[MM-50712] Fix local prototype pollution flaw (#2567)

* [MM-50712] Fix local prototype pollution flaw

* Update src/main/diagnostics/steps/internal/loggerHooks.test.js

Co-authored-by: Daniel Espino García <larkox@gmail.com>

---------

Co-authored-by: Daniel Espino García <larkox@gmail.com>

src/main/diagnostics/steps/internal/loggerHooks.test.js

@@ -4,6 +4,7 @@
 import {MASK_EMAIL, MASK_PATH} from 'common/constants';
 
 import {maskMessageDataHook} from './loggerHooks';
+import {obfuscateByType} from './obfuscators';
 
 const loggerMock = {
     transports: {
@@ -59,6 +60,13 @@ describe('main/diagnostics/loggerHooks', () => {
         expect(URLs.some((url) => result.includes(url))).toBe(false);
     });
 
+    it('should not allow local prototype pollution', () => {
+        const obj = JSON.parse('{"__proto__":["1","2","3","4"]}');
+        expect(obj instanceof Array).toBe(false);
+        const obf = obfuscateByType(obj);
+        expect(obf instanceof Array).toBe(false);
+    });
+
     describe('should mask paths for all OSs', () => {
         it('darwin', () => {
             const originalPlatform = process.platform;

src/main/diagnostics/steps/internal/obfuscators.ts

@@ -60,7 +60,10 @@ function maskDataInArray(arr: unknown[]): unknown[] {
 
 function maskDataInObject(obj: Record<string, unknown>): Record<string, unknown> {
     return Object.keys(obj).reduce<Record<string, unknown>>((acc, key) => {
-        acc[key] = obfuscateByType(obj[key]);
+        // Avoid local prototype pollution
+        if (key !== '__proto__') {
+            acc[key] = obfuscateByType(obj[key]);
+        }
         return acc;
     }, {});
 }