authorLuca Casonato <hello@lcas.dev>2024-05-23 00:03:35 +0200
committerGitHub <noreply@github.com>2024-05-23 00:03:35 +0200
commit971f09abe486185247e1faf4e8d1419ba2506b8d (patch)
tree3ed0cf608116ad06e88a87552333e930824cc790 /runtime/js
parent6c167c64d61ecfc912dc1b68d300f02aa3677235 (diff)
fix(runtime): use more null proto objects (#23921)
This is a primordialization effort to improve resistance against users tampering with the global `Object` prototype. --------- Co-authored-by: Bartek Iwańczuk <biwanczuk@gmail.com>
Diffstat (limited to 'runtime/js')
-rw-r--r--runtime/js/10_permissions.js2
-rw-r--r--runtime/js/11_workers.js4
-rw-r--r--runtime/js/40_process.js12
-rw-r--r--runtime/js/40_signals.js2
-rw-r--r--runtime/js/90_deno_ns.js8
-rw-r--r--runtime/js/98_global_scope_shared.js2
-rw-r--r--runtime/js/99_main.js2
7 files changed, 16 insertions, 16 deletions
diff --git a/runtime/js/10_permissions.js b/runtime/js/10_permissions.js
index 4e7d0d340..f2b3fba00 100644
--- a/runtime/js/10_permissions.js
+++ b/runtime/js/10_permissions.js
@@ -268,7 +268,7 @@ const permissions = new Permissions(illegalConstructorKey);
/** Converts all file URLs in FS allowlists to paths. */
function serializePermissions(permissions) {
if (typeof permissions == "object" && permissions != null) {
- const serializedPermissions = {};
+ const serializedPermissions = { __proto__: null };
for (
const key of new SafeArrayIterator(["read", "write", "run", "ffi"])
) {
diff --git a/runtime/js/11_workers.js b/runtime/js/11_workers.js
index 5d24df93d..385376192 100644
--- a/runtime/js/11_workers.js
+++ b/runtime/js/11_workers.js
@@ -91,7 +91,7 @@ class Worker extends EventTarget {
// still be messages left to receive.
#status = "RUNNING";
- constructor(specifier, options = {}) {
+ constructor(specifier, options = { __proto__: null }) {
super();
specifier = String(specifier);
const {
@@ -254,7 +254,7 @@ class Worker extends EventTarget {
}
};
- postMessage(message, transferOrOptions = {}) {
+ postMessage(message, transferOrOptions = { __proto__: null }) {
const prefix = "Failed to execute 'postMessage' on 'MessagePort'";
webidl.requiredArguments(arguments.length, 1, prefix);
message = webidl.converters.any(message);
diff --git a/runtime/js/40_process.js b/runtime/js/40_process.js
index e6c865928..6db04468f 100644
--- a/runtime/js/40_process.js
+++ b/runtime/js/40_process.js
@@ -134,7 +134,7 @@ function run({
cmd,
cwd = undefined,
clearEnv = false,
- env = {},
+ env = { __proto__: null },
gid = undefined,
uid = undefined,
stdout = "inherit",
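Review bot: The new `env = { __proto__: null }` default only applies when no `env` is reachable on the caller's options object. Destructuring reads `env`, `cwd`, `uid` and `gid` through the prototype chain, so when the caller passes an ordinary object literal, a value placed on `Object.prototype` is still picked up and the default never runs. The same pattern is in the `spawnChildInner` and `spawnSync` parameter lists later in this file, and probably in the `Worker` constructor's `const {` destructuring in 11_workers.js, whose fields are outside that hunk. If the goal is resistance to a tampered `Object.prototype`, copy the options into a prototype-less object before destructuring, for example `options = { __proto__: null, ...options };` (spread copies own enumerable properties only), or read each field behind an own-property check. `run`'s parameter list and body continue outside the hunk.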
@@ -172,7 +172,7 @@ function spawnChildInner(opFn, command, apiName, {
args = [],
cwd = undefined,
clearEnv = false,
- env = {},
+ env = { __proto__: null },
uid = undefined,
gid = undefined,
stdin = "null",
@@ -181,7 +181,7 @@ function spawnChildInner(opFn, command, apiName, {
signal = undefined,
windowsRawArguments = false,
ipc = -1,
-} = {}) {
+} = { __proto__: null }) {
const child = opFn({
cmd: pathFromURL(command),
args: ArrayPrototypeMap(args, String),
@@ -202,7 +202,7 @@ function spawnChildInner(opFn, command, apiName, {
});
}
-function spawnChild(command, options = {}) {
+function spawnChild(command, options = { __proto__: null }) {
return spawnChildInner(
op_spawn_child,
command,
@@ -392,14 +392,14 @@ function spawnSync(command, {
args = [],
cwd = undefined,
clearEnv = false,
- env = {},
+ env = { __proto__: null },
uid = undefined,
gid = undefined,
stdin = "null",
stdout = "piped",
stderr = "piped",
windowsRawArguments = false,
-} = {}) {
+} = { __proto__: null }) {
if (stdin === "piped") {
throw new TypeError(
"Piped stdin is not supported for this function, use 'Deno.Command().spawn()' instead",
diff --git a/runtime/js/40_signals.js b/runtime/js/40_signals.js
index 9d3cd4092..41f25af67 100644
--- a/runtime/js/40_signals.js
+++ b/runtime/js/40_signals.js
@@ -26,7 +26,7 @@ function unbindSignal(rid) {
// Stores signal listeners and resource data. This has type of
// `Record<string, { rid: number | undefined, listeners: Set<() => void> }`
-const signalData = {};
+const signalData = { __proto__: null };
/** Gets the signal handlers and resource data of the given signal */
function getSignalData(signo) {
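Review bot: The comment above `signalData` does not say why the table is now prototype-less, and its `Record<…>` type annotation is missing the closing `>`. I would add a line such as `// Null prototype: keys are signal names, so a lookup must never resolve to a member inherited from Object.prototype.` and close the type. Whether `signo` is validated before it is used as a key is not visible here, since `getSignalData`'s body is outside the hunk.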
diff --git a/runtime/js/90_deno_ns.js b/runtime/js/90_deno_ns.js
index 02ac7b602..2e13976a7 100644
--- a/runtime/js/90_deno_ns.js
+++ b/runtime/js/90_deno_ns.js
@@ -264,9 +264,9 @@ const unstableIds = {
workerOptions: 11,
};
-const denoNsUnstableById = {};
+const denoNsUnstableById = { __proto__: null };
-// denoNsUnstableById[unstableIds.broadcastChannel] = {}
+// denoNsUnstableById[unstableIds.broadcastChannel] = { __proto__: null }
denoNsUnstableById[unstableIds.cron] = {
cron: cron.cron,
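Review bot: Only the outer `denoNsUnstableById` table becomes prototype-less here; the live entry `denoNsUnstableById[unstableIds.cron] = {` is still an ordinary literal, while the commented-out placeholders were updated to `{ __proto__: null }`. The same holds for the `webgpu` entry in the next hunk and for the `unstableForWindowOrWorkerGlobalScope[unstableIds.broadcastChannel] = {` entry in 98_global_scope_shared.js. If the consumers only copy own properties this is harmless, but that code is not visible, so for consistency I would start each live entry with `__proto__: null,` as well. The `unstableIds` literal used for the keys is also a plain object and starts outside the hunk.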
@@ -308,13 +308,13 @@ denoNsUnstableById[unstableIds.net] = {
),
};
-// denoNsUnstableById[unstableIds.unsafeProto] = {}
+// denoNsUnstableById[unstableIds.unsafeProto] = { __proto__: null }
denoNsUnstableById[unstableIds.webgpu] = {
UnsafeWindowSurface: webgpuSurface.UnsafeWindowSurface,
};
-// denoNsUnstableById[unstableIds.workerOptions] = {}
+// denoNsUnstableById[unstableIds.workerOptions] = { __proto__: null }
// when editing this list, also update unstableDenoProps in cli/tsc/99_main_compiler.js
const denoNsUnstable = {
diff --git a/runtime/js/98_global_scope_shared.js b/runtime/js/98_global_scope_shared.js
index e7504143e..b6e480216 100644
--- a/runtime/js/98_global_scope_shared.js
+++ b/runtime/js/98_global_scope_shared.js
@@ -145,7 +145,7 @@ const windowOrWorkerGlobalScope = {
[webidl.brand]: core.propNonEnumerable(webidl.brand),
};
-const unstableForWindowOrWorkerGlobalScope = {};
+const unstableForWindowOrWorkerGlobalScope = { __proto__: null };
unstableForWindowOrWorkerGlobalScope[unstableIds.broadcastChannel] = {
BroadcastChannel: core.propNonEnumerable(broadcastChannel.BroadcastChannel),
};
diff --git a/runtime/js/99_main.js b/runtime/js/99_main.js
index fcec6b91a..6e423af6b 100644
--- a/runtime/js/99_main.js
+++ b/runtime/js/99_main.js
@@ -252,7 +252,7 @@ function workerClose() {
op_worker_close();
}
-function postMessage(message, transferOrOptions = {}) {
+function postMessage(message, transferOrOptions = { __proto__: null }) {
const prefix =
"Failed to execute 'postMessage' on 'DedicatedWorkerGlobalScope'";
webidl.requiredArguments(arguments.length, 1, prefix);