[ML] Improving empty object creation in ML packages (elastic#191901)

Replacing instances of empty object creation with Object.create(null) to
remove any risk of prototype pollution.
Related to elastic#191518

x-pack/packages/ml/aiops_log_rate_analysis/queries/get_field_value_pair_counts.ts

@@ -16,7 +16,7 @@ export function getFieldValuePairCounts(cpgs: SignificantItemGroup[]): FieldValu
   return cpgs.reduce<FieldValuePairCounts>((p, { group }) => {
     group.forEach(({ fieldName, fieldValue }) => {
       if (p[fieldName] === undefined) {
-        p[fieldName] = {};
+        p[fieldName] = Object.create(null);
       }
       p[fieldName][fieldValue] = p[fieldName][fieldValue] ? p[fieldName][fieldValue] + 1 : 1;
     });

x-pack/packages/ml/is_populated_object/src/is_populated_object.test.ts

@@ -45,4 +45,8 @@ describe('isPopulatedObject', () => {
       ])
     ).toBe(false);
   });
+  it('does not allow an object with a required attribute in the prototype ', () => {
+    const testObject = { attribute: 'value', __proto__: { otherAttribute: 'value' } };
+    expect(isPopulatedObject(testObject, ['otherAttribute'])).toBe(false);
+  });
 });

x-pack/packages/ml/is_populated_object/src/is_populated_object.ts

@@ -30,7 +30,6 @@ export const isPopulatedObject = <U extends string = string, T extends unknown =
     typeof arg === 'object' &&
     arg !== null &&
     Object.keys(arg).length > 0 &&
-    (requiredAttributes.length === 0 ||
-      requiredAttributes.every((d) => ({}.hasOwnProperty.call(arg, d))))
+    (requiredAttributes.length === 0 || requiredAttributes.every((d) => Object.hasOwn(arg, d)))
   );
 };

x-pack/packages/ml/json_schemas/src/json_schema_service.ts

@@ -68,7 +68,7 @@ export class JsonSchemaService {
     };
   }
 
-  private allComponents: Record<string, object> = {};
+  private allComponents: Record<string, object> = Object.create(null);
   private componentsDict = new Set<string>();
 
   /**

x-pack/packages/ml/nested_property/src/set_nested_property.ts

@@ -12,7 +12,7 @@ export const setNestedProperty = (obj: Record<string, any>, accessor: string, va
   for (let i = 0; i < len - 1; i++) {
     const attribute = accessors[i];
     if (typeof ref[attribute] !== 'object') {
-      ref[attribute] = {};
+      ref[attribute] = Object.create(null);
     }
 
     ref = ref[attribute];

x-pack/packages/ml/random_sampler_utils/src/random_sampler_manager.ts

@@ -158,7 +158,7 @@ export class RandomSampler {
     const mode = this.getMode();
     const probability = this.getProbability();
 
-    let prob = {};
+    let prob = Object.create(null);
     if (mode === RANDOM_SAMPLER_OPTION.ON_MANUAL) {
       prob = { probability };
     } else if (mode === RANDOM_SAMPLER_OPTION.OFF) {

x-pack/packages/ml/runtime_field_utils/src/get_combined_runtime_mappings.ts

@@ -18,7 +18,7 @@ export function getCombinedRuntimeMappings(
   dataView: DataView | undefined,
   runtimeMappings?: RuntimeMappings
 ): RuntimeMappings | undefined {
-  let combinedRuntimeMappings = {};
+  let combinedRuntimeMappings = Object.create(null);
 
   // Add runtime field mappings defined by index pattern
   if (dataView) {

x-pack/packages/ml/url_state/src/url_state.tsx

@@ -67,7 +67,7 @@ export function isRisonSerializationRequired(queryParam: string): boolean {
 }
 
 export function parseUrlState(search: string): Dictionary<any> {
-  const urlState: Dictionary<any> = {};
+  const urlState: Dictionary<any> = Object.create(null);
   const parsedQueryString = parse(search, { sort: false });
 
   try {
@@ -125,7 +125,7 @@ export const UrlStateProvider: FC<PropsWithChildren<unknown>> = ({ children }) =
       const parsedQueryString = parse(prevSearchString, { sort: false });
 
       if (!Object.hasOwn(urlState, accessor)) {
-        urlState[accessor] = {};
+        urlState[accessor] = Object.create(null);
       }
 
       if (typeof attribute === 'string') {