abhaybhargav/index.js

## index.js
//Lodash Prototype Pollution PoC Code
// lodash version used == 4.17.4
// Author: Abhay Bhargav
// Disclaimer: This is vulnerable code. You are solely responsible for how you use it


const _ = require("lodash");
const express = require("express");
const bodyParser = require("body-parser");

const app = express();
app.use(bodyParser.urlencoded({extended : true}));
app.use(bodyParser.json());
const users = []

app.post('/signup', (req, res) => {
    const user = {}

    _.merge(user, req.body.user, {
        userId: Math.random().toString(36).substr(2, 9),
        timstamp: Date.now(),
    })

    users.push(user);

    return res.status(200).send(user)
})

app.get('/details/:userId', (req, res) => {
    let reqUserId = req.params.userId;
    let reqUser = users.find((u)=> u.userId == reqUserId );
    if (reqUser) {
        return res.status(200).send({
            userDetails: reqUser,
            isAdmin: reqUser.isAdmin
        })
    }
    return res.status(404).send({error: "user not found"})
})

app.listen(9000);
	//Lodash Prototype Pollution PoC Code
	// lodash version used == 4.17.4
	// Author: Abhay Bhargav
	// Disclaimer: This is vulnerable code. You are solely responsible for how you use it


	const _ = require("lodash");
	const express = require("express");
	const bodyParser = require("body-parser");

	const app = express();
	app.use(bodyParser.urlencoded({extended : true}));
	app.use(bodyParser.json());
	const users = []

	app.post('/signup', (req, res) => {
	const user = {}

	_.merge(user, req.body.user, {
	userId: Math.random().toString(36).substr(2, 9),
	timstamp: Date.now(),
	})

	users.push(user);

	return res.status(200).send(user)
	})

	app.get('/details/:userId', (req, res) => {
	let reqUserId = req.params.userId;
	let reqUser = users.find((u)=> u.userId == reqUserId );
	if (reqUser) {
	return res.status(200).send({
	userDetails: reqUser,
	isAdmin: reqUser.isAdmin
	})
	}
	return res.status(404).send({error: "user not found"})
	})

	app.listen(9000);