overleaf/server-ce/hotfix/3.5.10/mongoose_proto.patch

13 lines
375 B
Diff
Raw Permalink Normal View History

--- node_modules/mongoose/lib/document.js
+++ node_modules/mongoose/lib/document.js
@@ -689,6 +689,10 @@ function init(self, obj, doc, opts, prefix) {
function _init(index) {
i = keys[index];
+ // avoid prototype pollution
+ if (i === '__proto__' || i === 'constructor') {
+ return;
+ }
path = prefix + i;
schema = self.$__schema.path(path);