noPrototypeBuiltins
Summary
Section titled “Summary”- Rule available since:
v1.1.0 - Diagnostic Category:
lint/suspicious/noPrototypeBuiltins - This rule is recommended, which means is enabled by default.
- This rule has a safe fix.
- The default severity of this rule is warning.
- Sources:
- Same as
no-prototype-builtins - Same as
prefer-object-has-own
- Same as
How to configure
Section titled “How to configure”{ "linter": { "rules": { "suspicious": { "noPrototypeBuiltins": "error" } } }}Description
Section titled “Description”Disallow direct use of Object.prototype builtins.
ECMAScript 5.1 added Object.create which allows the creation of an object with a custom prototype.
This pattern is often used for objects used as Maps. However, this pattern can lead to errors
if something else relies on prototype properties/methods.
Moreover, the methods could be shadowed, this can lead to random bugs and denial of service
vulnerabilities. For example, calling hasOwnProperty directly on parsed JSON like {"hasOwnProperty": 1} could lead to vulnerabilities.
To avoid subtle bugs like this, you should call these methods from Object.prototype.
For example, foo.isPrototypeOf(bar) should be replaced with Object.prototype.isPrototypeOf.call(foo, "bar")
As for the hasOwn method, foo.hasOwn("bar") should be replaced with Object.hasOwn(foo, "bar").
Examples
Section titled “Examples”Invalid
Section titled “Invalid”var invalid = foo.hasOwnProperty("bar");code-block.js:1:19 lint/suspicious/noPrototypeBuiltins FIXABLE ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠ Do not access Object.prototype method ‘hasOwnProperty’ from target object.
> 1 │ var invalid = foo.hasOwnProperty(“bar”);
│ ^^^^^^^^^^^^^^
2 │
ℹ It’s recommended using Object.hasOwn() instead of using Object.hasOwnProperty().
ℹ See MDN web docs for more details.
ℹ Safe fix: Use ‘Object.hasOwn()’ instead.
1 │ - var·invalid·=·foo.hasOwnProperty(“bar”);
1 │ + var·invalid·=·Object.hasOwn(foo,·“bar”);
2 2 │
var invalid = foo.isPrototypeOf(bar);code-block.js:1:19 lint/suspicious/noPrototypeBuiltins ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠ Do not access Object.prototype method ‘isPrototypeOf’ from target object.
> 1 │ var invalid = foo.isPrototypeOf(bar);
│ ^^^^^^^^^^^^^
2 │
var invalid = foo.propertyIsEnumerable("bar");code-block.js:1:19 lint/suspicious/noPrototypeBuiltins ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠ Do not access Object.prototype method ‘propertyIsEnumerable’ from target object.
> 1 │ var invalid = foo.propertyIsEnumerable(“bar”);
│ ^^^^^^^^^^^^^^^^^^^^
2 │
Object.hasOwnProperty.call(foo, "bar");code-block.js:1:1 lint/suspicious/noPrototypeBuiltins FIXABLE ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠ Do not access Object.prototype method ‘hasOwnProperty’ from target object.
> 1 │ Object.hasOwnProperty.call(foo, “bar”);
│ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2 │
ℹ It’s recommended using Object.hasOwn() instead of using Object.hasOwnProperty().
ℹ See MDN web docs for more details.
ℹ Safe fix: Use ‘Object.hasOwn()’ instead.
1 │ - Object.hasOwnProperty.call(foo,·“bar”);
1 │ + Object.hasOwn(foo,·“bar”);
2 2 │
var valid = Object.hasOwn(foo, "bar");var valid = Object.prototype.isPrototypeOf.call(foo, bar);var valid = {}.propertyIsEnumerable.call(foo, "bar");Related links
Section titled “Related links”Copyright (c) 2023-present Biome Developers and Contributors.