fix: disallow nested $where in populate match

Author: vkarpov15

lib/helpers/populate/getModelsMapForPopulate.js

@@ -182,15 +182,7 @@ module.exports = function getModelsMapForPopulate(model, docs, options) {
     if (hasMatchFunction) {
       match = match.call(doc, doc);
     }
-    if (Array.isArray(match)) {
-      for (const item of match) {
-        if (item != null && item.$where) {
-          throw new MongooseError('Cannot use $where filter with populate() match');
-        }
-      }
-    } else if (match != null && match.$where != null) {
-      throw new MongooseError('Cannot use $where filter with populate() match');
-    }
+    throwOn$where(match);
     data.match = match;
     data.hasMatchFunction = hasMatchFunction;
     data.isRefPath = isRefPath;
@@ -469,15 +461,7 @@ function _virtualPopulate(model, docs, options, _virtualRes) {
     data.match = match;
     data.hasMatchFunction = hasMatchFunction;
 
-    if (Array.isArray(match)) {
-      for (const item of match) {
-        if (item != null && item.$where) {
-          throw new MongooseError('Cannot use $where filter with populate() match');
-        }
-      }
-    } else if (match != null && match.$where != null) {
-      throw new MongooseError('Cannot use $where filter with populate() match');
-    }
+    throwOn$where(match);
 
     // Get local fields
     const ret = _getLocalFieldValues(doc, localField, model, options, virtual);
@@ -749,3 +733,24 @@ function _findRefPathForDiscriminators(doc, modelSchema, data, options, normaliz
 
   return modelNames;
 }
+
+/**
+ * Throw an error if there are any $where keys
+ */
+
+function throwOn$where(match) {
+  if (match == null) {
+    return;
+  }
+  if (typeof match !== 'object') {
+    return;
+  }
+  for (const key of Object.keys(match)) {
+    if (key === '$where') {
+      throw new MongooseError('Cannot use $where filter with populate() match');
+    }
+    if (match[key] != null && typeof match[key] === 'object') {
+      throwOn$where(match[key]);
+    }
+  }
+}

test/model.populate.test.js

@@ -4195,21 +4195,34 @@ describe('model: populate:', function() {
         const parent = await Parent.create({ name: 'Anakin', child: child._id });
 
         await assert.rejects(
-          () => Parent.findOne().populate({ path: 'child', match: { $where: 'console.log("oops!");' } }),
+          () => Parent.findOne().populate({ path: 'child', match: () => ({ $where: 'typeof console !== "undefined" ? doesNotExist("foo") : true;' }) }),
           /Cannot use \$where filter with populate\(\) match/
         );
         await assert.rejects(
-          () => Parent.find().populate({ path: 'child', match: { $where: 'console.log("oops!");' } }),
+          () => Parent.find().populate({ path: 'child', match: () => ({ $where: 'typeof console !== "undefined" ? doesNotExist("foo") : true;' }) }),
           /Cannot use \$where filter with populate\(\) match/
         );
         await assert.rejects(
-          () => parent.populate({ path: 'child', match: { $where: 'console.log("oops!");' } }),
+          () => parent.populate({ path: 'child', match: () => ({ $where: 'typeof console !== "undefined" ? doesNotExist("foo") : true;' }) }),
           /Cannot use \$where filter with populate\(\) match/
         );
         await assert.rejects(
-          () => Child.find().populate({ path: 'parent', match: { $where: 'console.log("oops!");' } }),
+          () => Child.find().populate({ path: 'parent', match: () => ({ $where: 'typeof console !== "undefined" ? doesNotExist("foo") : true;' }) }),
           /Cannot use \$where filter with populate\(\) match/
         );
+        await assert.rejects(
+          () => Child.find().populate({ path: 'parent', match: () => ({ $or: [{ $where: 'typeof console !== "undefined" ? doesNotExist("foo") : true;' }] }) }),
+          /Cannot use \$where filter with populate\(\) match/
+        );
+        await assert.rejects(
+          () => Child.find().populate({ path: 'parent', match: () => ({ $and: [{ $where: 'typeof console !== "undefined" ? doesNotExist("foo") : true;' }] }) }),
+          /Cannot use \$where filter with populate\(\) match/
+        );
+
+        class MyClass {}
+        MyClass.prototype.$where = 'typeof console !== "undefined" ? doesNotExist("foo") : true;';
+        // OK because sift only looks through own properties
+        await Child.find().populate({ path: 'parent', match: () => new MyClass() });
       });
 
       it('multiple source docs', function(done) {