Description
Since the data validated by this library is often user-provided input, I think we should consider it "unsafe". Instead of using hasOwnProperty directly on input objects, I think it would be better to make sure that we are actually using the builtin method hasOwnProperty instead of the one on the provided object.
This simple input from the user currently causes an error: { hasOwnProperty: 'hello' }.
This could be fixed by changing the use of hasOwnProperty to use an already defined function. E.g.
    function hasOwnProperty (obj, prop) {
      return Object.prototype.hasOwnProperty.call(obj, prop)
    }
    // Instead of this:
    input.hasOwnProperty(schema.key)
    // We use this:
    hasOwnProperty(input, schema.key)
This would also have the benefit of being able to validate objects without a prototype (e.g. created by Object.create(null)). These objects are usually used when you want to use a hash map, which I also think that the input to this library usually is.
You can read more on why you shouldn't use a normal js object as a hash map here: Blog post by Guillermo Rauch, Article on 2ality
In multer, an express middleware for accepting multipart forms, we provide the data with a prototype-less object. This led one of our users to report expressjs/multer#171 to us, which would be solved by this.
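Added example, not part of the original issue or the library's code: it runs a required-key check both ways against the two inputs described above, a parsed object that shadows hasOwnProperty and a prototype-less object. The names missingKeysUnsafe, missingKeysSafe, attempt and runDemo, and the sample inputs, are assumptions made for illustration.

```javascript
// Builtin lookup that never reads a property of the input itself.
function hasOwn (obj, prop) {
  return Object.prototype.hasOwnProperty.call(obj, prop)
}

// Hypothetical required-key check that trusts the method found on the input.
function missingKeysUnsafe (input, keys) {
  return keys.filter((key) => !input.hasOwnProperty(key))
}

// Same check, routed through the builtin.
function missingKeysSafe (input, keys) {
  return keys.filter((key) => !hasOwn(input, key))
}

// Run a check and report either its result or the type of error it threw.
function attempt (check, input, keys) {
  try {
    return { ok: true, missing: check(input, keys) }
  } catch (err) {
    return { ok: false, error: err.constructor.name }
  }
}

// Constructed inputs: a JSON body that shadows hasOwnProperty with a string,
// and a prototype-less object like the one a form parser may hand over.
const shadowed = JSON.parse('{"hasOwnProperty": "hello", "name": "a"}')
const bare = Object.assign(Object.create(null), { name: 'a' })
const required = ['name', 'email']

function runDemo () {
  return {
    shadowedUnsafe: attempt(missingKeysUnsafe, shadowed, required),
    shadowedSafe: attempt(missingKeysSafe, shadowed, required),
    bareUnsafe: attempt(missingKeysUnsafe, bare, required),
    bareSafe: attempt(missingKeysSafe, bare, required)
  }
}

console.log(runDemo())
```

Both unsafe calls end in a TypeError before any validation result is produced, while the builtin-based check reports the missing key for either input.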