SSRF via user-controlled URL in /api/fetch

Summary

The 'url' query parameter is passed directly to http.get with no scheme/host allowlist or validation, allowing attackers to make the server issue requests to arbitrary internal hosts (e.g., 169.254.169.254 cloud metadata or other internal services) and receive the response body.

Vulnerable code — server.js

🔴 if (parsed.pathname === "/api/fetch") {
🔴     const target = q.url;
🔴     if (!target) return send(res, 400, "missing url");
🔴     http
🔴       .get(target, (r) => {
🔴         let body = "";
🔴         r.on("data", (c) => (body += c));
🔴         r.on("end", () => send(res, 200, `fetched ${target}:\n${body.slice(0, 500)}`));
🔴       })
🔴       .on("error", (e) => send(res, 502, `fetch error: ${e.message}`));
🔴     return;
🔴   }