fix: prevent prototype pollutions

meteorrn · Feb 16, 2024 · 1d40aa6 · 1d40aa6
1 parent de526c1
commit 1d40aa6
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 9 deletions.
diff --git a/src/Collection.js b/src/Collection.js
@@ -9,12 +9,12 @@ import { hasOwn, isPlainObject } from '../lib/utils.js';
  * @private
  * @type {object}
  */
-const observers = {};
+const observers = Object.create(null);
 /**
  * @private
  * @type {object}
  */
-const observersByComp = {};
+const observersByComp = Object.create(null);
 /**
  * Get the list of callbacks for changes on a collection
  * @param {string} type - Type of change happening.
@@ -45,7 +45,7 @@ export function getObservers(type, collection, newDocument) {
     });
   }
   // Find the observers related to the specific query
-  if (observersByComp[collection]) {
+  if (observersByComp[collection] && !(collection in {})) {
     let keys = Object.keys(observersByComp[collection]);
     for (let i = 0; i < keys.length; i++) {
       observersByComp[collection][keys[i]].callbacks.forEach(
@@ -243,14 +243,16 @@ export class Collection {
     // collection is changed it needs to be re-run
     if (Tracker.active && Tracker.currentComputation) {
       let id = Tracker.currentComputation._id;
-      observersByComp[this._name] = observersByComp[this._name] || {};
+      observersByComp[this._name] =
+        observersByComp[this._name] || Object.create(null);
       if (!observersByComp[this._name][id]) {
         let item = {
           computation: Tracker.currentComputation,
           callbacks: [],
         };
         observersByComp[this._name][id] = item;
       }
+
       let item = observersByComp[this._name][id];
 
       item.callbacks.push({

diff --git a/test/src/Collection.tests.js b/test/src/Collection.tests.js
@@ -210,6 +210,20 @@ describe('Collection', function () {
         done();
       });
     });
+    it('triggers a reactive observer', (done) => {
+      const collectionName = Random.id(6);
+      const c = new Mongo.Collection(collectionName);
+
+      Tracker.autorun((comp) => {
+        const doc = c.findOne({ foo: 1 });
+        if (doc) {
+          comp.stop();
+          done();
+        }
+      });
+
+      setTimeout(() => c.insert({ foo: 1 }), 50);
+    });
     it('does not imply prototype pollution', (done) => {
       const collectionName = Random.id(6);
       const c = new Mongo.Collection(collectionName);
@@ -221,15 +235,29 @@ describe('Collection', function () {
       });
 
       Tracker.autorun((comp) => {
-        const docs = c.find(insertDoc).fetch();
-        expect(props({})).to.deep.equal(objectProps);
-        if (docs.length > 0) {
+        if (c.find().count() < 1) {
+          return;
+        }
+
+        c._name = '__proto__';
+        try {
+          c.find(insertDoc);
+        } catch {}
+        try {
+          expect(props({})).to.deep.equal(objectProps);
+        } catch (e) {
           comp.stop();
-          done();
+          return done(e);
         }
+
+        comp.stop();
+        done();
       });
 
-      setTimeout(() => c.insert(insertDoc), 50);
+      setTimeout(() => {
+        c._name = collectionName;
+        c.insert(insertDoc);
+      }, 50);
     });
   });