Add null-prototype-dictionaries rule enforcing Object.create(null) for Record types

Copilot · dmichon-msft · web-flow · commit 602a68b8a407 · 2026-04-07T22:57:44.000Z
Agent-Logs-Url: https://github.com/microsoft/rushstack/sessions/88c04cb4-f442-4fe2-8991-6a20aa3c6f9b Co-authored-by: dmichon-msft <26827560+dmichon-msft@users.noreply.github.com>
diff --git a/eslint/eslint-plugin/src/index.ts b/eslint/eslint-plugin/src/index.ts
@@ -8,6 +8,7 @@ import { noBackslashImportsRule } from './no-backslash-imports';
 import { noExternalLocalImportsRule } from './no-external-local-imports';
 import { noNewNullRule } from './no-new-null';
 import { noNullRule } from './no-null';
+import { nullPrototypeDictionariesRule } from './null-prototype-dictionaries';
 import { noTransitiveDependencyImportsRule } from './no-transitive-dependency-imports';
 import { noUntypedUnderscoreRule } from './no-untyped-underscore';
 import { normalizedImportsRule } from './normalized-imports';
@@ -36,6 +37,9 @@ const plugin: IPlugin = {
     // Full name: "@rushstack/no-null"
     'no-null': noNullRule,
 
+    // Full name: "@rushstack/null-prototype-dictionaries"
+    'null-prototype-dictionaries': nullPrototypeDictionariesRule,
+
     // Full name: "@rushstack/no-transitive-dependency-imports"
     'no-transitive-dependency-imports': noTransitiveDependencyImportsRule,
 
diff --git a/eslint/eslint-plugin/src/null-prototype-dictionaries.ts b/eslint/eslint-plugin/src/null-prototype-dictionaries.ts
@@ -0,0 +1,90 @@
+// Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
+// See LICENSE in the project root for license information.
+
+import type { TSESTree, TSESLint, ParserServices } from '@typescript-eslint/utils';
+import type * as ts from 'typescript';
+
+type MessageIds = 'error-object-literal-dictionary';
+type Options = [];
+
+const nullPrototypeDictionariesRule: TSESLint.RuleModule<MessageIds, Options> = {
+  defaultOptions: [],
+  meta: {
+    type: 'problem',
+    messages: {
+      'error-object-literal-dictionary':
+        'Dictionary objects typed as Record<string, T> should be created using Object.create(null)' +
+        ' instead of an object literal. This avoids prototype pollution, collisions with' +
+        ' Object.prototype members such as "toString", and enables higher performance since runtimes' +
+        ' such as V8 process Object.create(null) as opting out of having a hidden class and going' +
+        ' directly to dictionary mode.'
+    },
+    schema: [],
+    docs: {
+      description:
+        'Enforce that objects typed as string-keyed dictionaries (Record<string, T>) are instantiated' +
+        ' using Object.create(null) instead of object literals, to avoid prototype pollution issues,' +
+        ' collisions with Object.prototype members such as "toString", and for higher performance' +
+        ' since runtimes such as V8 process Object.create(null) as opting out of having a hidden' +
+        ' class and going directly to dictionary mode',
+      recommended: 'strict',
+      url: 'https://www.npmjs.com/package/@rushstack/eslint-plugin'
+    } as TSESLint.RuleMetaDataDocs
+  },
+  create: (context: TSESLint.RuleContext<MessageIds, Options>) => {
+    const parserServices: Partial<ParserServices> | undefined =
+      context.sourceCode?.parserServices ?? context.parserServices;
+    if (!parserServices || !parserServices.program || !parserServices.esTreeNodeToTSNodeMap) {
+      throw new Error(
+        'This rule requires your ESLint configuration to define the "parserOptions.project"' +
+          ' property for "@typescript-eslint/parser".'
+      );
+    }
+
+    const typeChecker: ts.TypeChecker = parserServices.program.getTypeChecker();
+
+    /**
+     * Checks whether the given type represents a pure string-keyed dictionary type:
+     * it has a string index signature and no named properties.
+     */
+    function isStringKeyedDictionaryType(type: ts.Type): boolean {
+      // Check if the type has a string index signature
+      if (!type.getStringIndexType()) {
+        return false;
+      }
+
+      // A pure dictionary type has no named properties - only an index signature.
+      // Types with named properties (like interfaces with extra index signatures)
+      // are not considered pure dictionaries.
+      if (type.getProperties().length > 0) {
+        return false;
+      }
+
+      return true;
+    }
+
+    return {
+      ObjectExpression(node: TSESTree.ObjectExpression): void {
+        const tsNode: ts.Node = parserServices.esTreeNodeToTSNodeMap!.get(node);
+
+        // Get the contextual type (the type expected by the surrounding context,
+        // e.g. from a variable declaration's type annotation)
+        const contextualType: ts.Type | undefined = typeChecker.getContextualType(
+          tsNode as ts.Expression
+        );
+        if (!contextualType) {
+          return;
+        }
+
+        if (isStringKeyedDictionaryType(contextualType)) {
+          context.report({
+            node,
+            messageId: 'error-object-literal-dictionary'
+          });
+        }
+      }
+    };
+  }
+};
+
+export { nullPrototypeDictionariesRule };
diff --git a/eslint/eslint-plugin/src/test/null-prototype-dictionaries.test.ts b/eslint/eslint-plugin/src/test/null-prototype-dictionaries.test.ts
@@ -0,0 +1,74 @@
+// Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
+// See LICENSE in the project root for license information.
+
+import type { RuleTester } from '@typescript-eslint/rule-tester';
+
+import { getRuleTesterWithProject } from './ruleTester';
+import { nullPrototypeDictionariesRule } from '../null-prototype-dictionaries';
+
+const ruleTester: RuleTester = getRuleTesterWithProject();
+
+ruleTester.run('null-prototype-dictionaries', nullPrototypeDictionariesRule, {
+  invalid: [
+    {
+      // Empty object literal assigned to Record<string, number>
+      code: 'const dict: Record<string, number> = {};',
+      errors: [{ messageId: 'error-object-literal-dictionary' }]
+    },
+    {
+      // Empty object literal assigned to index signature type
+      code: 'const dict: { [key: string]: number } = {};',
+      errors: [{ messageId: 'error-object-literal-dictionary' }]
+    },
+    {
+      // Non-empty object literal assigned to Record type
+      code: 'const dict: Record<string, string> = { a: "hello" };',
+      errors: [{ messageId: 'error-object-literal-dictionary' }]
+    },
+    {
+      // Reassignment to empty object literal
+      code: [
+        'let dict: Record<string, number>;',
+        'dict = {};'
+      ].join('\n'),
+      errors: [{ messageId: 'error-object-literal-dictionary' }]
+    },
+    {
+      // Return value from function
+      code: 'function f(): Record<string, number> { return {}; }',
+      errors: [{ messageId: 'error-object-literal-dictionary' }]
+    }
+  ],
+  valid: [
+    {
+      // Correct pattern: Object.create(null) for dictionary
+      code: 'const dict: Record<string, number> = Object.create(null);'
+    },
+    {
+      // Regular object type with named properties (not a dictionary)
+      code: 'const obj: { name: string } = { name: "hello" };'
+    },
+    {
+      // No explicit dictionary type annotation
+      code: 'const obj = {};'
+    },
+    {
+      // Record with literal union key type resolves to named properties, not a dictionary
+      code: 'const obj: Record<"a" | "b", number> = { a: 1, b: 2 };'
+    },
+    {
+      // Interface with named properties AND index signature is not a pure dictionary
+      code: [
+        'interface IExtended { name: string; [key: string]: string }',
+        'const obj: IExtended = { name: "hello" };'
+      ].join('\n')
+    },
+    {
+      // Non-object-literal initializer is fine
+      code: [
+        'function getDict(): Record<string, number> { return Object.create(null); }',
+        'const dict: Record<string, number> = getDict();'
+      ].join('\n')
+    }
+  ]
+});
