Fix prototype pollution issue (#529)

Author: carolabadeer

packages/core/lib/segments/attributes/subsegment.js

@@ -172,7 +172,9 @@ Subsegment.prototype.addMetadata = function(key, value, namespace) {
     this.metadata[ns] = {};
   }
 
-  this.metadata[ns][key] = value !== null && value !== undefined ? value : '';
+  if (ns !== '__proto__') {
+    this.metadata[ns][key] = value !== null && value !== undefined ? value : '';
+  }
 };
 
 Subsegment.prototype.addSqlData = function addSqlData(sqlData) {

packages/core/lib/segments/segment.js

@@ -143,7 +143,9 @@ Segment.prototype.addMetadata = function(key, value, namespace) {
     this.metadata[ns] = {};
   }
 
-  this.metadata[ns][key] = value !== null && value !== undefined ? value : '';
+  if (ns !== '__proto__') {
+    this.metadata[ns][key] = value !== null && value !== undefined ? value : '';
+  }
 };
 
 /**

packages/core/test/unit/segments/attributes/subsegment.test.js

@@ -47,6 +47,12 @@ describe('Subsegment', function() {
       subsegment.addMetadata(key, value, 'hello');
       assert.propertyVal(subsegment.metadata[namespace], key, value);
     });
+
+    it('should not add key value pair to metadata[namespace] if a namespace is "__proto__"', function () {
+      let namespace = '__proto__';
+      subsegment.addMetadata(key, value, namespace);
+      assert.notProperty(subsegment.metadata[namespace], key);
+    });
   });
 
   describe('#addSubsegment', function() {

packages/core/test/unit/segments/segment.test.js

@@ -112,6 +112,12 @@ describe('Segment', function() {
       segment.addMetadata(key, value, 'hello');
       assert.propertyVal(segment.metadata[namespace], key, value);
     });
+
+    it('should not add key value pair to metadata[namespace] if a namespace is "__proto__"', function () {
+      let namespace = '__proto__';
+      segment.addMetadata(key, value, namespace);
+      assert.notProperty(segment.metadata[namespace], key);
+    });
   });
 
   describe('#addSDKData', function() {