From a2348c8514ac2b4a4f4a96b3218199cc13d9ac46 Mon Sep 17 00:00:00 2001
From: Evan Hahn <me@evanhahn.com>
Date: Thu, 17 Mar 2022 12:34:13 -0500
Subject: [PATCH] Use object with null prototype for various app properties

`app.cache`, `app.engines`, and `app.settings` are now created with
`Object.create(null)` instead of `{}`.

This also adds a test that `app.locals` is created the same way.
---
 lib/application.js |  6 +++---
 test/app.locals.js | 18 ++++++++++++------
 2 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/lib/application.js b/lib/application.js
index ae050c9fa1..cd9479ccfe 100644
--- a/lib/application.js
+++ b/lib/application.js
@@ -54,9 +54,9 @@ var trustProxyDefaultSymbol = '@@symbol:trust_proxy_default';
 app.init = function init() {
   var router = null;
 
-  this.cache = {};
-  this.engines = {};
-  this.settings = {};
+  this.cache = Object.create(null);
+  this.engines = Object.create(null);
+  this.settings = Object.create(null);
 
   this.defaultConfiguration();
 
diff --git a/test/app.locals.js b/test/app.locals.js
index d8bfb5a987..2241ff7fa2 100644
--- a/test/app.locals.js
+++ b/test/app.locals.js
@@ -1,16 +1,22 @@
 
+var assert = require('assert');
 var express = require('../')
 
 describe('app', function(){
   describe('.locals(obj)', function(){
     it('should merge locals', function(){
       var app = express();
-      Object.keys(app.locals).should.eql(['settings']);
+      assert.deepStrictEqual(Object.keys(app.locals), ['settings']);
       app.locals.user = 'tobi';
       app.locals.age = 2;
-      Object.keys(app.locals).should.eql(['settings', 'user', 'age']);
-      app.locals.user.should.equal('tobi');
-      app.locals.age.should.equal(2);
+      assert.deepStrictEqual(Object.keys(app.locals), ['settings', 'user', 'age']);
+      assert.strictEqual(app.locals.user, 'tobi');
+      assert.strictEqual(app.locals.age, 2);
+    })
+
+    it('is an object with no prototype', function(){
+      var app = express();
+      assert.strictEqual(Object.getPrototypeOf(app.locals), null);
     })
   })
 
@@ -19,8 +25,8 @@ describe('app', function(){
       var app = express();
       app.set('title', 'House of Manny');
       var obj = app.locals.settings;
-      obj.should.have.property('env', 'test');
-      obj.should.have.property('title', 'House of Manny');
+      assert.strictEqual(obj.env, 'test');
+      assert.strictEqual(obj.title, 'House of Manny');
     })
   })
 })