Facepalm:
var thing = new Thing(req.body);
Slightly saner:
var okFields = {};
okFields.safe = req.body.safe;
var thing = new Thing(okFields);
// Also helpful for longer whitelists, from underscore: _.pick(req.body, "safe");
// Also feel free to add some, y'know, data validation either here or in mongoose
Just don't do that. Rails has taught you a terrible antipattern. But to answer your question, AFAIK neither mongoose nor mongodb has any mechanism to enforce anything analogous to Rails's attr_accessible or any concept of tainted variables.
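The allow-list approach from the answer above, carried through with validation, as an added example that is not part of the original answer. It is plain Node with no Mongoose or Underscore dependency; the field names (`name`, `description`) and the extra fields in the constructed sample body are assumptions for illustration, not a schema from the thread.

```javascript
// Added example: allow-list ("whitelist") filtering of an untrusted request body
// before it reaches a model constructor, plus per-field validation.
// Anything not on the list (e.g. a privileged flag a client should never set)
// is dropped rather than passed through to the database.

// Fields a client is permitted to set on a Thing (assumed for illustration).
const THING_WRITABLE_FIELDS = Object.freeze(['name', 'description']);

// Per-field validators: each returns true when the value is acceptable.
const THING_VALIDATORS = {
  name: (v) => typeof v === 'string' && v.length > 0 && v.length <= 100,
  description: (v) => typeof v === 'string' && v.length <= 1000,
};

// Copy only the allowed keys from an untrusted object. hasOwnProperty.call
// ensures inherited keys are never picked up, only the object's own fields.
function pick(source, allowed) {
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(source, key)) {
      out[key] = source[key];
    }
  }
  return out;
}

// Filter then validate. Returns { ok, data, errors }; `data` is safe to hand
// to `new Thing(...)` only when `ok` is true.
function sanitizeThingInput(body) {
  if (body === null || typeof body !== 'object') {
    return { ok: false, data: {}, errors: ['body must be an object'] };
  }
  const data = pick(body, THING_WRITABLE_FIELDS);
  const errors = [];
  for (const [key, validate] of Object.entries(THING_VALIDATORS)) {
    if (key in data && !validate(data[key])) {
      errors.push(`invalid ${key}`);
    }
  }
  return { ok: errors.length === 0, data, errors };
}

// Constructed sample body: carries fields a client must not be able to set.
const sampleBody = {
  name: 'widget',
  description: 'a thing',
  isAdmin: true,
  owner: 'someone-else',
};

// Running this file directly shows only name/description surviving the filter.
console.log(sanitizeThingInput(sampleBody));
```

The model constructor then receives `result.data` instead of `req.body`, so adding a new field to the schema later does not silently make it client-writable; it has to be added to `THING_WRITABLE_FIELDS` deliberately.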