Settings includes values on Object.prototype

[EvanHahn]

App settings pull from Object.prototype if they're missing on the settings object.

const app = require('express')();

app.get('hasOwnProperty');
// => [Function: hasOwnProperty]

app.enabled('hasOwnProperty');
// => true

Is this intentional? If not, I'm happy to help fix.

[dougwilson]

Hi, yea, definitely a useless feature 😀 . I'd be happy to accept a fix; app.settings.hasOwnProperty() should still be there for back compact, but using the .get and helpers probably shouldn't return them since it is quite a useless value. Ultimately it is not surprising this happens, as it is no different from just writing app.settings.hasOwnProperty.

We could also make settings a null prototype object in the 5.0 branch.

[EvanHahn]

I'll make two changes:

1. In 4.x, make app.disabled, app.enabled, app.get, and app.set(oneArgument) ignore inherited properties on app.settings.
2. In 5.x, change settings from {} to Object.create(null).

Does that sound reasonable? If so, I can submit a patch.

[dougwilson]

It sounds good, though I don't think you can just ignore any inherited value -- that is how the settings are inherited from parent apps to sub apps.

[dougwilson]

Likely good enough to just filter out if it in Object.prototype.

[EvanHahn]

Opened #4803. If that looks good, I'll make a similar PR for 5.0.

[EvanHahn]

Now that #4803 is merged, I'll plan to make a similar PR for the 5.x branch.

I hope to get to that in the next few days.

[EvanHahn]

Opened #4835.