detect-object-injection.md

File metadata and controls

38 lines (24 loc) · 1.07 KB

Detects "variable[key]" as a left- or right-hand assignment operand (security/detect-object-injection)

⚠️ This rule warns in the ✅ recommended config.

JavaScript allows you to use expressions to access object properties in addition to using dot notation. So instead of writing this:

object.name = 'foo';

You can write this:

object['name'] = 'foo';

Square bracket notation allows any expression to be used in place of an identifier, so you can also do this:

const key = 'name';
object[key] = 'foo';

By doing so, you've obscured the property name from the reader, and if the value of key can be influenced by untrusted input, a malicious actor can change which property is accessed and thereby change the behavior of the code.

This rule flags any expression in the form of object[expression] no matter where it occurs. Examples of patterns that will be flagged are:

object[key] = value;

value = object[key];

doSomething(object[key]);
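As an added example that is not part of this rule's documentation, the following shows why the flagged pattern matters when the key comes from untrusted input: a deep-set helper written with object[expression] beside a version that refuses to walk into the prototype chain. The helper names (setPath, setPathSafe, demo) and the sample paths are constructed for illustration.

```javascript
// Vulnerable: every segment of an untrusted path becomes a computed property name,
// so a path such as ["__proto__", "isAdmin"] walks into Object.prototype.
function setPath(target, path, value) {
  let node = target;
  for (const segment of path.slice(0, -1)) {
    if (typeof node[segment] !== 'object' || node[segment] === null) { // flagged by the rule
      node[segment] = {};                                               // flagged by the rule
    }
    node = node[segment];                                               // flagged by the rule
  }
  node[path[path.length - 1]] = value;                                  // flagged by the rule
  return target;
}

// Hardened: reject the keys that reach the prototype chain, descend only into
// own properties, and create prototype-less containers for new branches.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, path, value) {
  let node = target;
  for (const segment of path) {
    if (typeof segment !== 'string' || FORBIDDEN_KEYS.has(segment)) {
      throw new TypeError(`refusing to use "${String(segment)}" as a property name`);
    }
  }
  for (const segment of path.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, segment);
    if (!own || typeof node[segment] !== 'object' || node[segment] === null) {
      node[segment] = Object.create(null); // no prototype to pollute
    }
    node = node[segment];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Constructed demonstration: the same attacker-shaped path through both helpers.
function demo() {
  const path = ['__proto__', 'isAdmin'];
  setPath({}, path, true);
  const polluted = ({}).isAdmin === true; // true: every plain object now inherits isAdmin
  delete Object.prototype.isAdmin;        // undo the pollution for the rest of the process

  let rejected = false;
  try { setPathSafe({}, path, true); } catch (e) { rejected = e instanceof TypeError; }
  const clean = ({}).isAdmin === undefined;

  const cfg = setPathSafe({}, ['ui', 'theme'], 'dark'); // ordinary use still works
  return { polluted, rejected, clean, theme: cfg.ui.theme };
}
```

Running demo() returns { polluted: true, rejected: true, clean: true, theme: 'dark' }, which is the behaviour the rule exists to make you look at before shipping.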

More information: The Dangers of Square Bracket Notation