file:// protocol in fetch - worth disabling by default?

[chefnaphtha]

bun's fetch supports the file:// protocol. this is a huge security risk as in most people's minds fetch is only for http(s), and node:fs/Bun.file() is for filesystem.

it's easy to overlook this. most people would just pass untrusted user input to fetch thinking the worst that can happen is a network call. security-minded people might implement ssrf protection + rate limiting and think they are safe, forgetting to check the protocol.

Bun.serve({
  port: 3000,
  async fetch(req) {
    const url = new URL(req.url)
    
    if (url.pathname === '/preview') {
      const targetUrl = url.searchParams.get('url')
      
      const parsed = new URL(targetUrl)
      // yes, i realize this isn't actual ssrf protection.
      const blocklist = ['127.0.0.1', 'localhost', '169.254.169.254', '10.', '192.168.']
      
      if (blocklist.some(blocked => parsed.hostname?.includes(blocked))) {
        return new Response('Blocked', { status: 403 })
      }
      
      const response = await fetch(targetUrl)
      return new Response(await response.text())
    }
    
    return new Response('Not found', { status: 404 });
  }
});

curl "http://localhost:3000/preview?url=file:///proc/self/environ"

i think it's worth disabling the file:// protocol by default, maybe enable via an env var or cli arg