SSRF via /api/fetch url parameter

Summary

The `url` query parameter is passed directly to http.get() with no scheme/host allowlist or blocklist, allowing attackers to make server-side requests to internal services, loopback, or cloud metadata endpoints (e.g., 169.254.169.254) and receive the first 500 bytes of the response.

Vulnerable code — server.js

🔴   if (parsed.pathname === "/api/fetch") {
🔴     const target = q.url;
🔴     if (!target) return send(res, 400, "missing url");
🔴     http
🔴       .get(target, (r) => {
🔴         let body = "";
🔴         r.on("data", (c) => (body += c));
🔴         r.on("end", () => send(res, 200, `fetched ${target}:\n${body.slice(0, 500)}`));
🔴       })
🔴       .on("error", (e) => send(res, 502, `fetch error: ${e.message}`));
🔴     return;
🔴   }