fix(object-id): harden the duck-typing

The insufficient validation may otherwise lead to type confusions.

REF: NODE-2618
Signed-off-by: Jakob Ackermann <[email protected]>

Author: das7pad

lib/objectid.js

@@ -85,7 +85,7 @@ class ObjectId {
     } else if (id != null && id.length === 12) {
       // assume 12 byte string
       this.id = id;
-    } else if (id != null && id.toHexString) {
+    } else if (id != null && typeof id.toHexString === 'function') {
       // Duck-typing to support ObjectId from different npm packages
       return ObjectId.createFromHexString(id.toHexString());
     } else {
@@ -338,7 +338,10 @@ class ObjectId {
     }
 
     // Duck-Typing detection of ObjectId like objects
-    if (id.toHexString) {
+    if (
+      typeof id.toHexString === 'function' &&
+      (id.id instanceof _Buffer || typeof id.id === 'string')
+    ) {
       return id.id.length === 12 || (id.id.length === 24 && checkForHexRegExp.test(id.id));
     }