CodeQL documentation

Inconsistent use of ‘new’

ID: js/inconsistent-use-of-new
Kind: problem
Security severity: 
Severity: warning
Precision: very-high
Tags:
   - quality
   - reliability
   - correctness
   - language-features
Query suites:
   - javascript-security-and-quality.qls


JavaScript does not enforce a distinction between constructor functions and normal functions, so the same function can be invoked both as a constructor with new and as a normal function without new. This is unusual, however, and can often indicate a bug.

Recommendation

Examine the function in question and all calls to it. If it is not actually meant to be invoked as a constructor, turn all constructor calls to it into normal function calls. If it is meant to be invoked as a constructor, either turn all normal function calls to it into constructor calls, or introduce a guard for intercepting calls without new as described below.

Example

In the following example, Point is clearly meant to be a constructor function, but on line 7 it is invoked without new. This means that this in the function body will refer to the global object, so the assignments to x and y will create global variables.

function Point(x, y) {
  this.x = x;
  this.y = y;
}

var p = new Point(23, 42),
    q = Point(56, 72);

The easiest way to fix this is to rewrite the call on line 7 to use new:

function Point(x, y) {
  this.x = x;
  this.y = y;
}

var p = new Point(23, 42),
    q = new Point(56, 72);

Alternatively, if you absolutely have to make it possible to call Point both with and without new, you could insert a guard that intercepts calls without new as follows:

function Point(x, y) {
  if (!(this instanceof Point))
    return new Point(x, y);
  this.x = x;
  this.y = y;
}

var p = new Point(23, 42),
    q = Point(56, 72);

Now, if Point is invoked without new, its this object (which is the global object) is not an instance of Point, so the “then” branch of the if statement is executed, which re-invokes Point on the same arguments, but this time with new.
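The following added example (not part of the CodeQL documentation) calls four variants of Point without new and reports whether the call leaked x and y onto the global object, threw, or returned a proper instance. It goes beyond the page's example by also covering a strict-mode function and an ES2015 class; the names SloppyPoint, StrictPoint, GuardedPoint, ClassPoint and probeCallWithoutNew are hypothetical.

```javascript
// Added example, not part of the CodeQL documentation; helper names are hypothetical.
// The Function constructor always yields a non-strict function, so this is the
// page's unguarded Point even when this file itself is loaded as strict code.
const SloppyPoint = new Function("x", "y", "this.x = x; this.y = y;");

function StrictPoint(x, y) {
  "use strict"; // `this` stays undefined when `new` is omitted
  this.x = x;
  this.y = y;
}

function GuardedPoint(x, y) { // the instanceof guard from the page
  if (!(this instanceof GuardedPoint))
    return new GuardedPoint(x, y);
  this.x = x;
  this.y = y;
}

class ClassPoint { // class constructors cannot be called without `new`
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }
}

// Call `ctor` without `new` and report what happened.
function probeCallWithoutNew(ctor) {
  const before = new Set(Object.getOwnPropertyNames(globalThis));
  let result;
  let threw = false;
  try {
    result = ctor(56, 72);
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;
    threw = true;
  }
  // New own properties on the global object are leaks; list and remove them.
  const leaked = Object.getOwnPropertyNames(globalThis)
    .filter((name) => !before.has(name))
    .sort();
  for (const name of leaked) delete globalThis[name];
  return { threw, leaked, isInstance: result instanceof ctor };
}

const cases = { SloppyPoint, StrictPoint, GuardedPoint, ClassPoint };
for (const [name, ctor] of Object.entries(cases)) {
  console.log(name, JSON.stringify(probeCallWithoutNew(ctor)));
}
```

Only the non-strict, unguarded variant fails silently; the strict-mode function and the class turn the missing new into a TypeError, and the guarded function recovers.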

References

  • D. Crockford, JavaScript: The Good Parts, Appendix B.11. O’Reilly, 2008.
