Problem Description
When using the select statement with an object and String values, the result is replaced with the values from the select statement. I tried it out in 4.0 and 4.2, and this is not an issue. This is only an issue in version 4.4.
Steps to Reproduce
(function(){

    const products = [
        'apples',
        'peaches',
        'bananas',
        'oranges',
        'grapes',
        'watermelons',
    ];

    // Seed the collection with one document per product and a random qty between 1 and 50.
    for (let product of products) {
        let item = {
            id: new Date().getTime(),
            name: product,
            qty: Math.round( Math.random() * (50 - 1) + 1 )
        };
        db.products.save(item);
    }

    // Projection with String values: 'qty' and 'attack' come back as these literals.
    let results = db.products.find({}, {name:1, qty:'You have none!!', attack:'<scripts>alert("boo!")</scripts>'});

    printjson(results.toArray());

    // Clean up the test collection.
    db.products.drop();

})();
Expected Results
The expected results would be the actual values from the database, not fake results from the select statement.
[
{
"_id": ObjectId("6078ad7cc3006933c653ede5"),
"name": "apples",
"qty": 44
},
{
"_id": ObjectId("6078ad7cc3006933c653ede6"),
"name": "peaches",
"qty": 47
},
{
"_id": ObjectId("6078ad7cc3006933c653ede7"),
"name": "bananas",
"qty": 14
},
{
"_id": ObjectId("6078ad7cc3006933c653ede8"),
"name": "oranges",
"qty": 14
},
{
"_id": ObjectId("6078ad7cc3006933c653ede9"),
"name": "grapes",
"qty": 16
},
{
"_id": ObjectId("6078ad7cc3006933c653edea"),
"name": "watermelons",
"qty": 45
}
]
Actual Results
I would expect quantity to be a number and attack to be nonexistent.
[
{
"_id": ObjectId("6078ab09c3006933c653edcd"),
"name": "apples",
"qty": "yep",
"attack": "<scripts>alert(\"boo!\")</scripts>"
},
{
"_id": ObjectId("6078ab09c3006933c653edce"),
"name": "peaches",
"qty": "yep",
"attack": "<scripts>alert(\"boo!\")</scripts>"
},
...
]
Additional Notes
I set up a Gist here using the Mongoose driver.
https://gist.github.com/jwerre/ef447dc1d60a48865c8574dff73d7a69
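Added example (not part of the original report or of MongoDB/Mongoose): one way an application can validate a projection before passing it to find(), so that only inclusion/exclusion flags on known fields reach the server. It assumes the projection may come from request input; `ALLOWED_FIELDS` and `sanitizeProjection` are hypothetical names.

```javascript
// Hypothetical allowlist of fields the application is willing to return.
const ALLOWED_FIELDS = new Set(['_id', 'name', 'qty']);

// Returns the safe part of a projection plus the list of rejected keys.
function sanitizeProjection(input, allowed = ALLOWED_FIELDS) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new TypeError('projection must be a plain object');
  }
  const clean = {};
  const rejected = [];
  for (const [field, value] of Object.entries(input)) {
    // Accept only inclusion/exclusion flags. Strings, arrays and operator
    // objects are refused because, as the report shows for 4.4, they are
    // returned as field values instead of selecting stored data.
    const isFlag = value === 0 || value === 1 || value === true || value === false;
    // Unknown keys (including dotted paths) are refused so no new field
    // such as 'attack' can be added to the result documents.
    if (isFlag && allowed.has(field)) {
      clean[field] = value ? 1 : 0;
    } else {
      rejected.push(field);
    }
  }
  return { projection: clean, rejected };
}

// Constructed input: the projection used in the reproduction script above.
const reported = {
  name: 1,
  qty: 'You have none!!',
  attack: '<scripts>alert("boo!")</scripts>',
};

const result = sanitizeProjection(reported);
console.log(result.projection); // safe to pass as the second argument of find()
console.log(result.rejected);   // worth logging: keys that carried non-flag values
```

Output encoding of query results when they are rendered as HTML is still required; the check above only keeps caller-supplied literals out of the result set.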