lodash prototype vuln

Author: netcode

package-lock.json

@@ -21,6 +21,7 @@
     "dotenv": "^8.2.0",
     "express": "^4.17.1",
     "faker": "^4.1.0",
+    "lodash": "^4.17.11",
     "mongodb": "^3.5.6",
     "mysql": "^2.18.1",
     "request": "^2.88.2"

package.json

@@ -0,0 +1,32 @@
+const express = require('express');
+const router = express.Router()
+
+const lodash = require('lodash');
+ 
+//if req.body.config == '{"constructor": {"prototype": {"isAdmin": true}}}' it will bypass the authentication
+function check(req, res) {
+
+    let config = {};
+    lodash.defaultsDeep(config, JSON.parse(req.body.config));
+    
+    let user = getCurrentUser();
+    if(!user){
+      user = {};
+    }
+    
+    if (user.isAdmin && user.isAdmin === true) {
+        res.send('Welcome Admin')
+    }else{
+        res.send('Welcome User')
+    }
+}
+
+//fake function that get current user from session or db
+function getCurrentUser(){
+  return false;
+}
+
+
+router.post('/check-user',check)
+
+module.exports = router