Description
Problem Description
When using the select statement with an object and String values, the result is replaced with the values from the select statement. I tried it out in 4.0 and 4.2 and this is not an issue. This is only an issue in version 4.4.
Steps to Reproduce
(function () {
  const products = ['apples', 'peaches', 'bananas', 'oranges', 'grapes', 'watermelons'];

  // Seed the collection with one document per product.
  for (let product of products) {
    let item = {
      id: new Date().getTime(),
      name: product,
      qty: Math.round(Math.random() * (50 - 1) + 1)
    };
    db.products.save(item);
  }

  // Projection with string values in place of the usual 1/0 flags.
  let results = db.products.find({}, {name: 1, qty: 'You have none!!', attack: '<scripts>alert("boo!")</scripts>'});
  printjson(results.toArray());

  db.products.drop();
})();
Expected Results
The expected results would be the actual values from the database, not fake results from the select statement.
[
  {
    "_id": ObjectId("6078ad7cc3006933c653ede5"),
    "name": "apples",
    "qty": 44
  },
  {
    "_id": ObjectId("6078ad7cc3006933c653ede6"),
    "name": "peaches",
    "qty": 47
  },
  {
    "_id": ObjectId("6078ad7cc3006933c653ede7"),
    "name": "bananas",
    "qty": 14
  },
  {
    "_id": ObjectId("6078ad7cc3006933c653ede8"),
    "name": "oranges",
    "qty": 14
  },
  {
    "_id": ObjectId("6078ad7cc3006933c653ede9"),
    "name": "grapes",
    "qty": 16
  },
  {
    "_id": ObjectId("6078ad7cc3006933c653edea"),
    "name": "watermelons",
    "qty": 45
  }
]
Actual Results
I would expect quantity to be a number and attack to be nonexistent.
[
  {
    "_id": ObjectId("6078ab09c3006933c653edcd"),
    "name": "apples",
    "qty": "yep",
    "attack": "<scripts>alert(\"boo!\")</scripts>"
  },
  {
    "_id": ObjectId("6078ab09c3006933c653edce"),
    "name": "peaches",
    "qty": "yep",
    "attack": "<scripts>alert(\"boo!\")</scripts>"
  },
  ...
]
Additional Notes
I set up a Gist here using the Mongoose driver.
https://gist.github.com/jwerre/ef447dc1d60a48865c8574dff73d7a69
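
The reproduction above shows that on 4.4 a non-flag value in a projection comes back in the result, which matters when a projection is built from request input. The following is an added example, not part of the original report or the Gist: a check that forwards only 0/1/true/false flags on allowlisted fields. `sanitizeProjection` and the `ALLOWED_FIELDS` allowlist are assumed names.

```javascript
// Hypothetical allowlist for the report's `products` collection.
const ALLOWED_FIELDS = new Set(['_id', 'name', 'qty']);

// Returns { projection, rejected }. Only 0/1/true/false on allowlisted
// top-level fields survive; everything else is listed in `rejected`.
function sanitizeProjection(input, allowed = ALLOWED_FIELDS) {
  const projection = {};
  const rejected = [];
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    return { projection, rejected: ['<projection is not a plain object>'] };
  }
  for (const [field, value] of Object.entries(input)) {
    const isFlag = value === 0 || value === 1 || typeof value === 'boolean';
    if (!allowed.has(field) || !isFlag) {
      // Strings, objects ($-expressions) and unknown fields all end up here.
      rejected.push(field);
      continue;
    }
    projection[field] = value ? 1 : 0;
  }
  // MongoDB does not allow mixing inclusion and exclusion (except for _id),
  // so fail closed instead of forwarding an ambiguous projection.
  const flags = Object.entries(projection)
    .filter(([field]) => field !== '_id')
    .map(([, flag]) => flag);
  if (new Set(flags).size > 1) {
    throw new Error('projection mixes inclusion and exclusion');
  }
  return { projection, rejected };
}

// Constructed input mirroring the projection from the reproduction script.
const fromReport = {
  name: 1,
  qty: 'You have none!!',
  attack: '<scripts>alert("boo!")</scripts>',
};
const result = sanitizeProjection(fromReport);
console.log(JSON.stringify(result));
```

Pass `result.projection` to `find()` and log or reject the request when `result.rejected` is not empty.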