Object.prototype builtins should not be used directly JS-0021
Bug risk
Major
2 years ago
—
2 years old
Do not access Object.prototype method 'hasOwnProperty' from target object.
1module.exports = {
2 I18N_HASH: 'generated_hash',
3 SERVER_API_URL: '',
4 __VERSION__: process.env.hasOwnProperty('APP_VERSION') ? process.env.APP_VERSION : 'DEV',5 __DEBUG_INFO_ENABLED__: false,
6};
Description
It is preferable to call certain Object.prototype methods through Object on object instances instead of using the builtins directly.
Objects can have properties that shadow the builtins on Object.prototype, potentially causing unintended behavior or denial-of-service security vulnerabilities.
For example, it would be unsafe for a webserver to parse JSON input from a client and call hasOwnProperty directly on the resulting object, because a malicious client could send a JSON value like {"hasOwnProperty": 1} and cause the server to crash.
It's better to always call these methods from Object.prototype. For example, obj.hasOwnProperty("bar") should be replaced with Object.prototype.hasOwnProperty.call(obj, "bar").
Bad Practice
let hasBarProperty = obj.hasOwnProperty("property");
let isPrototypeOfBar = obj.isPrototypeOf(property);
let barIsEnumerable = obj.propertyIsEnumerable("property");
Recommended
let hasBarProperty = Object.prototype.hasOwnProperty.call(obj, "property");
let isPrototypeOfBar = Object.prototype.isPrototypeOf.call(obj, property);
let barIsEnumerable = {}.propertyIsEnumerable.call(obj, "property");