# [CRUCIBLE-SEED]
# category: ssrf
# severity: high
# language: python
# expected: SSRF via requests.get with unvalidated user-supplied URL

import requests
from flask import Flask, request, jsonify

app = Flask(__name__)


@app.route("/proxy")
def proxy():
    target_url = request.args.get("url", "")
    # No validation — attacker requests: http://169.254.169.254/latest/meta-data/
    response = requests.get(target_url, timeout=10)
    return jsonify({
        "status": response.status_code,
        "content": response.text[:2000],
    })


@app.route("/webhook/test", methods=["POST"])
def test_webhook():
    data = request.get_json()
    webhook_url = data.get("url", "")
    payload = data.get("payload", {})
    # webhook_url from user — attacker targets internal services
    resp = requests.post(webhook_url, json=payload, timeout=8)
    return jsonify({"status": resp.status_code, "response": resp.text[:500]})


@app.route("/avatar/fetch")
def fetch_avatar():
    avatar_url = request.args.get("url", "")
    resp = requests.get(avatar_url, timeout=5, allow_redirects=True)
    return resp.content, 200, {"Content-Type": resp.headers.get("content-type", "image/png")}
