Fix Automattic/mongoose#2313: don't let user accidentally clobber geoNear params

christkv · christkv · commit f681fa65740d · 2014-11-14T15:20:54.000+01:00
diff --git a/HISTORY.md b/HISTORY.md
@@ -4,6 +4,8 @@
 - Bumped mongodb-core to 1.1.1 to take advantage of the prototype based refactorings.
 - Implemented missing aspects of the CRUD specification.
 - Fixed documentation issues.
+- Fixed global leak REFERENCE_BY_ID in gridfs grid_store (Issue #1225, https://github.com/j)
+- Fix LearnBoost/mongoose#2313: don't let user accidentally clobber geoNear params (Issue #1223, https://github.com/vkarpov15)
 
 2.0.5 2014-10-29
 ----------------
diff --git a/lib/collection.js b/lib/collection.js
@@ -1559,8 +1559,16 @@ Collection.prototype.geoNear = function(x, y, options, callback) {
   // Ensure we have the right read preference inheritance
   options = getReadPreference(this, options, this.s.db, this);
 
-  // Remove read preference from hash if it exists
-  commandObject = decorateCommand(commandObject, options, {readPreference: true});
+  // Exclude readPreference and existing options to prevent user from
+  // shooting themselves in the foot
+  var exclude = {
+    readPreference: true, 
+    geoNear: true,
+    near: true  
+  };
+
+  // Filter out any excluded objects
+  commandObject = decorateCommand(commandObject, options, exclude);
 
   // Execute the command
   this.s.db.command(commandObject, options, function (err, res) {
diff --git a/test/functional/readpreference_tests.js b/test/functional/readpreference_tests.js
@@ -69,6 +69,48 @@ exports['Should correctly apply collection level read Preference to group'] = {
   }
 }
 
+
+/**
+ * Make sure user can't clobber geoNear options
+ *
+ * @_class collection
+ * @_function geoNear
+ * @ignore
+ */
+exports['shouldNotAllowUserToClobberGeoNearWithOptions'] = {
+  metadata: { requires: { topology: ['single', 'ssl'] } },  
+  
+  // The actual test we wish to run
+  test: function(configuration, test) {
+    var db = configuration.newDbInstance({w:1}, {poolSize:1});
+
+    // Establish connection to db
+    db.open(function(err, db) {
+     
+      // Fetch the collection
+      var collection = db.collection("simple_geo_near_command");
+
+      // Add a location based index
+      collection.ensureIndex({loc:"2d"}, function(err, result) {
+
+        // Save a new location tagged document
+        collection.insert([{a:1, loc:[50, 30]}, {a:1, loc:[30, 50]}], {w:1}, function(err, result) {
+          // Try to intentionally clobber the underlying geoNear option
+          var options = {query:{a:1}, num:1, geoNear: 'bacon', near: 'butter' };
+
+          // Use geoNear command to find document
+          collection.geoNear(50, 50, options, function(err, docs) {
+            test.equal(1, docs.results.length);
+
+            db.close();
+            test.done();
+          });
+        });
+      });
+    });
+  }
+};
+
 /**
  * @ignore
  */
