Merge pull request #111 from Countly/protp-pollution-fix

Proto pollution fix

Author: turtledreams

lib/countly-bulk-user.js

@@ -602,7 +602,10 @@ function CountlyBulkUser(conf) {
     var change_custom_property = function(key, value, mod) {
         key = cc.truncateSingleValue(key, conf.maxKeyLength, "change_custom_property");
         value = cc.truncateSingleValue(value, conf.maxValueSize, "change_custom_property");
-
+        if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
+            cc.log(cc.logLevelEnums.ERROR, "change_custom_property, Provided key is not allowed.");
+            return;
+        }
         if (!customData[key]) {
             customData[key] = {};
         }

lib/countly.js

@@ -865,6 +865,10 @@ Countly.Bulk = Bulk;
     var change_custom_property = function(key, value, mod) {
         key = cc.truncateSingleValue(key, Countly.maxKeyLength, "change_custom_property", Countly.debug);
         value = cc.truncateSingleValue(value, Countly.maxValueSize, "change_custom_property", Countly.debug);
+        if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
+            cc.log(cc.logLevelEnums.ERROR, "change_custom_property, Provided key is not allowed.");
+            return;
+        }
 
         if (Countly.check_consent("users")) {
             if (!customData[key]) {