Require __proto__: null for non-empty dictionary literals, Object.create(null) for empty ones

Agent-Logs-Url: https://github.com/microsoft/rushstack/sessions/39bd15e2-0089-46b6-99ac-4bd914e5ba0a

Co-authored-by: dmichon-msft <26827560+dmichon-msft@users.noreply.github.com>

Author: Copilot

eslint/eslint-plugin/src/null-prototype-dictionaries.ts

@@ -4,20 +4,23 @@
 import type { TSESTree, TSESLint, ParserServices } from '@typescript-eslint/utils';
 import type * as ts from 'typescript';
 
-type MessageIds = 'error-object-literal-dictionary';
+type MessageIds = 'error-empty-object-literal-dictionary' | 'error-missing-null-prototype';
 type Options = [];
 
 const nullPrototypeDictionariesRule: TSESLint.RuleModule<MessageIds, Options> = {
   defaultOptions: [],
   meta: {
     type: 'problem',
     messages: {
-      'error-object-literal-dictionary':
+      'error-empty-object-literal-dictionary':
         'Dictionary objects typed as Record<string, T> should be created using Object.create(null)' +
-        ' instead of an object literal. This avoids prototype pollution, collisions with' +
+        ' instead of an empty object literal. This avoids prototype pollution, collisions with' +
         ' Object.prototype members such as "toString", and enables higher performance since runtimes' +
         ' such as V8 process Object.create(null) as opting out of having a hidden class and going' +
-        ' directly to dictionary mode.'
+        ' directly to dictionary mode.',
+      'error-missing-null-prototype':
+        'Dictionary object literals typed as Record<string, T> should include "__proto__: null"' +
+        ' to avoid prototype pollution and collisions with Object.prototype members such as "toString".'
     },
     schema: [],
     docs: {
@@ -76,10 +79,34 @@ const nullPrototypeDictionariesRule: TSESLint.RuleModule<MessageIds, Options> =
           return;
         }
 
-        if (isStringKeyedDictionaryType(contextualType)) {
+        if (!isStringKeyedDictionaryType(contextualType)) {
+          return;
+        }
+
+        // For empty object literals, recommend Object.create(null) which is more performant
+        if (node.properties.length === 0) {
+          context.report({
+            node,
+            messageId: 'error-empty-object-literal-dictionary'
+          });
+          return;
+        }
+
+        // For non-empty object literals, check whether "__proto__: null" is present
+        const hasNullProto: boolean = node.properties.some(
+          (prop) =>
+            prop.type === 'Property' &&
+            !prop.computed &&
+            ((prop.key.type === 'Identifier' && prop.key.name === '__proto__') ||
+              (prop.key.type === 'Literal' && prop.key.value === '__proto__')) &&
+            prop.value.type === 'Literal' &&
+            prop.value.value === null
+        );
+
+        if (!hasNullProto) {
           context.report({
             node,
-            messageId: 'error-object-literal-dictionary'
+            messageId: 'error-missing-null-prototype'
           });
         }
       }

eslint/eslint-plugin/src/test/null-prototype-dictionaries.test.ts

@@ -13,37 +13,46 @@ ruleTester.run('null-prototype-dictionaries', nullPrototypeDictionariesRule, {
     {
       // Empty object literal assigned to Record<string, number>
       code: 'const dict: Record<string, number> = {};',
-      errors: [{ messageId: 'error-object-literal-dictionary' }]
+      errors: [{ messageId: 'error-empty-object-literal-dictionary' }]
     },
     {
       // Empty object literal assigned to index signature type
       code: 'const dict: { [key: string]: number } = {};',
-      errors: [{ messageId: 'error-object-literal-dictionary' }]
-    },
-    {
-      // Non-empty object literal assigned to Record type
-      code: 'const dict: Record<string, string> = { a: "hello" };',
-      errors: [{ messageId: 'error-object-literal-dictionary' }]
+      errors: [{ messageId: 'error-empty-object-literal-dictionary' }]
     },
     {
       // Reassignment to empty object literal
       code: [
         'let dict: Record<string, number>;',
         'dict = {};'
       ].join('\n'),
-      errors: [{ messageId: 'error-object-literal-dictionary' }]
+      errors: [{ messageId: 'error-empty-object-literal-dictionary' }]
     },
     {
       // Return value from function
       code: 'function f(): Record<string, number> { return {}; }',
-      errors: [{ messageId: 'error-object-literal-dictionary' }]
+      errors: [{ messageId: 'error-empty-object-literal-dictionary' }]
+    },
+    {
+      // Non-empty object literal without __proto__: null
+      code: 'const dict: Record<string, string> = { a: "hello" };',
+      errors: [{ messageId: 'error-missing-null-prototype' }]
+    },
+    {
+      // Non-empty object literal with __proto__ set to something other than null
+      code: 'const dict: Record<string, string> = { __proto__: Object.prototype, a: "hello" };',
+      errors: [{ messageId: 'error-missing-null-prototype' }]
     }
   ],
   valid: [
     {
-      // Correct pattern: Object.create(null) for dictionary
+      // Correct pattern: Object.create(null) for empty dictionary
       code: 'const dict: Record<string, number> = Object.create(null);'
     },
+    {
+      // Correct pattern: non-empty literal with __proto__: null
+      code: 'const dict: Record<string, string> = { __proto__: null, a: "hello" };'
+    },
     {
       // Regular object type with named properties (not a dictionary)
       code: 'const obj: { name: string } = { name: "hello" };'