From e0ecbb82dc6beeefd22a504d6f3dfc8949b6012c Mon Sep 17 00:00:00 2001
From: turtledreams <62231246+turtledreams@users.noreply.github.com>
Date: Fri, 20 Dec 2024 15:11:29 +0900
Subject: [PATCH] Proto pollution fix
---
 lib/countly-bulk-user.js | 5 ++++-
 lib/countly.js | 4 ++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/countly-bulk-user.js b/lib/countly-bulk-user.js
index 0f45a42..45e3d37 100644
--- a/lib/countly-bulk-user.js
+++ b/lib/countly-bulk-user.js
@@ -602,7 +602,10 @@ function CountlyBulkUser(conf) {
 var change_custom_property = function(key, value, mod) {
 key = cc.truncateSingleValue(key, conf.maxKeyLength, "change_custom_property");
 value = cc.truncateSingleValue(value, conf.maxValueSize, "change_custom_property");
-
+ if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
+ cc.log(cc.logLevelEnums.ERROR, "change_custom_property, Provided key is not allowed.");
+ return;
+ }
 if (!customData[key]) {
 customData[key] = {};
 }
diff --git a/lib/countly.js b/lib/countly.js
index 495faad..6f8d1cf 100644
--- a/lib/countly.js
+++ b/lib/countly.js
@@ -865,6 +865,10 @@ Countly.Bulk = Bulk;
 var change_custom_property = function(key, value, mod) {
 key = cc.truncateSingleValue(key, Countly.maxKeyLength, "change_custom_property", Countly.debug);
 value = cc.truncateSingleValue(value, Countly.maxValueSize, "change_custom_property", Countly.debug);
+ if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
+ cc.log(cc.logLevelEnums.ERROR, "change_custom_property, Provided key is not allowed.");
+ return;
+ }
 if (Countly.check_consent("users")) {
 if (!customData[key]) {
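Review bot: The new denylist in `change_custom_property` blocks the three well-known names but leaves every other `Object.prototype` member reachable, because the `if (!customData[key])` test two lines below it is an inherited-property lookup: for a key such as `toString` or `hasOwnProperty` the inherited function is truthy, no fresh object is assigned, and whatever the function later stores under `customData[key]` would presumably land on the shared built-in rather than on this user's data (if `customData` is a plain object literal, which its out-of-hunk declaration should confirm). The existence check should be an own-property test, `if (!Object.prototype.hasOwnProperty.call(customData, key)) {`, so the behaviour no longer depends on enumerating dangerous names; keeping the explicit guard for `__proto__` on top is still worthwhile since a `__proto__` write bypasses own-property semantics. The guard is correctly placed after `cc.truncateSingleValue`, so a long key that truncates to one of the blocked names is still rejected. The body of `change_custom_property` continues past the end of the hunk, so how `customData[key]` is written afterwards could not be verified here.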