From 11d366cdbbf70988f783b3c1f752b58a4ae82df5 Mon Sep 17 00:00:00 2001
From: msaleemzp
Date: Mon, 22 Jun 2026 14:11:30 -0400
Subject: [PATCH 1/5] add index
---
 index.js | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 index.js
diff --git a/index.js b/index.js
new file mode 100644
index 0000000..fe41b42
--- /dev/null
+++ b/index.js
@@ -0,0 +1,20 @@
+const express = require('express');
+const axios = require('axios');
+const { URL } = require('url');
+const dns = require('dns').promises;
+const app = express();
+
+
+function isPrivateIp(ip) {
+ return ip === '::1' ||
+ /^127\./.test(ip) ||
+ /^10\./.test(ip) ||
+ /^192\.168\./.test(ip) ||
+ /^172\.(1[6-9]|2[0-9]|3[0-1])\./.test(ip) ||
+ ip.startsWith('fc') || ip.startsWith('fd') ||
+ ip.startsWith('fe80:');
+ }
+
+app.get('/', (req, res) => {
+ res.send('Hello World');
+});
\ No newline at end of file
From 8bd84d036ebfc7a8c42bb2f03505d02fdc03a81a Mon Sep 17 00:00:00 2001
From: msaleemzp
Date: Mon, 22 Jun 2026 14:20:11 -0400
Subject: [PATCH 2/5] add fetch
---
 index.js | 41 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/index.js b/index.js
index fe41b42..6b4ab9d 100644
--- a/index.js
+++ b/index.js
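Review bot: `isPrivateIp` (PATCH 1/5, index.js) is a prefix deny-list that leaves several non-public ranges unmatched: `0.0.0.0/8`, link-local `169.254.0.0/16`, `100.64.0.0/10`, the unspecified address `::`, and IPv4-mapped IPv6 forms such as `::ffff:127.0.0.1`. The IPv6 tests are case-sensitive, and `ip.startsWith('fe80:')` covers only part of `fe80::/10`. Because this function gates the outbound fetch added later in the series, consider testing CIDR membership with Node's built-in `net.BlockList` (`addSubnet` / `check`) rather than regexes, and lower-casing the input first. A doc comment stating that the argument must be an already-resolved IP literal, never a hostname, would also help the next reader.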
@@ -17,4 +17,43 @@ function isPrivateIp(ip) {
 app.get('/', (req, res) => {
 res.send('Hello World');
-});
\ No newline at end of file
+});
+
+
+app.get('/fetch', async (req, res) => {
+ const url = req.query.url;
+ let parsedUrl;
+ try {
+ parsedUrl = new URL(url);
+ } catch (e) {
+ return res.status(400).send('Invalid URL');
+ }
+ const hostname = parsedUrl.hostname;
+ if (!['http:', 'https:'].includes(parsedUrl.protocol) ||
+ hostname === 'localhost' ||
+ hostname === '127.0.0.1' ||
+ hostname === '::1' ||
+ /^(10|127)\./.test(hostname) ||
+ /^172\.(1[6-9]|2[0-9]|3[0-1])\./.test(hostname) ||
+ /^192\.168\./.test(hostname)) {
+ return res.status(400).send('URL not allowed');
+ }
+ try {
+ // DNS resolution to prevent DNS rebinding
+ try {
+ const addresses = await dns.lookup(parsedUrl.hostname, { all: true });
+ for (const { address } of addresses) {
+ if (isPrivateIp(address)) {
+ return res.status(400).send('URL not allowed');
+ }
+ }
+ } catch (e) {
+ return res.status(400).send('Invalid hostname');
+ }
+
+ const resp = await axios.get(url);
+ res.send(resp.data);
+ } catch (e) {
+ res.status(500).send(e.message);
+ }
+ });
\ No newline at end of file
From 30a83cd21948f7403ad160dff4b450db616a0591 Mon Sep 17 00:00:00 2001
From: msaleemzp
Date: Mon, 22 Jun 2026 14:23:41 -0400
Subject: [PATCH 3/5] add listen
---
 index.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/index.js b/index.js
index 6b4ab9d..5fdfabd 100644
--- a/index.js
+++ b/index.js
@@ -56,4 +56,6 @@ app.get('/fetch', async (req, res) => {
 } catch (e) {
 res.status(500).send(e.message);
 }
- });
\ No newline at end of file
+ });
+
+ app.listen(3000, () => console.log('HTTP server on port 3000'));
\ No newline at end of file
From 1e7a2ba0ce102c32635a77c0ac18211d3b515931 Mon Sep 17 00:00:00 2001
From: msaleemzp
Date: Mon, 22 Jun 2026 14:42:56 -0400
Subject: [PATCH 4/5] add browser.js
---
 browser.js | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 browser.js
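Review bot: In the `/fetch` handler (PATCH 2/5), the address that passes `isPrivateIp` is not necessarily the one `axios.get(url)` connects to. `dns.lookup` resolves the name once for the check and the HTTP client resolves it again for the request, so the comment `// DNS resolution to prevent DNS rebinding` claims more than the code delivers. axios also follows redirects by default, so a `Location` header pointing at an internal address is never validated. Pin the connection to the validated address, for example with an `http.Agent`/`https.Agent` whose `lookup` option runs the `isPrivateIp` check, and refuse or re-validate redirects: `const resp = await axios.get(url, { maxRedirects: 0, timeout: 5000 });`. Separately, `res.status(500).send(e.message)` returns upstream error text to the caller, which can reveal whether internal hosts are reachable; a fixed message with server-side logging is safer.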
diff --git a/browser.js b/browser.js
new file mode 100644
index 0000000..87591e6
--- /dev/null
+++ b/browser.js
@@ -0,0 +1,4 @@
+function executeUserScript() {
+ var userScript = document.getElementById('userScript').value;
+ eval(userScript);
+}
\ No newline at end of file
From f4f9209ea5f04ca00455bb418528b8e4ed202eb3 Mon Sep 17 00:00:00 2001
From: msaleemzp
Date: Mon, 22 Jun 2026 14:51:15 -0400
Subject: [PATCH 5/5] add index
---
 index.php | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 index.php
diff --git a/index.php b/index.php
new file mode 100644
index 0000000..4b07485
--- /dev/null
+++ b/index.php
@@ -0,0 +1,5 @@
+" +$_GET["search"] + ""; + +?> \ No newline at end of file
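Review bot: `eval(userScript)` in `executeUserScript` (browser.js) runs whatever text is in the `userScript` field with the full privileges of the page's origin, and it requires any Content-Security-Policy to permit `'unsafe-eval'`. If that field can ever be populated from a URL parameter, stored data or another user's content, this becomes script injection. If running user-authored code is a real requirement, execute it in an isolated context such as an `<iframe sandbox="allow-scripts">` without `allow-same-origin`, or a Web Worker, and exchange results over `postMessage`; otherwise remove the function. If it has to stay for now, document the constraint in place, e.g. `// SECURITY: executes arbitrary script in the page origin; the field must never be filled from untrusted data`.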
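Review bot: `$_GET["search"]` in index.php is joined into what looks like an output string with no encoding. The surrounding markup and statement keyword appear to have been lost when this page was captured, so the exact sink is inferred. If the value is written into HTML, that is reflected cross-site scripting; encode it at the point of output, e.g. `htmlspecialchars($_GET["search"] ?? "", ENT_QUOTES, "UTF-8")`. Also, `+` is arithmetic addition in PHP, not concatenation, so `$_GET["search"] + ""` does not build a string, and on PHP 8 non-numeric operands raise a TypeError; use the `.` operator.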