In JavaScript, it's possible to "override" properties or methods of Object.prototype. For example:

Object.prototype.toString = function(){
  return "some string";
};

It can break an entire application if not used carefully. Are there any tools, techniques or approaches to avoid this (for example, some kind of 'strict mode' that doesn't allow the developer to override properties of Object)?

thiagowfx
Eduardo Melo

1 Answer

Object.freeze(YourConstructor.prototype) can help protect your constructor's associated prototype object from being mucked with. From MDN:

The Object.freeze() method freezes an object: that is, prevents new properties from being added to it; prevents existing properties from being removed; and prevents existing properties, or their enumerability, configurability, or writability, from being changed. It also prevents the prototype from being changed.

It works on the object itself, rather than making a copy that's frozen. It returns the same reference you pass it.

It's best to leave built-in prototypes alone, so using it on Object.prototype and such may not be a great idea. :-) Certainly you'd need to do a lot of testing if you did... See this thread on the es-discuss mailing list for relevant, useful info.

T.J. Crowder
  • hmm, but a simple thing I want to add (or maybe ask), what is the point of doing this if some attack de-refers the `Object` itself? – Koushik Chatterjee Jul 22 '17 at 17:43
  • 2
    @KoushikChatterjee These techniques can only help to prevent third parties from *accidentally* breaking your application. They never can *secure* it against an attacker. If you have anyone run unrestricted code on your page, you've already lost. – Bergi Jul 22 '17 at 18:09
  • +1 because you can lock your doors but you can't put bear traps in your own house, that's not how security works. – Cookie Jul 22 '17 at 20:40
  • @Bergi yeah that's the conceptual stuff about `XSS`, but the point of my comment was, is there any way further to prevent that (though we know, preventing XSS is not at all a good idea because it's already too late) – Koushik Chatterjee Jul 23 '17 at 10:51
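An added example, not part of the answer or the comments above, showing what freezing a constructor's prototype actually does and does not do. The `Point` constructor, its nested `defaults` object and the helper names are constructed for this illustration. It demonstrates three things the answer states or implies: writes to a frozen prototype throw a `TypeError` in strict mode (sloppy-mode code would see them silently ignored), `Object.freeze` is shallow so objects hanging off the prototype stay mutable, and a start-up integrity check can spot an *accidentally* replaced built-in (a native method's source text contains `[native code]`); as the comment thread says, such a check only catches other scripts on the page being careless, not an attacker who already runs code there.

```javascript
// Constructed example constructor; its prototype is frozen after setup.
function Point(x, y) {
  this.x = x;
  this.y = y;
}
Point.prototype.toString = function () {
  return "(" + this.x + ", " + this.y + ")";
};
// Hypothetical nested object, used below to show that freeze is shallow.
Point.prototype.defaults = { precision: 2 };
Object.freeze(Point.prototype);

// Attempt to overwrite or add a property on `target` and report the outcome.
// The function body is strict, so writing to a frozen object throws a TypeError
// instead of being silently ignored as it would be in sloppy-mode code.
function tryWrite(target, name, value) {
  "use strict";
  try {
    target[name] = value;
    return { threw: false, stuck: target[name] === value };
  } catch (e) {
    return { threw: e instanceof TypeError, stuck: target[name] === value };
  }
}

// Freeze is shallow: the nested object reached through the frozen prototype
// can still be modified.
function nestedStillMutable() {
  Point.prototype.defaults.precision = 5;
  return Point.prototype.defaults.precision === 5;
}

// Heuristic integrity check: the engine prints native functions as
// "function name() { [native code] }"; a JS replacement prints its source.
// This only detects accidental monkey-patching by other scripts on the page.
function looksNative(fn) {
  return typeof fn === "function" &&
    /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// Returns the names of common Object.prototype methods that no longer look native.
function checkBuiltins() {
  const tampered = [];
  for (const name of ["toString", "hasOwnProperty", "valueOf"]) {
    if (!looksNative(Object.prototype[name])) {
      tampered.push("Object.prototype." + name);
    }
  }
  return tampered;
}

function demo() {
  const p = new Point(1, 2);
  return {
    frozen: Object.isFrozen(Point.prototype),
    overwrite: tryWrite(Point.prototype, "toString", function () { return "hijacked"; }),
    add: tryWrite(Point.prototype, "extra", 1),
    nestedMutable: nestedStillMutable(),
    stillWorks: String(p),
    tampered: checkBuiltins(),
  };
}
```

Run `demo()` once at start-up: `frozen` is true, both `overwrite` and `add` report `threw: true, stuck: false`, `nestedMutable` is true, `stillWorks` is `"(1, 2)"`, and `tampered` is an empty array as long as nothing on the page has replaced those built-ins.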