fix: prevent prototype pollutions

Author: jankapunkt

src/Collection.js

@@ -9,12 +9,12 @@ import { hasOwn, isPlainObject } from '../lib/utils.js';
  * @private
  * @type {object}
  */
-const observers = {};
+const observers = Object.create(null);
 /**
  * @private
  * @type {object}
  */
-const observersByComp = {};
+const observersByComp = Object.create(null);
 /**
  * Get the list of callbacks for changes on a collection
  * @param {string} type - Type of change happening.
@@ -45,7 +45,7 @@ export function getObservers(type, collection, newDocument) {
  });
  }
  // Find the observers related to the specific query
- if (observersByComp[collection]) {
+ if (observersByComp[collection] && !(collection in {})) {
  let keys = Object.keys(observersByComp[collection]);
  for (let i = 0; i < keys.length; i++) {
  observersByComp[collection][keys[i]].callbacks.forEach(
@@ -243,14 +243,16 @@ export class Collection {
  // collection is changed it needs to be re-run
  if (Tracker.active && Tracker.currentComputation) {
  let id = Tracker.currentComputation._id;
- observersByComp[this._name] = observersByComp[this._name] || {};
+ observersByComp[this._name] =
+ observersByComp[this._name] || Object.create(null);
  if (!observersByComp[this._name][id]) {
  let item = {
  computation: Tracker.currentComputation,
  callbacks: [],
  };
  observersByComp[this._name][id] = item;
  }
+
  let item = observersByComp[this._name][id];
 
  item.callbacks.push({

test/src/Collection.tests.js

@@ -210,6 +210,20 @@ describe('Collection', function () {
  done();
  });
  });
+ it('triggers a reactive observer', (done) => {
+ const collectionName = Random.id(6);
+ const c = new Mongo.Collection(collectionName);
+
+ Tracker.autorun((comp) => {
+ const doc = c.findOne({ foo: 1 });
+ if (doc) {
+ comp.stop();
+ done();
+ }
+ });
+
+ setTimeout(() => c.insert({ foo: 1 }), 50);
+ });
  it('does not imply prototype pollution', (done) => {
  const collectionName = Random.id(6);
  const c = new Mongo.Collection(collectionName);
@@ -221,15 +235,29 @@ describe('Collection', function () {
  });
 
  Tracker.autorun((comp) => {
- const docs = c.find(insertDoc).fetch();
- expect(props({})).to.deep.equal(objectProps);
- if (docs.length > 0) {
+ if (c.find().count() < 1) {
+ return;
+ }
+
+ c._name = '__proto__';
+ try {
+ c.find(insertDoc);
+ } catch {}
+ try {
+ expect(props({})).to.deep.equal(objectProps);
+ } catch (e) {
  comp.stop();
- done();
+ return done(e);
  }
+
+ comp.stop();
+ done();
  });
 
- setTimeout(() => c.insert(insertDoc), 50);
+ setTimeout(() => {
+ c._name = collectionName;
+ c.insert(insertDoc);
+ }, 50);
  });
  });