overleaf/server-ce/hotfix/4.0.5/mongoose_proto.patch

--- services/web/node_modules/mongoose/lib/document.js
+++ services/web/node_modules/mongoose/lib/document.js
@@ -739,6 +739,10 @@ function init(self, obj, doc, opts, prefix) {

   function _init(index) {
     i = keys[index];
+    // avoid prototype pollution
+    if (i === '__proto__' || i === 'constructor') {
+      return;
+    }
     path = prefix + i;
     schemaType = docSchema.path(path);
[CE/SP] Hotfixes 3.5.10 / 4.0.5 (#13961) * [CE/SP] Hotfixes 3.5.10 / 4.0.5 * [CE/SP] include PR13122 in 4.0.5 hotfixes --------- Co-authored-by: Jakob Ackermann <jakob.ackermann@overleaf.com> GitOrigin-RevId: 68d31f4a4573d2cad1ee564a62957ad2c858cbe7 2023-07-20 06:24:55 -04:00			`--- services/web/node_modules/mongoose/lib/document.js`
			`+++ services/web/node_modules/mongoose/lib/document.js`
			`@@ -739,6 +739,10 @@ function init(self, obj, doc, opts, prefix) {`

			`function _init(index) {`
			`i = keys[index];`
			`+ // avoid prototype pollution`
			`+ if (i === '__proto__' \|\| i === 'constructor') {`
			`+ return;`
			`+ }`
			`path = prefix + i;`
			`schemaType = docSchema.path(path);`