npm - mongoose - Versions diffs - 8.9.4 → 8.9.5 - Mend

mongoose 8.9.4 → 8.9.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/browser.umd.js +1 -1
package/lib/helpers/populate/getModelsMapForPopulate.js +23 -18
package/lib/schema/bigint.js +1 -1
package/lib/schema/boolean.js +1 -1
package/lib/schema/int32.js +7 -2
package/package.json +1 -1
package/valnotes.md +85 -0

package/lib/helpers/populate/getModelsMapForPopulate.js CHANGED Viewed

@@ -191,15 +191,7 @@ module.exports = function getModelsMapForPopulate(model, docs, options) {
     if (hasMatchFunction) {
       match = match.call(doc, doc);
     }
-    if (Array.isArray(match)) {
-      for (const item of match) {
-        if (item != null && item.$where) {
-          throw new MongooseError('Cannot use $where filter with populate() match');
-        }
-      }
-    } else if (match != null && match.$where != null) {
-      throw new MongooseError('Cannot use $where filter with populate() match');
-    }
+    throwOn$where(match);
     data.match = match;
     data.hasMatchFunction = hasMatchFunction;
     data.isRefPath = isRefPath;
@@ -463,15 +455,7 @@ function _virtualPopulate(model, docs, options, _virtualRes) {
     data.match = match;
     data.hasMatchFunction = hasMatchFunction;
-    if (Array.isArray(match)) {
-      for (const item of match) {
-        if (item != null && item.$where) {
-          throw new MongooseError('Cannot use $where filter with populate() match');
-        }
-      }
-    } else if (match != null && match.$where != null) {
-      throw new MongooseError('Cannot use $where filter with populate() match');
-    }
+    throwOn$where(match);
     // Get local fields
     const ret = _getLocalFieldValues(doc, localField, model, options, virtual);
@@ -759,3 +743,24 @@ function _findRefPathForDiscriminators(doc, modelSchema, data, options, normaliz
   return modelNames;
 }
+/**
+ * Throw an error if there are any $where keys
+ */
+function throwOn$where(match) {
+  if (match == null) {
+    return;
+  }
+  if (typeof match !== 'object') {
+    return;
+  }
+  for (const key of Object.keys(match)) {
+    if (key === '$where') {
+      throw new MongooseError('Cannot use $where filter with populate() match');
+    }
+    if (match[key] != null && typeof match[key] === 'object') {
+      throwOn$where(match[key]);
+    }
+  }
+}

package/lib/schema/bigint.js CHANGED Viewed

@@ -209,7 +209,7 @@ SchemaBigInt.prototype.castForQuery = function($conditional, val, context) {
       return handler.call(this, val);
     }
-    return this.applySetters(null, val, context);
+    return this.applySetters(val, context);
   }
   try {

package/lib/schema/boolean.js CHANGED Viewed

@@ -253,7 +253,7 @@ SchemaBoolean.prototype.castForQuery = function($conditional, val, context) {
       return handler.call(this, val);
     }
-    return this.applySetters(null, val, context);
+    return this.applySetters(val, context);
   }
   try {

package/lib/schema/int32.js CHANGED Viewed

@@ -7,6 +7,7 @@
 const CastError = require('../error/cast');
 const SchemaType = require('../schemaType');
 const castInt32 = require('../cast/int32');
+const handleBitwiseOperator = require('./operators/bitwise');
 /**
  * Int32 SchemaType constructor.
@@ -200,7 +201,11 @@ SchemaInt32.$conditionalHandlers = {
   $gt: handleSingle,
   $gte: handleSingle,
   $lt: handleSingle,
-  $lte: handleSingle
+  $lte: handleSingle,
+  $bitsAllClear: handleBitwiseOperator,
+  $bitsAnyClear: handleBitwiseOperator,
+  $bitsAllSet: handleBitwiseOperator,
+  $bitsAnySet: handleBitwiseOperator
 };
 /*!
@@ -228,7 +233,7 @@ SchemaInt32.prototype.castForQuery = function($conditional, val, context) {
       return handler.call(this, val);
     }
-    return this.applySetters(null, val, context);
+    return this.applySetters(val, context);
   }
   try {

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "mongoose",
   "description": "Mongoose MongoDB ODM",
-  "version": "8.9.4",
+  "version": "8.9.5",
   "author": "Guillermo Rauch <guillermo@learnboost.com>",
   "keywords": [
     "mongodb",

package/valnotes.md ADDED Viewed

@@ -0,0 +1,85 @@
+## sift where
+```
+      it('match prevents using $where', async function() {
+        const ParentSchema = new Schema({
+          name: String,
+          child: {
+            type: mongoose.Schema.Types.ObjectId,
+            ref: 'Child'
+          },
+          children: [{
+            type: mongoose.Schema.Types.ObjectId,
+            ref: 'Child'
+          }]
+        });
+        const ChildSchema = new Schema({
+          name: String
+        });
+        ChildSchema.virtual('parent', {
+          ref: 'Parent',
+          localField: '_id',
+          foreignField: 'parent'
+        });
+        const Parent = db.model('Parent', ParentSchema);
+        const Child = db.model('Child', ChildSchema);
+        const child = await Child.create({ name: 'Luke' });
+        const parent = await Parent.create({ name: 'Anakin', child: child._id });
+        await assert.rejects(
+          () => Parent.findOne().populate({ path: 'child', match: () => ({ $where: 'typeof console !== "undefined" ? doesNotExist("foo") : true;' }) }),
+          /Cannot use \$where filter with populate\(\) match/
+        );
+        await assert.rejects(
+          () => Parent.find().populate({ path: 'child', match: () => ({ $where: 'typeof console !== "undefined" ? doesNotExist("foo") : true;' }) }),
+          /Cannot use \$where filter with populate\(\) match/
+        );
+        await assert.rejects(
+          () => parent.populate({ path: 'child', match: () => ({ $where: 'typeof console !== "undefined" ? doesNotExist("foo") : true;' }) }),
+          /Cannot use \$where filter with populate\(\) match/
+        );
+        await assert.rejects(
+          () => Child.find().populate({ path: 'parent', match: () => ({ $where: 'typeof console !== "undefined" ? doesNotExist("foo") : true;' }) }),
+          /Cannot use \$where filter with populate\(\) match/
+        );
+        await assert.rejects(
+          () => Child.find().populate({ path: 'parent', match: () => ({ $or: [{ $where: 'typeof console !== "undefined" ? doesNotExist("foo") : true;' }] }) }),
+          /Cannot use \$where filter with populate\(\) match/
+        );
+        await assert.rejects(
+          () => Child.find().populate({ path: 'parent', match: () => ({ $and: [{ $where: 'typeof console !== "undefined" ? doesNotExist("foo") : true;' }] }) }),
+          /Cannot use \$where filter with populate\(\) match/
+        );
+        class MyClass {}
+        MyClass.prototype.$where = 'typeof console !== "undefined" ? doesNotExist("foo") : true;';
+        // OK because sift only looks through own properties
+        await Child.find().populate({ path: 'parent', match: () => new MyClass() });
+      });
+```
+```
+/**
+ * Throw an error if there are any $where keys
+ */
+function throwOn$where(match) {
+  if (match == null) {
+    return;
+  }
+  if (typeof match !== 'object') {
+    return;
+  }
+  for (const key of Object.keys(match)) {
+    if (key === '$where') {
+      throw new MongooseError('Cannot use $where filter with populate() match');
+    }
+    if (match[key] != null && typeof match[key] === 'object') {
+      throwOn$where(match[key]);
+    }
+  }
+}
+```