fix(opentelemetry-core): add extra checks on internal merge function for safety (#6587)

Author: maryliag

CHANGELOG.md

@@ -12,6 +12,7 @@ For notes on migrating to 2.x / 0.200.x see [the upgrade guide](doc/upgrade-to-2
 
 * feat(sdk-metrics): adds the cardinalitySelector argument to PeriodicExportingMetricReaders
   [#6460](https://github.com/open-telemetry/opentelemetry-js/pull/6460) @starzlocker
+* feat(opentelemetry-core): add extra checks on internal merge function for safety [#6587](https://github.com/open-telemetry/opentelemetry-js/pull/6587) @maryliag
 
 ### :boom: Breaking Changes
 

packages/opentelemetry-core/src/utils/merge.ts

@@ -69,6 +69,13 @@ function mergeTwoObjects(
       const keys = Object.keys(two);
       for (let i = 0, j = keys.length; i < j; i++) {
         const key = keys[i];
+        if (
+          key === '__proto__' ||
+          key === 'constructor' ||
+          key === 'prototype'
+        ) {
+          continue;
+        }
         result[key] = takeValue(two[key]);
       }
     }
@@ -82,6 +89,13 @@ function mergeTwoObjects(
 
       for (let i = 0, j = keys.length; i < j; i++) {
         const key = keys[i];
+        if (
+          key === '__proto__' ||
+          key === 'constructor' ||
+          key === 'prototype'
+        ) {
+          continue;
+        }
         const twoValue = two[key];
 
         if (isPrimitive(twoValue)) {