Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview

Summary The REST datasource query preview endpoint POST /api/queries/preview makes server-side HTTP requests to any URL supplied by the user in fields.path with no validation. An authenticated admin can reach internal services that are not exposed to the internet — including cloud metadata...