Given the risk of prototype-pollution in JavaScript,

In case I can't freeze/seal the built-in Function()'s prototype, or some of its parents in the prototype-chain (e.g. Object()'s),

can I use arrow-functions, in order to guarantee its execution/calls to be straight-forward, without the chance for Proxy()'ies, side-effects of hooks, or any other kind of manipulation possible due to pollution of regular functions?

From this SO answer (which was marked as a forwarding answer to a duplicated question to mine, that has no answer) I can't understand if it's guaranteed that arrow-functions are not prototyped, by standard or by de-facto implementations.

In Mozilla's MDN page, I found no mention of a prototype of Arrow-Functions.

My goal is to restrict some critical logic, to make its execution safe from any possible modification, differing, injected side-effects, monitoring, wrapping, triggering of events, and more. * (And maybe even debugging, if possible, but it's maybe for another question).

Cocktail
  • 1
    What do you mean by "straight-forward"? Do you have any code that demonstrates an issue? – Unmitigated Feb 01 '23 at 00:16
  • 1
    A `Proxy` doesn't change the behaviour of the original object. Similarly, functions do not depend on any of their properties, unless the function's body itself references them; there are no hooks that execute automatically, unless the function explicitly calls them. The "pollution" danger is in replacing methods that a function depends on, not in modifying the function object itself. For example, if `foo` calls `Math.sin`, no modification to `foo` properties will affect it; but if you replace `Math.sin` with e.g. `Math.sin = function(x) { return 42 }`, that will mess it up. – Amadan Feb 01 '23 at 00:32
  • "*in order to guarantee it's execution/calls to be straight-forward, without the change for `Proxy()`'ies, side-effects of hooks, or any other kind of manipulation possible due to pollution of regular functions?*" - this does not make sense. Regular functions are not subject to prototype pollution any more or less than arrow functions. Just call them, there is no way a polluted prototype can intercept that. – Bergi Feb 01 '23 at 02:28
  • @Amadan it was a typo. I mean "chance for proxies" and not "changes of proxies", sorry, fixed – Cocktail Feb 01 '23 at 17:20
  • @Bergi why not? I can't modify the Function object in some environments or hosts? Or even the inner Object one? – Cocktail Feb 01 '23 at 17:21
  • @Cocktail Basically see Amadan's reasoning. You cannot mutate what a function does. And modifying/overwriting `Function` or `Function.prototype` does not at all affect function calls. It just doesn't matter. What matters is if someone replaces the functions in the variables/properties that you are calling. – Bergi Feb 01 '23 at 17:38

1 Answer

Yes, it does and it's easy to check:

```javascript
const boo = () => {};

function hoo() {}

console.log(Object.getPrototypeOf(boo) === Object.getPrototypeOf(hoo)); // true
```
Bergi
Robo Robok
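
The points made in the comments and the answer, combined into one added example that is not part of the original thread: a direct call cannot be intercepted through a polluted prototype, while inherited methods and global dependencies can be replaced, and capturing references early protects against that. The names `savedSin`, `savedApply`, `unsafeArrow`, `hardenedArrow` and `demonstrate` are hypothetical, and the tampering is simulated inside the function and undone before it returns.

```javascript
// Added example; all identifiers here are hypothetical.
// Capture the intrinsics the critical logic depends on before any
// untrusted code runs, so later replacement cannot reach them.
const savedSin = Math.sin;
const savedApply = Reflect.apply;

const unsafeArrow = (x) => Math.sin(x);   // looks up Math.sin on every call
const hardenedArrow = (x) => savedSin(x); // uses the captured reference

function demonstrate() {
  const result = {};

  // 1. An arrow function inherits from Function.prototype like any other
  //    function; it only lacks an own `prototype` property because it
  //    cannot be used as a constructor.
  result.sameProto = Object.getPrototypeOf(unsafeArrow) === Function.prototype;
  result.hasOwnPrototype =
    Object.getOwnPropertyNames(unsafeArrow).includes('prototype');

  const origCall = Function.prototype.call;
  const origSin = Math.sin;
  try {
    // 2. Simulated tampering (constructed for this example): replace an
    //    inherited method and a global the critical logic depends on.
    Function.prototype.call = function () { return 'hijacked'; };
    Math.sin = function () { return 42; };

    // A direct call invokes the function object itself; no property on
    // the function or its prototype chain is consulted.
    result.directCall = hardenedArrow(0);
    // `.call` is a property lookup on Function.prototype, so it is affected.
    result.viaCall = hardenedArrow.call(null, 0);
    // The captured Reflect.apply bypasses the replaced `.call`.
    result.viaSavedApply = savedApply(hardenedArrow, null, [0]);
    // The arrow that reads Math.sin at call time sees the replacement.
    result.unsafeDirect = unsafeArrow(0);
  } finally {
    // Restore the environment so nothing leaks out of the demonstration.
    Function.prototype.call = origCall;
    Math.sin = origSin;
  }
  return result;
}
```

Being an arrow function makes no difference to any of these results; what matters is which references the body resolves at call time.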