Security Fix for Prototype Pollution

Fix prototype pollution when path components are not strings
mongoosejs · ready-research · Aug 31, 2021 · Aug 31, 2021 · Aug 31, 2021 · 2ed8745f931b0a9d523beb61d5bb20cfd88a3b2b
commit 2ed8745f931b0a9d523beb61d5bb20cfd88a3b2b
diff --git a/lib/index.js b/lib/index.js
@@ -143,6 +143,9 @@ exports.unset = function(path, o) {
     if (cur == null || typeof cur !== 'object' || !(parts[i] in cur)) {
       return false;
     }
+    if (typeof parts[i] !== 'string' && typeof parts[i] !== 'number') {
+      parts[i] = String(parts[i]);
+    }
     // Disallow any updates to __proto__ or special properties.
     if (ignoreProperties.indexOf(parts[i]) !== -1) {
       return false;
@@ -193,6 +196,9 @@ exports.set = function(path, val, o, special, map, _copying) {
   if (null == o) return;
 
   for (var i = 0; i < parts.length; ++i) {
+    if (typeof parts[i] !== 'string' && typeof parts[i] !== 'number') {
+      parts[i] = String(parts[i]);
+    }
     // Silently ignore any updates to `__proto__`, these are potentially
     // dangerous if using mpath with unsanitized data.
     if (ignoreProperties.indexOf(parts[i]) !== -1) {
@@ -311,4 +317,4 @@ function _setArray(obj, val, part, lookup, special, map) {
 
 function K(v) {
   return v;
-}
+}