feat(query): make sanitizeProjection prevent projecting in paths deselected in the schema #14691

Merged
merged 3 commits into from
Jul 3, 2024


vkarpov15
Collaborator

Summary

sanitizeProjection option currently exists to prevent cases like select({ name: '$password' }), which would cause the name property to contain the value of the password property in newer versions of MongoDB.

While that is helpful, sanitizeProjection can do a bit more to prevent inclusion of sensitive data when the projection is potentially untrusted. With this PR, if sanitizeProjection is enabled, there is no way to project in a field that's deselected with select: false in the schema definition. If password has { type: String, select: false } and sanitizeProjection is set, then select('+password'), select('password'), etc. will be ignored.

@hasezoey what do you think about this PR, is this a reasonable feature and do you think it's reasonable to ship in 8.5?

Examples

@vkarpov15 vkarpov15 added this to the 8.5 milestone Jun 25, 2024
Collaborator

@hasezoey hasezoey left a comment

> @hasezoey what do you think about this PR, is this a reasonable feature and do you think it's reasonable to ship in 8.5?

I think it is reasonable to ship it with 8.5.0.

I personally have not used this yet, but wouldn't this (according to the test cases) completely disable find().select("+field -field"), or is this just for fields which have a schema select: false?

As a side note, I had tried to search for the option sanitizeProjection in the documentation, and the only mention of this is in Query.prototype.setOptions as "The following options are only for find(), findOne(), findById(), findOneAndUpdate(), findOneAndReplace(), findOneAndDelete(), and findByIdAndUpdate():", with no documentation about what this option does.

@vkarpov15
Collaborator Author

@hasezoey re: select('+field'), just for + and just for fields that have select: false in the schema. Other fields are fine. I also added a Query.prototype.sanitizeProjection method in 0904a18 and added docs with examples to address the docs issue.

@vkarpov15 vkarpov15 merged commit f48df23 into 8.5 Jul 3, 2024
51 checks passed
@hasezoey hasezoey deleted the vkarpov15/gh-14333 branch July 3, 2024 16:17
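
The behaviour discussed in this thread, as a stand-alone model added for illustration; it is not Mongoose's implementation and not code from this PR. The `userSchema` object, `parseProjection` and `sanitizeUntrustedProjection` are hypothetical names, and the model assumes flat (non-nested) paths.

```javascript
// Constructed schema description (path -> options), mirroring the PR's example
// in which `password` is declared with `select: false`.
const userSchema = {
  name: { type: String },
  email: { type: String },
  password: { type: String, select: false },
};

const isDeselected = (schema, path) =>
  Object.hasOwn(schema, path) && schema[path].select === false;

// Turn 'name +password -email' into object form; the '+' prefix is kept on the
// key so the override request is still visible to the sanitizer.
function parseProjection(projection) {
  if (typeof projection !== 'string') return { ...projection };
  const out = {};
  for (const token of projection.split(/\s+/).filter(Boolean)) {
    if (token.startsWith('-')) out[token.slice(1)] = 0;
    else out[token] = 1;
  }
  return out;
}

// Model of the two guarantees discussed in the PR:
//  1. a string value such as '$password' is a field reference, so it is
//     reduced to a plain inclusion of the key it was attached to;
//  2. a path declared `select: false` is never projected in, with or without '+'.
function sanitizeUntrustedProjection(schema, untrusted) {
  const safe = {};
  for (const [rawKey, rawValue] of Object.entries(parseProjection(untrusted))) {
    const path = rawKey.startsWith('+') ? rawKey.slice(1) : rawKey;
    const value = typeof rawValue === 'string' ? 1 : rawValue;
    if (isDeselected(schema, path) && value) continue; // inclusion dropped
    safe[path] = value;
  }
  // With no inclusions left, the schema-level exclusions must be applied
  // explicitly, otherwise an empty projection would return every field.
  const inclusive = Object.entries(safe)
    .some(([key, value]) => key !== '_id' && (value === 1 || value === true));
  if (!inclusive) {
    for (const path of Object.keys(schema)) {
      if (isDeselected(schema, path)) safe[path] = 0;
    }
  }
  return safe;
}
```

Exclusions such as `-email` pass through unchanged; only attempts to include a deselected path are dropped.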