noPrototypeBuiltins
Summary
- Rule available since: v1.1.0
- Diagnostic Category: lint/suspicious/noPrototypeBuiltins
- This rule is recommended, which means it is enabled by default.
- This rule has a safe fix.
- The default severity of this rule is warning.
- Sources:
  - Same as no-prototype-builtins
  - Same as prefer-object-has-own

How to configure
{ "linter": { "rules": { "suspicious": { "noPrototypeBuiltins": "error" } } }}

Description
Disallow direct use of Object.prototype builtins.

ECMAScript 5.1 added Object.create, which allows the creation of an object with a custom prototype. This pattern is often used for objects used as maps. However, this pattern can lead to errors if something else relies on prototype properties/methods. Moreover, the methods could be shadowed, which can lead to random bugs and denial of service vulnerabilities. For example, calling hasOwnProperty directly on parsed JSON like {"hasOwnProperty": 1} could lead to vulnerabilities. To avoid subtle bugs like this, you should call these methods from Object.prototype. For example, foo.isPrototypeOf(bar) should be replaced with Object.prototype.isPrototypeOf.call(foo, bar). As for the hasOwn method, foo.hasOwn("bar") should be replaced with Object.hasOwn(foo, "bar").
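The failure mode described above, shown end to end as an added example (this is not code from the Biome docs): a parsed JSON object that shadows hasOwnProperty and a null-prototype map both make the receiver-dispatched call throw, while the forms the rule accepts answer correctly. The SHADOWED and NULL_PROTO inputs are constructed for the demonstration.

```javascript
// Constructed inputs: untrusted JSON that shadows the builtin, and a
// prototype-less object used as a map (Object.create(null)).
const SHADOWED = JSON.parse('{"hasOwnProperty": 1, "name": "x"}');
const NULL_PROTO = Object.assign(Object.create(null), { name: "x" });

// Unsafe: the lookup goes through the receiver, so an own property named
// hasOwnProperty (or a missing prototype) turns the check into a TypeError.
function unsafeHas(obj, key) {
  return obj.hasOwnProperty(key);
}

// Safe: the method comes from Object.prototype (or Object.hasOwn), so the
// receiver's own properties and prototype chain cannot interfere.
function safeHas(obj, key) {
  return Object.hasOwn(obj, key);
}
function safeHasLegacy(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key);
}
// Same idea for isPrototypeOf: call it from Object.prototype.
function safeIsProto(proto, obj) {
  return Object.prototype.isPrototypeOf.call(proto, obj);
}

// Runs a check and records whether it answered or threw.
function probe(fn, obj, key) {
  try {
    return { ok: true, value: fn(obj, key) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

function demo() {
  return {
    shadowedUnsafe: probe(unsafeHas, SHADOWED, "name"),      // throws TypeError
    shadowedSafe: probe(safeHas, SHADOWED, "name"),          // true
    nullProtoUnsafe: probe(unsafeHas, NULL_PROTO, "name"),   // throws TypeError
    nullProtoSafe: probe(safeHasLegacy, NULL_PROTO, "name"), // true
    // Inherited properties are not own properties, so the safe form says false.
    inherited: probe(safeHas, { name: "x" }, "toString"),    // false
    // A null-prototype map does not descend from Object.prototype at all.
    nullProtoIsObject: safeIsProto(Object.prototype, NULL_PROTO), // false
  };
}

console.log(demo());
```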
Examples

Invalid
var invalid = foo.hasOwnProperty("bar");

code-block.js:1:19 lint/suspicious/noPrototypeBuiltins FIXABLE ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠ Do not access Object.prototype method 'hasOwnProperty' from target object.
> 1 │ var invalid = foo.hasOwnProperty("bar");
    │                   ^^^^^^^^^^^^^^
  2 │
ℹ It's recommended using Object.hasOwn() instead of using Object.hasOwnProperty().
ℹ See MDN web docs for more details.
ℹ Safe fix: Use 'Object.hasOwn()' instead.
  1   │ - var·invalid·=·foo.hasOwnProperty("bar");
    1 │ + var·invalid·=·Object.hasOwn(foo,·"bar");
  2 2 │

var invalid = foo.isPrototypeOf(bar);

code-block.js:1:19 lint/suspicious/noPrototypeBuiltins ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠ Do not access Object.prototype method 'isPrototypeOf' from target object.
> 1 │ var invalid = foo.isPrototypeOf(bar);
    │                   ^^^^^^^^^^^^^
  2 │

var invalid = foo.propertyIsEnumerable("bar");

code-block.js:1:19 lint/suspicious/noPrototypeBuiltins ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠ Do not access Object.prototype method 'propertyIsEnumerable' from target object.
> 1 │ var invalid = foo.propertyIsEnumerable("bar");
    │                   ^^^^^^^^^^^^^^^^^^^^
  2 │

Object.hasOwnProperty.call(foo, "bar");

code-block.js:1:1 lint/suspicious/noPrototypeBuiltins FIXABLE ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
⚠ Do not access Object.prototype method 'hasOwnProperty' from target object.
> 1 │ Object.hasOwnProperty.call(foo, "bar");
    │ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  2 │
ℹ It's recommended using Object.hasOwn() instead of using Object.hasOwnProperty().
ℹ See MDN web docs for more details.
ℹ Safe fix: Use 'Object.hasOwn()' instead.
  1   │ - Object.hasOwnProperty.call(foo,·"bar");
    1 │ + Object.hasOwn(foo,·"bar");
  2 2 │
Valid

var valid = Object.hasOwn(foo, "bar");
var valid = Object.prototype.isPrototypeOf.call(foo, bar);
var valid = {}.propertyIsEnumerable.call(foo, "bar");

Related links
Biome v2.1 Chinese documentation site