Fixed insufficient input validation

objectid.d.ts

@@ -7,8 +7,11 @@ export default ObjectID;
 declare class ObjectID {
     static createFromTime(time: number): ObjectID;
     static createFromHexString(hexString: string): ObjectID;
+    static createFromObject(obj: object): ObjectID;
     static isValid(hexString: string):boolean;
     static isValid(ObjectID: ObjectID):boolean;
+    static hasRequiredProps(input: object): boolean;
+    static sanitizeObject(input: object): object;
     static generate(): string;
     static generate(time: number): string;
     static toString():string;

objectid.js

@@ -28,8 +28,11 @@ var isBuffer = function (obj) {
  */
 function ObjectID(arg) {
   if(!(this instanceof ObjectID)) return new ObjectID(arg);
-  if(arg && ((arg instanceof ObjectID) || arg._bsontype==="ObjectID"))
-    return arg;
+  // attempt at addressing comments 6-7 https://github.com/williamkapke/bson-objectid/issues/30
+  if(arg && ObjectID.hasRequiredProps(arg)) {
+    ObjectID.sanitizeObject(arg);
+    return ObjectID.createFromObject(arg);
+  }
 
   var buf;
 
@@ -84,6 +87,20 @@ ObjectID.createFromHexString = function(hexString) {
   return new ObjectID(hexString);
 };
 
+/**
+ * Creates an ObjectID from an object.
+ *
+ * @param obj
+ * @return {ObjectID} return the created ObjectID
+ * @api public
+ */
+ObjectID.createFromObject = function(obj) {
+  if (!ObjectID.isValid(obj.id))
+    throw new Error("Invalid object");
+
+  return new ObjectID(obj.id);
+};
+
 /**
  * Checks if a value is a valid bson ObjectId
  *
@@ -95,13 +112,38 @@ ObjectID.createFromHexString = function(hexString) {
  * http://mongodb.github.io/node-mongodb-native/api-bson-generated/objectid.html#objectid-isvalid
  */
 ObjectID.isValid = function(objectid) {
-  if(!objectid || (typeof objectid !== 'string' && (typeof objectid !== 'object' || typeof objectid.toString !== 'function'))) return false;
+  if(!objectid || (typeof objectid !== 'string' && (typeof objectid !== 'object' || typeof objectid.toString !== 'function')))
+    return false;
 
   //call .toString() to get the hex if we're
   // working with an instance of ObjectID
   return /^[0-9A-F]{24}$/i.test(objectid.toString());
 };
 
+/**
+ * Checks if an object argument has the properties we need to create an ObjectID
+ *
+ * @param arg
+ * @returns {boolean|boolean}
+ */
+ObjectID.hasRequiredProps = function(arg) {
+  return ((arg instanceof ObjectID) || (arg._bsontype==='ObjectID' && arg.id !== undefined));
+};
+
+/**
+ * Removes unwanted properties from an object.
+ *
+ * @param obj
+ */
+ObjectID.sanitizeObject = function(obj) {
+  let res = Object.getOwnPropertyNames(obj);
+  for (let i=0; i < res.length; i++) {
+    if (res[i] !== '_bsontype' && res[i] !== 'id' && res[i] !== 'str') {
+      delete obj[res[i]];
+    }
+  }
+};
+
 /**
  * set a custom machineID
  * 

test/test.js

@@ -180,5 +180,18 @@ describe("ObjectIDs", function() {
     obj.toString.should.not.be.ok;
     ObjectID.isValid(obj).should.not.be.ok;
   });
-});
 
+  it('should not allow insertion of an arbitrary property', function() {
+    var json = {
+      "mal_formkey": {
+        "payload": "xxxx"
+      },
+      "_bsontype": "ObjectID",
+      "id": "5eecccdc951ca34d04e3ff65",
+    };
+
+    var obj = ObjectID(json);
+    obj.should.be.instanceof(ObjectID);
+    obj.toString().should.eql("5eecccdc951ca34d04e3ff65");
+  });
+});