Problem Description
When using the select statement with an object and String values the result is replaced with the values from the select statement. I tried it out in 4.0 and 4.2 and this is not an issue. This is only an issue in version 4.4.
Steps to Reproduce
(function(){ const products = [ 'apples', 'peaches', 'bananas', 'oranges', 'grapes', 'watermelons', ]; for (let product of products) { let item = { id: new Date().getTime(), name: product, qty: Math.round( Math.random() * (50 - 1) + 1 ) } db.products.save(item); } let results = db.products.find({}, {name:1, qty:'You have none!!', attack:'<scripts>alert("boo!")</scripts>'}); printjson(results.toArray()); db.products.drop(); })();
Expected Results
The expected results would be the actual values from the database not fake results from the select statement.
[ { "_id": ObjectId("6078ad7cc3006933c653ede5"), "name": "apples", "qty": 44 }, { "_id": ObjectId("6078ad7cc3006933c653ede6"), "name": "peaches", "qty": 47 }, { "_id": ObjectId("6078ad7cc3006933c653ede7"), "name": "bananas", "qty": 14 }, { "_id": ObjectId("6078ad7cc3006933c653ede8"), "name": "oranges", "qty": 14 }, { "_id": ObjectId("6078ad7cc3006933c653ede9"), "name": "grapes", "qty": 16 }, { "_id": ObjectId("6078ad7cc3006933c653edea"), "name": "watermelons", "qty": 45 } ]
Actual Results
I would expect quantity to be a number and attack to be nonexistent
[ { "_id": ObjectId("6078ab09c3006933c653edcd"), "name": "apples", "qty": "yep", "attack": "<scripts>alert(\"boo!\")</scripts>" }, { "_id": ObjectId("6078ab09c3006933c653edce"), "name": "peaches", "qty": "yep", "attack": "<scripts>alert(\"boo!\")</scripts>" }, ... ]
Additional Notes
I set up a Gist here using the Mongoose driver.
https://gist.github.com/jwerre/ef447dc1d60a48865c8574dff73d7a69