Provides secure alternatives for functions that can be affected by prototype pollution
splitOnChar(str: string, delimiter?: string): string[]
- Splits a string into an array of substrings using a single-character delimiter.
- Does not rely on String.prototype.split
- Validates inputs strictly
- Resistant to prototype pollution and method overrides
| Name | Type | Required | Description |
|---|---|---|---|
| str | string | yes | The input string to split |
| delimiter | string | no | Single character delimiter (default: '.') |
string[] — array of substrings
- TypeError if str is not a string
- TypeError if delimiter is not a single-character string
safeIndexOf(arr: T[], searchElement: T): number
Secure alternative to Array.prototype.indexOf(): returns the index of the element if it is in the array, otherwise returns -1.
| Name | Type | Required | Description |
|---|---|---|---|
| arr | Array<T> | yes | Array to search |
| searchElement | T | yes | Element to locate |
number — index of the element, or -1 if not found
TypeError if arr is not an array
StringSafeIndexOf(haystack: string, needle: string): number
- Searches for the first occurrence of a substring within a string.
- Does not rely on String.prototype.indexOf or any other built-in string methods.
- Performs a manual character-by-character comparison.
- Avoids implicit type coercion.
- Resistant to prototype pollution and method overrides.
- Safe to use in hostile or partially polluted JavaScript runtimes.
| Name | Type | Required | Description |
|---|---|---|---|
| haystack | string | yes | The string to search within |
| needle | string | yes | The substring to search for |
number — the zero-based index of the first occurrence of needle, or -1 if not found.
None (Invalid inputs are handled safely and return -1.)
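The following added example is an illustrative sketch of the manual character-by-character search described above; it is not this package's own code. The names `manualIndexOf` and `compareUnderOverride` are hypothetical, the sample input is constructed, and returning 0 for an empty needle is an assumption that mirrors native `indexOf`.

```javascript
'use strict';

// Illustrative sketch only: manualIndexOf is a hypothetical name, not this package's code.
function manualIndexOf(haystack, needle) {
  // typeof is an operator, so it cannot be redirected through a polluted prototype.
  if (typeof haystack !== 'string' || typeof needle !== 'string') return -1;

  // .length and in-range index access on a primitive string resolve to the
  // string's own properties, never to String.prototype.
  const hLen = haystack.length;
  const nLen = needle.length;
  if (nLen === 0) return 0;   // assumption: mirror native indexOf for an empty needle
  if (nLen > hLen) return -1;

  for (let i = 0; i <= hLen - nLen; i++) {
    let j = 0;
    // Strict equality on single code units: no coercion, no method calls.
    while (j < nLen && haystack[i + j] === needle[j]) j++;
    if (j === nLen) return i;
  }
  return -1;
}

// Constructed scenario: run the same search while String.prototype.indexOf is
// overridden, then restore the original so the rest of the process is unaffected.
function compareUnderOverride(haystack, needle) {
  const original = String.prototype.indexOf;
  String.prototype.indexOf = function () { return -1; }; // simulated override
  try {
    return {
      builtin: haystack.indexOf(needle), // dispatches to the overridden method
      manual: manualIndexOf(haystack, needle),
    };
  } finally {
    String.prototype.indexOf = original;
  }
}

// Constructed input: a traversal-sequence check that the override must not silence.
console.log(compareUnderOverride('uploads/../etc/passwd', '../'));
// → { builtin: -1, manual: 8 }
```

A validation check built on the built-in call would report "not found" under the override, while the manual search still locates the sequence at index 8.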
RegexSafeTest(regex: RegExp, input: string): boolean
- Tests whether a regular expression matches a string.
- Does not rely on RegExp.prototype.test, avoiding user-land overrides.
- Executes the match using the native V8 RegExp engine via a compiled Node.js addon.
- Validates inputs strictly before execution.
- Resistant to prototype pollution, method overrides, and monkey-patching of RegExp.prototype.
Currently works only for Node v24 (Active LTS version)
| Name | Type | Required | Description |
|---|---|---|---|
| regex | RegExp | yes | Regular expression to test |
| input | string | yes | String against which the regex is evaluated |
boolean — true if the regular expression matches the input string, otherwise false.
- TypeError if regex is not a RegExp object
- TypeError if input is not a string
- Error if the native addon is unavailable on the current platform
ObjectHasOwnProperty(obj: object | null | undefined, prop: string | symbol): boolean
- Determines whether an object has a property as its own property, without checking inherited properties.
- Does not rely on Object.prototype.hasOwnProperty, making it resistant to prototype pollution and method overrides.
- Checks both string and symbol properties.
- Safe to use on objects in hostile or partially polluted JavaScript runtimes.
- Handles null and undefined safely, returning false instead of throwing.
| Name | Type | Required | Description |
|---|---|---|---|
| obj | object \| null \| undefined | yes | The object to inspect |
| prop | string \| symbol | yes | The property name or symbol to check for |
boolean — true if the object has the property as its own property; otherwise false.
None — invalid inputs such as null or undefined are handled safely.
- Resistant to prototype pollution attacks, such as modifying Object.prototype.hasOwnProperty.
- Safe when globals like Object.getOwnPropertyNames or Object.getOwnPropertySymbols are overridden.
- Can be safely used in environments where objects or globals may be partially polluted.