DeepSource
Dashboard Resources Pricing Discover Directory Log in

Run your first analysis.

Find thousands of code security and quality issues in your codebase, before they end up in production.

Start now
JavaScript

JavaScript

Made by DeepSource
Use Analyzer

Object.prototype builtins should not be used directly JS-0021

Bug risk
Major
 Autofix

It is preferable to call certain Object.prototype methods through Object on object instances instead of using the builtins directly.

Objects can have properties that shadow the builtins on Object.prototype, potentially causing unintended behavior or denial-of-service security vulnerabilities.

For example, it would be unsafe for a webserver to parse JSON input from a client and call hasOwnProperty directly on the resulting object, because a malicious client could send a JSON value like {"hasOwnProperty": 1} and cause the server to crash.

It's better to always call these methods from Object.prototype. For example, obj.hasOwnProperty("bar") should be replaced with Object.prototype.hasOwnProperty.call(obj, "bar").

Bad Practice

let hasBarProperty = obj.hasOwnProperty("property");

let isPrototypeOfBar = obj.isPrototypeOf(property);

let barIsEnumerable = obj.propertyIsEnumerable("property");

Recommended

let hasBarProperty = Object.prototype.hasOwnProperty.call(obj, "property");

let isPrototypeOfBar = Object.prototype.isPrototypeOf.call(obj, property);

let barIsEnumerable = {}.propertyIsEnumerable.call(obj, "property");