1

In our Angular project, ESLint shouts:

"Detects variable[key] as a left- or right-hand assignment operand."

It is the detect-object-injection rule, and it says that:

//Bad:
variable[key] = value;

And as proof it provides the following link with a description.

I'm not going to start arguing that this rule sucks.

But I'm interested in how to fix it. The link above has the solution:

The most direct fix here is going to be to avoid the use of user input in property name fields. This isn't reasonable in all circumstances, however, and there should be a way to safely use core language features.

Another option is to create a whitelist of allowed property names, and filter each user input through a helper function to check before allowing it to be used. This is a great option in situations where you know specifically what property names to allow.

In cases where you don't have a strictly defined data model ( which isn't ideal, but there are cases where it has to be so ) then using the same method as above, but with a blacklist of disallowed properties instead is a valid choice.

So the first option, "do not use it", is not acceptable, as my key is dynamic and bracket notation is the only way to access the property.

The second solution also does not suit me, as I don't have and cannot create a whitelist of allowed property names.

So the last option I have is to use a blacklist of disallowed properties. But the question is: where do I get this blacklist and how do I apply it? The page doesn't have an example, and I'm interested in how to properly implement it in Angular.

Thanks in advance!

UPDATE: As my question is not totally clear, I'll explain one more time.

The code I have is:

someObject[someDynamicKey] = 'someValue';

The problem is that ESLint treats this line as bad, because it sets an object property via square bracket notation. ESLint says that it's dangerous. So I ask: what should we do if there is no possibility to access the object property with dot notation? Examples? Thanks!

Explanation of why square bracket notation is dangerous according to ESLint.

Experimenter
  • How about leveraging `keyof` typescript – brk Mar 09 '22 at 12:47
  • @brk do you propose to make `keyof` of object prototype and then use it as a blacklist? – Experimenter Mar 09 '22 at 12:58
  • You are not showing enough of the code for us to be able to make meaningful suggestions. – Ruan Mendes Mar 09 '22 at 14:57
  • @JuanMendes the whole code is `someObject[someKey] = 'value';` - ESLint complains that setting the object key's value by accessing it with bracket notation is bad and we should not do that. So I ask how we should do it. – Experimenter Mar 09 '22 at 15:29
  • @Experimenter No, the whole code would contain enough code making sure there are no undefined variables, such as `someObject` and `someKey`. I realize this line by itself is enough to trigger the eslint error but it's not enough for us to know why you need dynamic properties. Please see https://stackoverflow.com/help/minimal-reproducible-example – Ruan Mendes Mar 09 '22 at 15:55

2 Answers

1

It looks like you are using an object as a key/value store, which is usually associated with a Map.

Use a map instead since it won't be touching object properties and the keys will not collide with an object's native properties.

const variable = new Map();
...

variable.set(key, value);
Ruan Mendes
  • Hello, thanks. No, the problem is not that. I have updated the question. The problem is that ESLint complains that accessing an object property by "Square Bracket Notation" is a bad idea at all and we should stick to dot notation. But what if there is no way to access the object property by dot notation? What should we do in that case, examples? I know this sounds strange, but that is what ESLint complains about. https://github.com/nodesecurity/eslint-plugin-security/blob/master/docs/the-dangers-of-square-bracket-notation.md – Experimenter Mar 09 '22 at 15:41
  • @Experimenter I don't understand what you mean. I'm suggesting you use a `Map` instead of a plain JS object. It does not sound strange to me. You seem to not fully understand why the rule exists. As I've explained, if you are using an object with brackets access, it's likely that you should be using a Map instead. – Ruan Mendes Mar 09 '22 at 15:50
  • @Experimenter Did you even try my suggestion? Your response would be more useful if you explained why you can't use the solution and updated your question to include such information for others. – Ruan Mendes Mar 09 '22 at 15:56
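The following is an added example, not code from the question or from this answer, showing both routes discussed on this page: the Map-backed store the answer recommends, and the "blacklist of disallowed properties" option the question asks how to implement. The denied names (`__proto__`, `constructor`, `prototype`) are the property names that reach the prototype chain rather than the object's own data, which is the risk the linked document describes; the store and helper names and the sample keys are constructed for this example.

```javascript
// 1. Map-backed store (the answer's suggestion). Map keys live in their own
//    table, so a key such as "toString" or "constructor" never collides with
//    an inherited property and needs no special handling.
class MapStore {
  constructor() { this.map = new Map(); }
  set(key, value) { this.map.set(key, value); return this; }
  get(key) { return this.map.get(key); }
  has(key) { return this.map.has(key); }
}

// 2. Denylist option for code that must stay on a plain object. These are
//    the names under which a dynamic key would write to the prototype chain
//    or to Object internals instead of to the object's own data.
const DENIED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isSafeKey(key) {
  return typeof key === 'string' && !DENIED_KEYS.has(key);
}

// Writes an own, enumerable data property. Object.defineProperty is used
// instead of target[key] = value so that the assignment never goes through an
// inherited setter, and so the lint rule has no bracket assignment to flag.
function setProperty(target, key, value) {
  if (!isSafeKey(key)) {
    throw new TypeError(`refusing to set disallowed property name: ${key}`);
  }
  Object.defineProperty(target, key, {
    value, writable: true, enumerable: true, configurable: true,
  });
  return target;
}

// Reads only own properties: an unset key returns undefined instead of an
// inherited function such as Object.prototype.toString.
function getOwnProperty(target, key) {
  const desc = Object.getOwnPropertyDescriptor(target, key);
  return desc === undefined ? undefined : desc.value;
}

// Demonstration with constructed keys: the same dynamic keys go through both.
function demo() {
  const store = new MapStore();
  store.set('toString', 'user data'); // harmless in a Map

  const obj = {};
  setProperty(obj, 'user-key', 'someValue');

  let refused = false;
  try {
    setProperty(obj, '__proto__', { polluted: true });
  } catch (e) {
    refused = e instanceof TypeError;
  }

  return {
    mapHasToString: store.has('toString'),
    own: getOwnProperty(obj, 'user-key'),
    inheritedHidden: getOwnProperty(obj, 'toString'),
    refused,
  };
}

console.log(demo());
```

If the object is purely a key/value bag, the Map route is the simpler one: there is no list of names to maintain. The denylist helper is only for the case the question describes, where the code has to keep writing to a plain object with a caller-supplied key.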
0

Sometimes you need to answer your own question: https://stackoverflow.com/a/73641926/4079915

In general this rule is not supposed to be used in CI or any other automation checks as it works incorrectly at this time: https://github.com/nodesecurity/eslint-plugin-security/issues/21

Experimenter