tools: add eslint rule for __proto__: null in object

.eslintrc.js

@@ -111,6 +111,12 @@ module.exports = {
         },
       ] },
     },
+    {
+      files: ['lib/**/*.js', 'lib/**/*.cjs', 'lib/**/*.mjs'],
+      rules: {
+        'node-core/set-proto-to-null-in-object': 'error',
+      },
+    },
   ],
   rules: {
     // ESLint built-in rules

lib/_http_agent.js

@@ -551,5 +551,5 @@ function asyncResetHandle(socket) {
 
 module.exports = {
   Agent,
-  globalAgent: new Agent({ keepAlive: true, scheduling: 'lifo', timeout: 5000 }),
+  globalAgent: new Agent({ __proto__: null, keepAlive: true, scheduling: 'lifo', timeout: 5000 }),
 };

lib/_http_client.js

@@ -146,7 +146,7 @@ function ClientRequest(input, options, cb) {
     cb = options;
     options = input || kEmptyObject;
   } else {
-    options = ObjectAssign(input || {}, options);
+    options = ObjectAssign(input || { __proto__: null }, options);
   }
 
   let agent = options.agent;
@@ -328,7 +328,7 @@ function ClientRequest(input, options, cb) {
 
   let optsWithoutSignal = options;
   if (optsWithoutSignal.signal) {
-    optsWithoutSignal = ObjectAssign({}, options);
+    optsWithoutSignal = ObjectAssign({ __proto__: null }, options);
     delete optsWithoutSignal.signal;
   }
 
@@ -370,19 +370,23 @@ ClientRequest.prototype._finish = function _finish() {
   FunctionPrototypeCall(OutgoingMessage.prototype._finish, this);
   if (hasObserver('http')) {
     startPerf(this, kClientRequestStatistics, {
+      __proto__: null,
       type: 'http',
       name: 'HttpClient',
       detail: {
+        __proto__: null,
         req: {
+          __proto__: null,
           method: this.method,
           url: `${this.protocol}//${this.host}${this.path}`,
-          headers: typeof this.getHeaders === 'function' ? this.getHeaders() : {},
+          headers: typeof this.getHeaders === 'function' ? this.getHeaders() : { __proto__: null },
         },
       },
     });
   }
   if (onClientRequestStartChannel.hasSubscribers) {
     onClientRequestStartChannel.publish({
+      __proto__: null,
       request: this,
     });
   }
@@ -637,6 +641,7 @@ function parserOnIncomingClient(res, shouldKeepAlive) {
     }
     // Send information events to all 1xx responses except 101 Upgrade.
     req.emit('information', {
+      __proto__: null,
       statusCode: res.statusCode,
       statusMessage: res.statusMessage,
       httpVersion: res.httpVersion,
@@ -658,8 +663,11 @@ function parserOnIncomingClient(res, shouldKeepAlive) {
 
   if (req[kClientRequestStatistics] && hasObserver('http')) {
     stopPerf(req, kClientRequestStatistics, {
+      __proto__: null,
       detail: {
+        __proto__: null,
         res: {
+          __proto__: null,
           statusCode: res.statusCode,
           statusMessage: res.statusMessage,
           headers: res.headers,
@@ -669,12 +677,14 @@ function parserOnIncomingClient(res, shouldKeepAlive) {
   }
   if (onClientResponseFinishChannel.hasSubscribers) {
     onClientResponseFinishChannel.publish({
+      __proto__: null,
       request: req,
       response: res,
     });
   }
   if (isTraceHTTPEnabled() && typeof req._traceEventId === 'number') {
     traceEnd(HTTP_CLIENT_TRACE_EVENT_NAME, req._traceEventId, {
+      __proto__: null,
       path: req.path,
       statusCode: res.statusCode,
     });

lib/_http_incoming.js

@@ -55,6 +55,7 @@ function IncomingMessage(socket) {
 
   if (socket) {
     streamOptions = {
+      __proto__: null,
       highWaterMark: socket.readableHighWaterMark,
     };
   }
@@ -111,7 +112,7 @@ ObjectDefineProperty(IncomingMessage.prototype, 'headers', {
   __proto__: null,
   get: function() {
     if (!this[kHeaders]) {
-      this[kHeaders] = {};
+      this[kHeaders] = { __proto__: null };
 
       const src = this.rawHeaders;
       const dst = this[kHeaders];
@@ -131,7 +132,7 @@ ObjectDefineProperty(IncomingMessage.prototype, 'headersDistinct', {
   __proto__: null,
   get: function() {
     if (!this[kHeadersDistinct]) {
-      this[kHeadersDistinct] = {};
+      this[kHeadersDistinct] = { __proto__: null };
 
       const src = this.rawHeaders;
       const dst = this[kHeadersDistinct];
@@ -151,7 +152,7 @@ ObjectDefineProperty(IncomingMessage.prototype, 'trailers', {
   __proto__: null,
   get: function() {
     if (!this[kTrailers]) {
-      this[kTrailers] = {};
+      this[kTrailers] = { __proto__: null };
 
       const src = this.rawTrailers;
       const dst = this[kTrailers];
@@ -171,7 +172,7 @@ ObjectDefineProperty(IncomingMessage.prototype, 'trailersDistinct', {
   __proto__: null,
   get: function() {
     if (!this[kTrailersDistinct]) {
-      this[kTrailersDistinct] = {};
+      this[kTrailersDistinct] = { __proto__: null };
 
       const src = this.rawTrailers;
       const dst = this[kTrailersDistinct];

lib/_http_outgoing.js

@@ -284,7 +284,7 @@ OutgoingMessage.prototype._renderHeaders = function _renderHeaders() {
   }
 
   const headersMap = this[kOutHeaders];
-  const headers = {};
+  const headers = { __proto__: null };
 
   if (headersMap !== null) {
     const keys = ObjectKeys(headersMap);
@@ -368,6 +368,7 @@ OutgoingMessage.prototype._send = function _send(data, encoding, callback, byteL
     } else {
       const header = this._header;
       this.outputData.unshift({
+        __proto__: null,
         data: header,
         encoding: 'latin1',
         callback: null,
@@ -403,7 +404,7 @@ function _writeRaw(data, encoding, callback, size) {
     return conn.write(data, encoding, callback);
   }
   // Buffer, as long as we're not destroyed.
-  this.outputData.push({ data, encoding, callback });
+  this.outputData.push({ __proto__: null, data, encoding, callback });
   this.outputSize += data.length;
   this._onPendingData(data.length);
   return this.outputSize < this[kHighWaterMark];
@@ -415,6 +416,7 @@ function _storeHeader(firstLine, headers) {
   // firstLine in the case of request is: 'GET /index.html HTTP/1.1\r\n'
   // in the case of response it is: 'HTTP/1.1 200 OK\r\n'
   const state = {
+    __proto__: null,
     connection: false,
     contLen: false,
     te: false,

lib/_http_server.js

@@ -111,6 +111,7 @@ const {
 } = require('internal/perf/observe');
 
 const STATUS_CODES = {
+  __proto__: null,
   100: 'Continue',                   // RFC 7231 6.2.1
   101: 'Switching Protocols',        // RFC 7231 6.2.2
   102: 'Processing',                 // RFC 2518 10.1 (obsoleted by RFC 4918)
@@ -210,10 +211,13 @@ function ServerResponse(req, options) {
 
   if (hasObserver('http')) {
     startPerf(this, kServerResponseStatistics, {
+      __proto__: null,
       type: 'http',
       name: 'HttpRequest',
       detail: {
+        __proto__: null,
         req: {
+          __proto__: null,
           method: req.method,
           url: req.url,
           headers: req.headers,
@@ -232,18 +236,22 @@ ObjectSetPrototypeOf(ServerResponse, OutgoingMessage);
 ServerResponse.prototype._finish = function _finish() {
   if (this[kServerResponseStatistics] && hasObserver('http')) {
     stopPerf(this, kServerResponseStatistics, {
+      __proto__: null,
       detail: {
+        __proto__: null,
         res: {
+          __proto__: null,
           statusCode: this.statusCode,
           statusMessage: this.statusMessage,
-          headers: typeof this.getHeaders === 'function' ? this.getHeaders() : {},
+          headers: typeof this.getHeaders === 'function' ? this.getHeaders() : { __proto__: null },
         },
       },
     });
   }
   OutgoingMessage.prototype._finish.call(this);
   if (isTraceHTTPEnabled() && typeof this._traceEventId === 'number') {
     const data = {
+      __proto__: null,
       url: this.req?.url,
       statusCode: this.statusCode,
     };
@@ -530,7 +538,7 @@ function Server(options, requestListener) {
   storeHTTPOptions.call(this, options);
   net.Server.call(
     this,
-    { allowHalfOpen: true, noDelay: options.noDelay ?? true,
+    { __proto__: null, allowHalfOpen: true, noDelay: options.noDelay ?? true,
       keepAlive: options.keepAlive,
       keepAliveInitialDelay: options.keepAliveInitialDelay,
       highWaterMark: options.highWaterMark });
@@ -674,6 +682,7 @@ function connectionListenerInternal(server, socket) {
   }
 
   const state = {
+    __proto__: null,
     onData: null,
     onEnd: null,
     onClose: null,
@@ -961,6 +970,7 @@ function clearIncoming(req) {
 function resOnFinish(req, res, socket, state, server) {
   if (onResponseFinishChannel.hasSubscribers) {
     onResponseFinishChannel.publish({
+      __proto__: null,
       request: req,
       response: res,
       socket,
@@ -1044,6 +1054,7 @@ function parserOnIncoming(server, socket, state, req, keepAlive) {
 
   const res = new server[kServerResponse](req,
                                           {
+                                            __proto__: null,
                                             highWaterMark: socket.writableHighWaterMark,
                                             rejectNonStandardBodyWrites: server.rejectNonStandardBodyWrites,
                                           });
@@ -1057,6 +1068,7 @@ function parserOnIncoming(server, socket, state, req, keepAlive) {
 
   if (onRequestStartChannel.hasSubscribers) {
     onRequestStartChannel.publish({
+      __proto__: null,
       request: req,
       response: res,
       socket,

lib/_tls_wrap.js

@@ -257,6 +257,7 @@ function callALPNCallback(protocolsBuffer) {
   }
 
   const selectedProtocol = socket[kALPNCallback]({
+    __proto__: null,
     servername,
     protocols,
   });
@@ -436,7 +437,7 @@ function onPskClientCallback(hint, maxPskLen, maxIdentityLen) {
     );
   }
 
-  return { psk: ret.psk, identity: ret.identity };
+  return { __proto__: null, psk: ret.psk, identity: ret.identity };
 }
 
 function onkeylog(line) {
@@ -510,7 +511,7 @@ function initRead(tlsSocket, socket) {
  */
 
 function TLSSocket(socket, opts) {
-  const tlsOptions = { ...opts };
+  const tlsOptions = { __proto__: null, ...opts };
   let enableTrace = tlsOptions.enableTrace;
 
   if (enableTrace == null) {
@@ -563,6 +564,7 @@ function TLSSocket(socket, opts) {
   this.encrypted = true;
 
   ReflectApply(net.Socket, this, [{
+    __proto__: null,
     handle: this._wrapHandle(wrap),
     allowHalfOpen: socket ? socket.allowHalfOpen : tlsOptions.allowHalfOpen,
     pauseOnCreate: tlsOptions.pauseOnConnect,
@@ -843,7 +845,7 @@ TLSSocket.prototype._init = function(socket, wrap) {
         'by writing secret key material to file ' + tlsKeylog);
     }
     this.on('keylog', (line) => {
-      appendFile(tlsKeylog, line, { mode: 0o600 }, (err) => {
+      appendFile(tlsKeylog, line, { __proto__: null, mode: 0o600 }, (err) => {
         if (err && warnOnTlsKeylogError) {
           warnOnTlsKeylogError = false;
           process.emitWarning('Failed to write TLS keylog (this warning ' +
@@ -1078,7 +1080,7 @@ TLSSocket.prototype.setSession = function(session) {
 TLSSocket.prototype.getPeerCertificate = function(detailed) {
   if (this._handle) {
     return common.translatePeerCertificate(
-      this._handle.getPeerCertificate(detailed)) || {};
+      this._handle.getPeerCertificate(detailed)) || { __proto__: null };
   }
 
   return null;
@@ -1088,7 +1090,7 @@ TLSSocket.prototype.getCertificate = function() {
   if (this._handle) {
     // It's not a peer cert, but the formatting is identical.
     return common.translatePeerCertificate(
-      this._handle.getCertificate()) || {};
+      this._handle.getCertificate()) || { __proto__: null };
   }
 
   return null;
@@ -1179,6 +1181,7 @@ function onSocketClose(err) {
 function tlsConnectionListener(rawSocket) {
   debug('net.Server.on(connection): new TLSSocket');
   const socket = new TLSSocket(rawSocket, {
+    __proto__: null,
     secureContext: this._sharedCreds,
     isServer: true,
     server: this,
@@ -1437,6 +1440,7 @@ Server.prototype.setSecureContext = function(options) {
   this.privateKeyEngine = options.privateKeyEngine;
 
   this._sharedCreds = tls.createSecureContext({
+    __proto__: null,
     pfx: this.pfx,
     key: this.key,
     passphrase: this.passphrase,
@@ -1464,6 +1468,7 @@ Server.prototype.setSecureContext = function(options) {
 
 Server.prototype._getServerData = function() {
   return {
+    __proto__: null,
     ticketKeys: this.getTicketKeys().toString('hex'),
   };
 };
@@ -1698,6 +1703,7 @@ exports.connect = function connect(...args) {
   const allowUnauthorized = getAllowUnauthorized();
 
   options = {
+    __proto__: null,
     rejectUnauthorized: !allowUnauthorized,
     ciphers: tls.DEFAULT_CIPHERS,
     checkServerIdentity: tls.checkServerIdentity,
@@ -1718,6 +1724,7 @@ exports.connect = function connect(...args) {
   const context = options.secureContext || tls.createSecureContext(options);
 
   const tlssock = new TLSSocket(options.socket, {
+    __proto__: null,
     allowHalfOpen: options.allowHalfOpen,
     pipe: !!options.path,
     secureContext: context,