datastore: prevent manipulating user input during save

Author: stephenplusplus

lib/datastore/request.js

@@ -390,7 +390,9 @@ DatastoreRequest.prototype.save = function(entities, callback) {
 
       if (Array.isArray(entityObject.data)) {
         ent.property = entityObject.data.map(function(data) {
-          data.value = entity.valueToProperty(data.value);
+          data = extend(true, {}, data, {
+            value: entity.valueToProperty(data.value)
+          });
 
           if (is.boolean(data.excludeFromIndexes)) {
             var indexed = !data.excludeFromIndexes;

test/datastore/request.js

@@ -455,6 +455,29 @@ describe('Request', function() {
       ], done);
     });
 
+    it('should not alter the provided data object', function(done) {
+      var data = [
+        {
+          name: 'test-name',
+          value: {
+            a: 'b',
+            c: [1, 2, 3]
+          },
+          indexed: false
+        }
+      ];
+      var expectedData = extend(true, {}, data);
+
+      request.makeReq_ = function(method, req) {
+        // By the time the request is made, the original object has already been
+        // transformed into a raw request.
+        assert.deepEqual(data, expectedData);
+        done();
+      };
+
+      request.save({ key: key, data: data }, assert.ifError);
+    });
+
     it('should return apiResponse in callback', function(done) {
       var key = new entity.Key({ namespace: 'ns', path: ['Company'] });
       var mockCommitResponse = {