Fixed parse.js to prevent Prototype Pollution #70

Open
MorielHarush wants to merge 1 commit into mafintosh:master from MorielHarush:master

@MorielHarush

Description:
This PR addresses a Prototype Pollution vulnerability in the parser. The current implementation allows an attacker to bypass security boundaries by using the `__proto__` key within a .proto file (specifically in field options).

The Vulnerability:
When parsing field options like `[(foo).bar = "value"]`, the parser uses reduce to traverse the path. If an attacker provides `(__proto__)` as a path component, the parser accesses the global Object.prototype. This allows the attacker to inject properties into every object in the Node.js process.

Proof of Concept (PoC):

```js
const schema = require('protocol-buffers-schema');

console.log('=== BEFORE PARSE ===');
console.log('({}).polluted =', ({}).polluted); // undefined

const malicious = `
syntax = "proto3";
message Exploit {
  string a = 1 [(__proto__).polluted = "HACKED"];
}
`;

schema.parse(malicious);

console.log('\n=== AFTER PARSE ===');
console.log('({}).polluted =', ({}).polluted); // "HACKED"
```

Proposed Changes:

Null Prototypes: Switched from plain object literals {} to Object.create(null) for all data-holding structures (options, schema, messages, etc.).

Inheritance Protection: By using null-prototype objects, the `__proto__` key is treated as a regular property and does not trigger inheritance traversal.

Impact:
Prevents attackers from causing Denial of Service (DoS) or potentially Remote Code Execution (RCE) by polluting the global environment of applications that parse untrusted .proto files or Authentication Bypass.
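
The difference between the two container types, shown as an added example that is not code from this PR or from protocol-buffers-schema. `setPath`, `probe`, `plainNode` and `nullNode` are hypothetical names, and `setPath` only mimics the reduce-based path traversal the description mentions.

```javascript
// Added example (not the project's code). setPath is a hypothetical helper
// that mimics a reduce-based traversal of a dotted option path.
function setPath(root, path, value, makeNode) {
  const keys = path.split('.');
  const last = keys.pop();
  const parent = keys.reduce((node, key) => {
    // On a plain object, node['__proto__'] hits the inherited accessor and
    // returns Object.prototype, so no own property is ever created.
    if (node[key] === undefined) node[key] = makeNode();
    return node[key];
  }, root);
  parent[last] = value;
  return root;
}

const plainNode = () => ({});                 // container type before the fix
const nullNode = () => Object.create(null);   // container type after the fix

// Writes a constructed path, reports what an unrelated object inherits,
// then removes the demo property again.
function probe(makeNode) {
  const options = setPath(makeNode(), '__proto__.polluted', 'x', makeNode);
  const leaked = ({}).polluted;
  const ownKey = Object.prototype.hasOwnProperty.call(options, '__proto__');
  delete Object.prototype.polluted;           // undo the demo write
  return { leaked, ownKey };
}

console.log('plain {}            :', probe(plainNode));
console.log('Object.create(null) :', probe(nullNode));
```

Null-prototype objects carry no inherited methods, so code that consumes the parsed result must call `Object.prototype.hasOwnProperty.call(obj, key)` rather than `obj.hasOwnProperty(key)`.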
