From 971f09abe486185247e1faf4e8d1419ba2506b8d Mon Sep 17 00:00:00 2001 From: Luca Casonato Date: Thu, 23 May 2024 00:03:35 +0200 Subject: fix(runtime): use more null proto objects (#23921) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is a primordialization effort to improve resistance against users tampering with the global `Object` prototype. --------- Co-authored-by: Bartek IwaƄczuk --- ext/http/00_serve.ts | 2 +- ext/http/02_websocket.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'ext/http')
diff --git a/ext/http/00_serve.ts b/ext/http/00_serve.ts
index de94779dc..1f83ce73d 100644
--- a/ext/http/00_serve.ts
+++ b/ext/http/00_serve.ts
@@ -591,7 +591,7 @@ function serve(arg1, arg2) {
 throw new TypeError("A handler function must be provided.");
 }
 if (options === undefined) {
- options = {};
+ options = { __proto__: null };
 }
 const wantsHttps = hasTlsKeyPairOptions(options);
diff --git a/ext/http/02_websocket.ts b/ext/http/02_websocket.ts
index 073929961..21f403bff 100644
--- a/ext/http/02_websocket.ts
+++ b/ext/http/02_websocket.ts
@@ -37,7 +37,7 @@ const _ws = Symbol("[[associated_ws]]");
 const websocketCvf = buildCaseInsensitiveCommaValueFinder("websocket");
 const upgradeCvf = buildCaseInsensitiveCommaValueFinder("upgrade");
-function upgradeWebSocket(request, options = {}) {
+function upgradeWebSocket(request, options = { __proto__: null }) {
 const inner = toInnerRequest(request);
 const upgrade = request.headers.get("upgrade");
 const upgradeHasWebSocketOption = upgrade !== null &&
-- cgit v1.2.3
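Review bot: The null-prototype object in `serve` is used only on the `options === undefined` path, so an options object supplied by the caller remains an ordinary object. Any read of an absent key on it, for example inside `hasTlsKeyPairOptions(options)` (whose body is not shown here), would presumably still fall through to a tampered `Object.prototype`. The same gap applies to the default parameter of `upgradeWebSocket` in ext/http/02_websocket.ts, which is skipped whenever the caller passes any object. If caller-supplied options are meant to be covered too, consider normalising them once at entry, e.g. `options = { __proto__: null, ...options };`, or reading each field behind an own-property check. Both function bodies continue outside their hunks, so this may already be handled further down.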