fix(runtime): use more null proto objects (#23921)

This is a primordialization effort to improve resistance against users tampering with the global `Object` prototype. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
author: Luca Casonato <hello@lcas.dev> 2024-05-23 00:03:35 +0200
committer: GitHub <noreply@github.com> 2024-05-23 00:03:35 +0200
commit: 971f09abe486185247e1faf4e8d1419ba2506b8d (patch)
tree: 3ed0cf608116ad06e88a87552333e930824cc790 /ext/http
parent: 6c167c64d61ecfc912dc1b68d300f02aa3677235 (diff)
2 files changed, 2 insertions, 2 deletions
diff --git a/ext/http/00_serve.ts b/ext/http/00_serve.ts
index de94779dc..1f83ce73d 100644
--- a/ext/http/00_serve.ts
+++ b/ext/http/00_serve.ts
@@ -591,7 +591,7 @@ function serve(arg1, arg2) {
     throw new TypeError("A handler function must be provided.");
   }
   if (options === undefined) {
-    options = {};
+    options = { __proto__: null };
   }
 
   const wantsHttps = hasTlsKeyPairOptions(options);
diff --git a/ext/http/02_websocket.ts b/ext/http/02_websocket.ts
index 073929961..21f403bff 100644
--- a/ext/http/02_websocket.ts
+++ b/ext/http/02_websocket.ts
@@ -37,7 +37,7 @@ const _ws = Symbol("[[associated_ws]]");
 const websocketCvf = buildCaseInsensitiveCommaValueFinder("websocket");
 const upgradeCvf = buildCaseInsensitiveCommaValueFinder("upgrade");
 
-function upgradeWebSocket(request, options = {}) {
+function upgradeWebSocket(request, options = { __proto__: null }) {
   const inner = toInnerRequest(request);
   const upgrade = request.headers.get("upgrade");
   const upgradeHasWebSocketOption = upgrade !== null &&
author	Luca Casonato <hello@lcas.dev>	2024-05-23 00:03:35 +0200
committer	GitHub <noreply@github.com>	2024-05-23 00:03:35 +0200
commit	971f09abe486185247e1faf4e8d1419ba2506b8d (patch)
tree	3ed0cf608116ad06e88a87552333e930824cc790 /ext/http
parent	6c167c64d61ecfc912dc1b68d300f02aa3677235 (diff)