diff --git a/lib/countly-bulk-user.js b/lib/countly-bulk-user.js
index 0f45a42..45e3d37 100644
--- a/lib/countly-bulk-user.js
+++ b/lib/countly-bulk-user.js
@@ -602,7 +602,10 @@ function CountlyBulkUser(conf) {
 var change_custom_property = function(key, value, mod) {
 key = cc.truncateSingleValue(key, conf.maxKeyLength, "change_custom_property");
 value = cc.truncateSingleValue(value, conf.maxValueSize, "change_custom_property");
-
+ if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
+ cc.log(cc.logLevelEnums.ERROR, "change_custom_property, Provided key is not allowed.");
+ return;
+ }
 if (!customData[key]) {
 customData[key] = {};
 }
diff --git a/lib/countly.js b/lib/countly.js
index 495faad..6f8d1cf 100644
--- a/lib/countly.js
+++ b/lib/countly.js
@@ -865,6 +865,10 @@ Countly.Bulk = Bulk;
 var change_custom_property = function(key, value, mod) {
 key = cc.truncateSingleValue(key, Countly.maxKeyLength, "change_custom_property", Countly.debug);
 value = cc.truncateSingleValue(value, Countly.maxValueSize, "change_custom_property", Countly.debug);
+ if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
+ cc.log(cc.logLevelEnums.ERROR, "change_custom_property, Provided key is not allowed.");
+ return;
+ }
 if (Countly.check_consent("users")) {
 if (!customData[key]) {
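Review bot: In the lib/countly-bulk-user.js hunk, the three-name denylist still lets other inherited names past the existence test that follows it: assuming `customData` is a plain object, a key such as `toString` resolves through the prototype chain, so `!customData[key]` is false and no own entry is created. The rest of `change_custom_property` is outside the hunk, but if it then writes `mod` onto `customData[key]`, that write would land on a shared built-in rather than on user data. Testing ownership, `if (!Object.prototype.hasOwnProperty.call(customData, key)) { customData[key] = {}; }`, or creating `customData` with `Object.create(null)`, covers the whole class instead of three names. The strict `===` comparison also only matches string keys, so unless `cc.truncateSingleValue` is known to return a string the guard should compare `String(key)`. The same guard is repeated in the lib/countly.js hunk, so a shared helper in `cc` would keep the two copies in step.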