Server-Side Request Forgery (SSRF)

  using Microsoft.AspNetCore.Mvc;
using MvcApp.Models;
using System.Diagnostics;
using System.Data.SqlClient;
using System.Net;

namespace MvcApp.Controllers
{
    public class DataController : Controller
    {

        public IActionResult Index()
        {
            return View();
        }

        [HttpPost]
        public IActionResult FetchData ([FromBody] WeatherData wdata)
        {
            Debug.WriteLine("FetchData function!");
            string latitude = wdata.latitude;
            string longitude = wdata.longitude;
            string weatherurl = wdata.weatherurl;

            string modweatherurl = wdata.weatherurl + "?latitude=" + latitude + "&longitude=" + longitude + "&current=temperature_2m";

            HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(modweatherurl);
            request.Method = "GET";
            String test = String.Empty;
            using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
            {
                Stream dataStream = response.GetResponseStream();
                StreamReader reader = new StreamReader(dataStream);
                test = reader.ReadToEnd();
                reader.Close();
                dataStream.Close();
            }
            return Content(test);
            
        }

        [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
        public IActionResult Error()
        {
            return View(new ErrorViewModel { RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier });
        }
    }

    public class WeatherData
    {
        public string latitude { get; set; }
        public string longitude { get; set; }
        public string weatherurl { get; set; }
    }

}