refactor: use Object.create(null) for all user input keys.

lib/http/base.js

@@ -143,7 +143,7 @@ HTTPBase.prototype._initRouter = function _initRouter() {
         if (!match)
           return next();
 
-        req.params = {};
+        req.params = Object.create(null);
 
         for (j = 0; j < match.length; j++) {
           item = match[j];
@@ -592,7 +592,7 @@ function parseBody(req, callback) {
   var total = 0;
   var body = '';
 
-  req.body = {};
+  req.body = Object.create(null);
 
   if (req.method === 'GET')
     return callback();
@@ -629,7 +629,7 @@ function parseBody(req, callback) {
 
 function parsePairs(str, limit) {
   var parts = str.split('&');
-  var data = {};
+  var data = Object.create(null);
   var i, index, pair, key, value;
 
   assert(!limit || parts.length <= limit, 'Too many keys in querystring.');
@@ -665,7 +665,7 @@ function parsePairs(str, limit) {
 function parsePath(req, limit) {
   var uri = URL.parse(req.url);
   var pathname = uri.pathname;
-  var query = {};
+  var query = Object.create(null);
   var path, parts, url;
 
   if (pathname) {
@@ -721,7 +721,7 @@ function parsePath(req, limit) {
   req.pathname = pathname;
   req.path = parts;
   req.query = query;
-  req.params = {};
+  req.params = Object.create(null);
 }
 
 function unescape(str) {

lib/http/server.js

@@ -203,13 +203,13 @@ HTTPServer.prototype._init = function _init() {
     var i, params, options, censored, output, address;
 
     if (req.method === 'POST' && req.pathname === '/') {
-      req.options = {};
+      req.options = Object.create(null);
       return next();
     }
 
-    params = {};
-    options = {};
-    censored = {};
+    params = Object.create(null);
+    options = Object.create(null);
+    censored = Object.create(null);
 
     softMerge(params, req.params, true);
     softMerge(params, req.query, true);

lib/node/config.js

@@ -43,8 +43,8 @@ config.alias = {
  */
 
 config.parse = function parse(options) {
-  var data = {};
-  var raw = {};
+  var data = Object.create(null);
+  var raw = Object.create(null);
   var arg, conf, prefix, filename, dirname;
 
   if (!options)
@@ -267,7 +267,7 @@ config.readAuth = function readAuth(file) {
  */
 
 config.parseConfig = function parseConfig(text, prefix, dirname) {
-  var data = {};
+  var data = Object.create(null);
   var i, parts, line, key, value, eq, col, alias;
 
   assert(typeof text === 'string', 'Config must be text.');
@@ -405,7 +405,7 @@ config.parseArg = function parseArg(argv) {
  */
 
 config.parseEnv = function parseEnv(env) {
-  var data = {};
+  var data = Object.create(null);
   var i, keys, key, value, alias;
 
   if (!env)
@@ -481,7 +481,7 @@ config.parseHash = function parseHash(hash) {
  */
 
 config.parseForm = function parseForm(query) {
-  var data = {};
+  var data = Object.create(null);
   var i, parts, index, pair, key, value, alias;
 
   assert(typeof query === 'string');
@@ -535,7 +535,7 @@ config.parseForm = function parseForm(query) {
 
 config.parseKnown = function parseKnown(text) {
   var lines = text.split(/\n+/);
-  var map = {};
+  var map = Object.create(null);
   var i, line, parts, hostname, host, ip, key;
 
   for (i = 0; i < lines.length; i++) {

lib/utils/lock.js

@@ -236,7 +236,7 @@ Lock.prototype.destroy = function destroy() {
 
   this.busy = false;
   this.jobs.length = 0;
-  this.map = {};
+  this.map = Object.create(null);
   this.pending = 0;
   this.current = null;
 
@@ -387,8 +387,8 @@ MappedLock.prototype.destroy = function destroy() {
 
   this.destroyed = true;
 
-  this.jobs = {};
-  this.busy = {};
+  this.jobs = Object.create(null);
+  this.busy = Object.create(null);
 
   for (i = 0; i < keys.length; i++) {
     key = keys[i];