feat(NODE-6225): add property ownership check before referencing mongocryptdSpawnPath and mongocryptdSpawnArgs (#4151)

vuusale · durran · web-flow · commit f48f8d36cf96 · 2024-07-01T11:59:23.000-04:00
Co-authored-by: Durran Jordan &lt;durran@gmail.com&gt;
diff --git a/src/client-side-encryption/mongocryptd_manager.ts b/src/client-side-encryption/mongocryptd_manager.ts
@@ -12,8 +12,8 @@ export class MongocryptdManager {
 
   uri: string;
   bypassSpawn: boolean;
-  spawnPath: string;
-  spawnArgs: Array<string>;
+  spawnPath = '';
+  spawnArgs: Array<string> = [];
   _child?: ChildProcess;
 
   constructor(extraOptions: AutoEncryptionExtraOptions = {}) {
@@ -24,9 +24,13 @@ export class MongocryptdManager {
 
     this.bypassSpawn = !!extraOptions.mongocryptdBypassSpawn;
 
-    this.spawnPath = extraOptions.mongocryptdSpawnPath || '';
-    this.spawnArgs = [];
-    if (Array.isArray(extraOptions.mongocryptdSpawnArgs)) {
+    if (Object.hasOwn(extraOptions, 'mongocryptdSpawnPath') && extraOptions.mongocryptdSpawnPath) {
+      this.spawnPath = extraOptions.mongocryptdSpawnPath;
+    }
+    if (
+      Object.hasOwn(extraOptions, 'mongocryptdSpawnArgs') &&
+      Array.isArray(extraOptions.mongocryptdSpawnArgs)
+    ) {
       this.spawnArgs = this.spawnArgs.concat(extraOptions.mongocryptdSpawnArgs);
     }
     if (
diff --git a/test/unit/client-side-encryption/mongocryptd_manager.test.ts b/test/unit/client-side-encryption/mongocryptd_manager.test.ts
@@ -22,6 +22,16 @@ describe('MongocryptdManager', function () {
     expect(mcdm.spawnArgs).to.deep.equal(['--idleShutdownTimeoutSecs', '12']);
   });
 
+  it('does not allow prototype pollution on spawn path', function () {
+    const mcdm = new MongocryptdManager({ __proto__: { mongocryptdSpawnPath: 'test' } });
+    expect(mcdm.spawnPath).to.equal('');
+  });
+
+  it('does not allow prototype pollution on spawn args', function () {
+    const mcdm = new MongocryptdManager({ __proto__: { mongocryptdSpawnArgs: ['test'] } });
+    expect(mcdm.spawnArgs).to.deep.equal(['--idleShutdownTimeoutSecs', '60']);
+  });
+
   it('should not override `idleShutdownTimeoutSecs` if the user sets it using `key=value` form', function () {
     const mcdm = new MongocryptdManager({
       mongocryptdSpawnArgs: ['--idleShutdownTimeoutSecs=12']
diff --git a/tsconfig.json b/tsconfig.json
@@ -10,7 +10,8 @@
     "skipLibCheck": true,
     "lib": [
       "es2021",
-      "ES2022.Error"
+      "ES2022.Error",
+      "ES2022.Object"
     ],
     // We don't make use of tslib helpers, all syntax used is supported by target engine
     "importHelpers": false,
