feat: security tweaks

lib/command.ts

@@ -2,6 +2,12 @@ import type { Jsonifiable } from 'type-fest';
 import type { JsonifiableObject } from 'type-fest/source/jsonifiable.js';
 import type { HttpMethod } from './types.js';
 
+function maybeWithNullProto<T>(val: T): T {
+  return typeof val === 'object'
+    ? Object.assign(Object.create(null), val)
+    : val;
+}
+
 type Middleware<
   CommandInput extends JsonifiableObject | unknown = unknown,
   CommandOutput extends Jsonifiable | unknown = unknown,
@@ -14,37 +20,37 @@ export abstract class Command<
   CommandBody extends Jsonifiable | unknown = unknown,
   CommandQuery extends JsonifiableObject | unknown = unknown,
 > {
-  public method: HttpMethod = 'get';
+  public readonly method: HttpMethod = 'get';
 
-  #pathname: string;
+  readonly #pathname: string;
 
-  #body: CommandBody | undefined;
+  readonly #body: CommandBody | undefined;
 
-  #query: CommandQuery | undefined;
+  readonly #query: CommandQuery | undefined;
 
   protected middleware: Middleware<CommandInput, CommandOutput>[] = [];
 
   constructor(pathname: string, body?: CommandBody, query?: CommandQuery) {
     this.#pathname = pathname;
-    this.#body = body;
-    this.#query = query;
+    this.#body = maybeWithNullProto(body);
+    this.#query = maybeWithNullProto(query);
   }
 
   public serialize() {
     return JSON.stringify(this.toJSON());
   }
 
-  public toString(): string {
+  public toString() {
     return this.serialize();
   }
 
   public toJSON() {
-    return {
+    return maybeWithNullProto({
       method: this.method,
-      pathname: this.#pathname,
-      body: this.#body,
-      query: this.#query,
-    };
+      pathname: this.pathname,
+      body: this.body,
+      query: this.query,
+    });
   }
 
   public get body() {