Merge pull request #14985 from Automattic/vkarpov15/gh-14657

fix(query): make sanitizeFilter disable implicit $in
Automattic · Oct 28, 2024 · 663f21e · 663f21e
2 parents 429f855 + 6076d1f
commit 663f21e
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 1 deletion.
diff --git a/lib/cast.js b/lib/cast.js
@@ -28,6 +28,7 @@ const ALLOWED_GEOWITHIN_GEOJSON_TYPES = ['Polygon', 'MultiPolygon'];
  * @param {Object} [options] the query options
  * @param {Boolean|"throw"} [options.strict] Wheter to enable all strict options
  * @param {Boolean|"throw"} [options.strictQuery] Enable strict Queries
+ * @param {Boolean} [options.sanitizeFilter] avoid adding implict query selectors ($in)
  * @param {Boolean} [options.upsert]
  * @param {Query} [context] passed to setters
  * @api private
@@ -372,7 +373,7 @@ module.exports = function cast(schema, obj, options, context) {
 
           }
         }
-      } else if (Array.isArray(val) && ['Buffer', 'Array'].indexOf(schematype.instance) === -1) {
+      } else if (Array.isArray(val) && ['Buffer', 'Array'].indexOf(schematype.instance) === -1 && !options.sanitizeFilter) {
         const casted = [];
         const valuesArray = val;
 

diff --git a/lib/query.js b/lib/query.js
@@ -4900,6 +4900,9 @@ Query.prototype.cast = function(model, obj) {
       opts.strictQuery = this.options.strictQuery;
     }
   }
+  if ('sanitizeFilter' in this._mongooseOptions) {
+    opts.sanitizeFilter = this._mongooseOptions.sanitizeFilter;
+  }
 
   try {
     return cast(model.schema, obj, opts, this);

diff --git a/test/query.test.js b/test/query.test.js
@@ -3520,6 +3520,21 @@ describe('Query', function() {
     assert.ifError(q.error());
     assert.deepEqual(q._conditions, { username: 'val', pwd: { $gt: null } });
   });
+
+  it('sanitizeFilter disables implicit $in (gh-14657)', function() {
+    const schema = new mongoose.Schema({
+      name: {
+        type: String
+      }
+    });
+    const Test = db.model('Test', schema);
+
+    const q = Test.find({ name: ['foobar'] }).setOptions({ sanitizeFilter: true });
+    q._castConditions();
+    assert.ok(q.error());
+    assert.equal(q.error().name, 'CastError');
+  });
+
   it('should not error when $not is used with $size (gh-10716)', async function() {
     const barSchema = Schema({
       bar: String