chore(docs): improve security documentation (#319)

stainless-app[bot] · web-flow · commit 58abd552f87a · 2025-03-25T01:11:26.000Z
diff --git a/README.md b/README.md
@@ -93,8 +93,8 @@ To send `null` instead of a struct, use `param.NullObj[T]()`, where `T` is a str
 To send a custom value instead of a struct, use `param.OverrideObj[T](value)`.
 
 To override request structs contain a `.WithExtraFields(map[string]any)` method which can be used to
-send non-conforming fields in the request body. Extra fields take higher precedence than normal
-fields.
+send non-conforming fields in the request body. Extra fields overwrite any struct fields with a matching
+key, so only use with trusted data.
 
 ```go
 params := FooParams{
diff --git a/option/requestoption.go b/option/requestoption.go
@@ -24,6 +24,8 @@ import (
 type RequestOption = requestconfig.RequestOption
 
 // WithBaseURL returns a RequestOption that sets the BaseURL for the client.
+//
+// For security reasons, ensure that the base URL is trusted.
 func WithBaseURL(base string) RequestOption {
 	u, err := url.Parse(base)
 	if err != nil {
diff --git a/packages/param/option.go b/packages/param/option.go
@@ -2,6 +2,7 @@ package param
 
 import (
 	"encoding/json"
+	"fmt"
 	"reflect"
 	"time"
 )
@@ -78,6 +79,16 @@ func (o Opt[T]) Or(v T) T {
 	return v
 }
 
+func (o Opt[T]) String() string {
+	if o.IsNull() {
+		return "null"
+	}
+	if s, ok := any(o.Value).(fmt.Stringer); ok {
+		return s.String()
+	}
+	return fmt.Sprintf("%v", o.Value)
+}
+
 // This is a sketchy way to implement time Formatting
 var timeType = reflect.TypeOf(time.Time{})
 var timeTimeValueLoc, _ = reflect.TypeOf(Opt[time.Time]{}).FieldByName("Value")
diff --git a/packages/param/param.go b/packages/param/param.go
@@ -94,8 +94,12 @@ func (m metadata) GetExtraFields() map[string]any {
 	return nil
 }
 
-func (m *metadata) WithExtraFields(fields map[string]any) {
-	m.any = metadataExtraFields(fields)
+// WithExtraFields adds extra fields to the JSON object.
+//
+// WithExtraFields will override any existing fields with the same key.
+// For security reasons, ensure this is only used with trusted input data.
+func (m *metadata) WithExtraFields(extraFields map[string]any) {
+	m.any = metadataExtraFields(extraFields)
 }
 
 func (m *metadata) setMetadata(override any) {

Original file line number	Diff line number	Diff line change
`@@ -94,8 +94,12 @@ func (m metadata) GetExtraFields() map[string]any {`
`94`	`94`	`return nil`
`95`	`95`	`}`
`96`	`96`
`97`		`-func (m *metadata) WithExtraFields(fields map[string]any) {`
`98`		`- m.any = metadataExtraFields(fields)`
	`97`	`+// WithExtraFields adds extra fields to the JSON object.`
	`98`	`+//`
	`99`	`+// WithExtraFields will override any existing fields with the same key.`
	`100`	`+// For security reasons, ensure this is only used with trusted input data.`
	`101`	`+func (m *metadata) WithExtraFields(extraFields map[string]any) {`
	`102`	`+ m.any = metadataExtraFields(extraFields)`
`99`	`103`	`}`
`100`	`104`
`101`	`105`	`func (m *metadata) setMetadata(override any) {`