# no-prototype-builtins

Disallow direct use of Object.prototype builtins directly.

ES 5.1 added Object.create which allows creation of object with a custom prototype. This pattern is frequently used for objects used as Maps. However this pattern can lead to errors if something else relies on prototype properties/methods.

Moreover, the methods could be shadowed, this can lead to random bugs and denial of service vulnerabilities. For example, calling hasOwnProperty directly on parsed json could lead to vulnerabilities. Instead, you should use get the method directly from the object using Object.prototype.prop.call(item, args).

# Invalid Code Examples

var bar = foo.hasOwnProperty("bar");

var bar = foo.isPrototypeOf(bar);

var bar = foo.propertyIsEnumerable("bar");

# Correct Code Examples

var bar = Object.prototype.hasOwnProperty.call(foo, "bar");

var bar = Object.prototype.isPrototypeOf.call(foo, bar);

var bar = Object.propertyIsEnumerable.call(foo, "bar");
More incorrect examples
foo.hasOwnProperty("bar");
foo.isPrototypeOf("bar");
foo.propertyIsEnumberable("bar");
foo.bar.baz.hasOwnProperty("bar");
More correct examples
Object.prototype.hasOwnProperty.call(foo, 'bar');
Object.prototype.isPrototypeOf.call(foo, 'bar');
Object.prototype.propertyIsEnumberable.call(foo, 'bar');
Object.prototype.hasOwnProperty.apply(foo, ['bar']);
Object.prototype.isPrototypeOf.apply(foo, ['bar']);
Object.prototype.propertyIsEnumberable.apply(foo, ['bar']);
hasOwnProperty(foo, 'bar');
isPrototypeOf(foo, 'bar');
propertyIsEnumberable(foo, 'bar');
({}.hasOwnProperty.call(foo, 'bar'));
({}.isPrototypeOf.call(foo, 'bar'));
({}.propertyIsEnumberable.call(foo, 'bar'));
({}.hasOwnProperty.apply(foo, ['bar']));
({}.isPrototypeOf.apply(foo, ['bar']));
({}.propertyIsEnumberable.apply(foo, ['bar']));

Source (opens new window)

Last Updated: 11/18/2020, 9:36:33 PM