From 19e21ccc171b2898a93ca8f114bda50a920e9474 Mon Sep 17 00:00:00 2001
From: idokk
Date: Sun, 22 Nov 2020 17:49:38 +0200
Subject: [PATCH] adding /reports endpoint and user endpoints adding /report/ endpoint to showcase file inclusion from prototype pollution adding /user endpoint to showcase that the user object seems "clean" adding /user_proto endpoint to show the proto payload on the object
---
 index.js | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/index.js b/index.js
index 8cd1418..9127105 100644
--- a/index.js
+++ b/index.js
@@ -74,6 +74,31 @@ app.delete('/', (req, res) => {
 messages = messages.filter((m) => m.id !== req.body.messageId);
 res.send({ok: true});
 });
+app.get('/report/',(req,res) => {
+ const user = findUser(req.body.auth || {});
+
+ if (!user) {
+ res.status(403).send({ok: false, error: 'Access denied'});
+ return;
+ }
+ if (!user.reportId) {
+ res.status(404).send({ok: false, error: 'Not found'});
+ return;
+ }
+
+ res.status(200).send("report: " + fs.readFileSync("/home/app/prototype-pollution-explained/reports/"+user.reportId, 'utf8'));
+
+});
+
+app.get('/user', (req, res) => {
+ const user = findUser(req.body.auth || {});
+ res.send(user);
+});
+
+app.get('/user_proto', (req, res) => {
+ const user = findUser(req.body.auth || {});
+ res.send(user.__proto__);
+});
 app.listen(3000);
 console.log('Listening on port 3000...');
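Review bot: In the `/report/` handler, `if (!user.reportId)` tests only truthiness, so a `reportId` inherited through the prototype chain passes, and the value is then concatenated onto the reports directory and handed to `fs.readFileSync` with no containment check. The commit message says this is the behaviour being showcased, so the line should carry a marker such as `// INTENTIONALLY VULNERABLE: reportId may be inherited and is not confined to reports/`, and the hardened counterpart worth showing next to it is `if (!Object.hasOwn(user, 'reportId'))` plus `path.basename(user.reportId)` before the read. Separately, `/user_proto` reads `user.__proto__` and `/user` sends `user` without the `if (!user)` guard that `/report/` has, so a request that `findUser` rejects would presumably throw in `/user_proto` instead of returning 403. `/user` also returns the whole record, which may include credential fields; `findUser` and the `fs` import are outside the hunk, so both points need confirming there.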