[security] Generic Object Injection Sink

[DerekNonGeneric]

Codacy detected an issue:

Message: Generic Object Injection Sink

Currently on:

• Commit: b978219
• File: src/index.ts
• LineNum: 135

[DerekNonGeneric]

Refs: https://github.com/nodesecurity/eslint-plugin-security#detect-object-injection

[DerekNonGeneric]

As a potential solution, the initProperty function can be used to get us partially there. The initProperty function and friends, however, should be useful as a solution for the specific problem of “Object Injection Sink” as it appears throughout the rest of the codebase as well.

As noted by ljharb, the implementation of omit can actually be implemented using:

• the Object fromEntries method
• the Object entries method
• the Array filter method
• the Array includes method

ljharb: for omit tho, there's a lot better ways to implement it like function omit(obj, keys) { return Object.fromEntries(Object.entries(obj).filter(([k]) => !keys.includes(k))); }

Performance can be a deciding factor on what the implementation should look like here as it is related to #27.

---

Notably, the for...in loop enumerates properties in the prototype chain as well.¹ This can be used to dynamically create the list of disallowed property keys by using an Object literal (available via syntax {}) as input (as opposed to a POJO, which normally has a null prototype available via new Object(null)).

Footnotes

1. https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/entries ↩

[DerekNonGeneric]

Reopening as would like to see this tested…

Also, [potentially] returning the originally-passed object as mutated.