noPrototypeBuiltins
Diagnostic Category: lint/suspicious/noPrototypeBuiltins
Since: v1.1.0
Sources:
- Same as:
no-prototype-builtins
- Same as:
prefer-object-has-own
Disallow direct use of Object.prototype
builtins.
ECMAScript 5.1 added Object.create
which allows the creation of an object with a custom prototype.
This pattern is often used for objects used as Maps. However, this pattern can lead to errors
if something else relies on prototype properties/methods.
Moreover, the methods could be shadowed, this can lead to random bugs and denial of service
vulnerabilities. For example, calling hasOwnProperty
directly on parsed JSON like {"hasOwnProperty": 1}
could lead to vulnerabilities.
To avoid subtle bugs like this, you should call these methods from Object.prototype
.
For example, foo.isPrototypeOf(bar)
should be replaced with Object.prototype.isPrototypeOf.call(foo, "bar")
As for the hasOwn
method, foo.hasOwn("bar")
should be replaced with Object.hasOwn(foo, "bar")
.
Examples
Section titled ExamplesInvalid
Section titled Invalidcode-block.js:1:19 lint/suspicious/noPrototypeBuiltins FIXABLE ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✖ Do not access Object.prototype method ‘hasOwnProperty’ from target object.
> 1 │ var invalid = foo.hasOwnProperty(“bar”);
│ ^^^^^^^^^^^^^^
2 │
ℹ It’s recommended using Object.hasOwn() instead of using Object.hasOwnProperty().
ℹ See MDN web docs for more details.
ℹ Safe fix: Use ‘Object.hasOwn()’ instead.
1 │ - var·invalid·=·foo.hasOwnProperty(“bar”);
1 │ + var·invalid·=·Object.hasOwn(foo,·“bar”);
2 2 │
code-block.js:1:19 lint/suspicious/noPrototypeBuiltins ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✖ Do not access Object.prototype method ‘isPrototypeOf’ from target object.
> 1 │ var invalid = foo.isPrototypeOf(bar);
│ ^^^^^^^^^^^^^
2 │
code-block.js:1:19 lint/suspicious/noPrototypeBuiltins ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✖ Do not access Object.prototype method ‘propertyIsEnumerable’ from target object.
> 1 │ var invalid = foo.propertyIsEnumerable(“bar”);
│ ^^^^^^^^^^^^^^^^^^^^
2 │
code-block.js:1:1 lint/suspicious/noPrototypeBuiltins FIXABLE ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✖ Do not access Object.prototype method ‘hasOwnProperty’ from target object.
> 1 │ Object.hasOwnProperty.call(foo, “bar”);
│ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2 │
ℹ It’s recommended using Object.hasOwn() instead of using Object.hasOwnProperty().
ℹ See MDN web docs for more details.
ℹ Safe fix: Use ‘Object.hasOwn()’ instead.
1 │ - Object.hasOwnProperty.call(foo,·“bar”);
1 │ + Object.hasOwn(foo,·“bar”);
2 2 │