deepStrictEqual(obj, { nested: { prop: undefined } });
});
it('allows accessing $locals when initializing (gh-9098)', function() {
diff --git a/test/query.test.js b/test/query.test.js
index 746774c5c42..1ebc5320aa4 100644
--- a/test/query.test.js
+++ b/test/query.test.js
@@ -4006,22 +4006,28 @@ describe('Query', function() {
});
const Test = db.model('gh10423', testSchema);
await Test.create({ name: 'foo', foo: [{ sub: 'Test' }, { sub: 'Testerson' }], otherName: { nickName: 'Bar' } });
- const result = await Test.find().lean({ transform: (doc) => {
- delete doc._id;
- return doc;
- } });
- assert(result[0]._id);
- assert.equal(result[0].otherName._id, undefined);
- assert.equal(result[0].foo[0]._id, undefined);
- assert.equal(result[0].foo[1]._id, undefined);
- const single = await Test.findOne().lean({ transform: (doc) => {
- delete doc._id;
- return doc;
- } });
- assert(single._id);
- assert.equal(single.otherName._id, undefined);
- assert.equal(single.foo[0]._id, undefined);
- assert.equal(single.foo[0]._id, undefined);
+
+ const result = await Test.find().lean({
+ transform: (doc) => {
+ delete doc._id;
+ return doc;
+ }
+ });
+ assert.strictEqual(result[0]._id, undefined);
+ assert.strictEqual(result[0].otherName._id, undefined);
+ assert.strictEqual(result[0].foo[0]._id, undefined);
+ assert.strictEqual(result[0].foo[1]._id, undefined);
+
+ const single = await Test.findOne().lean({
+ transform: (doc) => {
+ delete doc._id;
+ return doc;
+ }
+ });
+ assert.strictEqual(single._id, undefined);
+ assert.strictEqual(single.otherName._id, undefined);
+ assert.strictEqual(single.foo[0]._id, undefined);
+ assert.strictEqual(single.foo[0]._id, undefined);
});
it('skips applying default projections over slice projections (gh-11940)', async function() {
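Review bot: The last two assertions on `single` both check `single.foo[0]._id`, so the second array element is never verified for the `findOne()` case. The duplicate was carried over from the removed lines. The final line should read `assert.strictEqual(single.foo[1]._id, undefined);`, matching the `result[0].foo[1]` check in the `find()` half.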
diff --git a/test/schema.test.js b/test/schema.test.js
index 7bc6299e23e..56c55fe8964 100644
--- a/test/schema.test.js
+++ b/test/schema.test.js
@@ -924,6 +924,19 @@ describe('schema', function() {
assert.equal(called, true);
});
+
+ it('options param (gh-12077)', function() {
+ const Tobi = new Schema();
+ let called = false;
+
+ Tobi.plugin(function(schema, opts) {
+ assert.equal(schema, Tobi);
+ assert.deepStrictEqual(opts, { answer: 42 });
+ called = true;
+ }, { answer: 42 });
+
+ assert.equal(called, true);
+ });
});
describe('options', function() {
@@ -2792,4 +2805,14 @@ describe('schema', function() {
});
}, /Cannot use schema-level projections.*subdocument_mapping.not_selected/);
});
+
+ it('disallows setting special properties with `add()` or constructor (gh-12085)', async function() {
+ const maliciousPayload = '{"__proto__.toString": "Number"}';
+
+ assert.throws(() => {
+ mongoose.Schema(JSON.parse(maliciousPayload));
+ }, /__proto__/);
+
+ assert.ok({}.toString());
+ });
});
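Review bot: The title names `add()` and the constructor, but the test only sends a dotted key through the constructor and expects a throw, so the silent `continue` added to `add()` for a bare special key is never exercised. The post-condition `assert.ok({}.toString())` is also indirect: capturing `const original = Object.prototype.toString;` before the call and asserting `assert.strictEqual(Object.prototype.toString, original);` afterwards states the invariant explicitly. If the guard regresses, the prototype stays modified for every later test in the run, so the restore belongs in a `finally` or `afterEach`. The function is declared `async` without awaiting anything, and `mongoose.Schema(...)` is called without `new`; both work but read as accidental.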