Skip to content

noPrototypeBuiltins

Diagnostic Category: lint/suspicious/noPrototypeBuiltins

Since: v1.1.0

Sources:

Disallow direct use of Object.prototype builtins.

ECMAScript 5.1 added Object.create which allows the creation of an object with a custom prototype. This pattern is often used for objects used as Maps. However, this pattern can lead to errors if something else relies on prototype properties/methods. Moreover, the methods could be shadowed, this can lead to random bugs and denial of service vulnerabilities. For example, calling hasOwnProperty directly on parsed JSON like {"hasOwnProperty": 1} could lead to vulnerabilities. To avoid subtle bugs like this, you should call these methods from Object.prototype. For example, foo.isPrototypeOf(bar) should be replaced with Object.prototype.isPrototypeOf.call(foo, "bar") As for the hasOwn method, foo.hasOwn("bar") should be replaced with Object.hasOwn(foo, "bar").

var invalid = foo.hasOwnProperty("bar");
code-block.js:1:19 lint/suspicious/noPrototypeBuiltins  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Do not access Object.prototype method ‘hasOwnProperty’ from target object.

> 1 │ var invalid = foo.hasOwnProperty(“bar”);
^^^^^^^^^^^^^^
2 │

It’s recommended using Object.hasOwn() instead of using Object.hasOwnProperty().

See MDN web docs for more details.

Safe fix: Use ‘Object.hasOwn()’ instead.

1 - var·invalid·=·foo.hasOwnProperty(bar);
1+ var·invalid·=·Object.hasOwn(foo,·bar);
2 2

var invalid = foo.isPrototypeOf(bar);
code-block.js:1:19 lint/suspicious/noPrototypeBuiltins ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Do not access Object.prototype method ‘isPrototypeOf’ from target object.

> 1 │ var invalid = foo.isPrototypeOf(bar);
^^^^^^^^^^^^^
2 │

var invalid = foo.propertyIsEnumerable("bar");
code-block.js:1:19 lint/suspicious/noPrototypeBuiltins ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Do not access Object.prototype method ‘propertyIsEnumerable’ from target object.

> 1 │ var invalid = foo.propertyIsEnumerable(“bar”);
^^^^^^^^^^^^^^^^^^^^
2 │

Object.hasOwnProperty.call(foo, "bar");
code-block.js:1:1 lint/suspicious/noPrototypeBuiltins  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Do not access Object.prototype method ‘hasOwnProperty’ from target object.

> 1 │ Object.hasOwnProperty.call(foo, “bar”);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2 │

It’s recommended using Object.hasOwn() instead of using Object.hasOwnProperty().

See MDN web docs for more details.

Safe fix: Use ‘Object.hasOwn()’ instead.

1 - Object.hasOwnProperty.call(foo,·bar);
1+ Object.hasOwn(foo,·bar);
2 2

var valid = Object.hasOwn(foo, "bar");
var valid = Object.prototype.isPrototypeOf.call(foo, bar);
var valid = {}.propertyIsEnumerable.call(foo, "bar");