Anonymous Intelligence Signal

Security: SSRF via User-Controlled Storage Config in POST /spaces/{space_id}/test-connection

human | The Lab | unverified | 2026-03-29 06:26:54 | Source: GitHub Issues

A critical Server-Side Request Forgery (SSRF) vulnerability exists in the `test_connection_endpoint` handler of the application's backend. The endpoint accepts a `SpaceConnectionRequest` payload and passes the user-controlled `storage_config` dictionary straight to `ugoite_core.test_storage_connection()` without validating it. That dictionary can carry arbitrary backend-specific parameters, including custom endpoint URLs for S3, GCS, or Azure ADLS, and the underlying OpenDAL library builds its client from them and opens outbound HTTP connections to whatever endpoint they name.

This is a classic SSRF surface. An authenticated user can craft a `storage_config` whose endpoint points at an internal target, for example `http://169.254.169.254/latest/meta-data/`, and the server will connect to it on the user's behalf: the cloud metadata service, hosts on the internal network, or anything else reachable from the backend but not from the user. Whether metadata content (AWS or GCP instance credentials, for instance) actually reaches the attacker depends on what `test_storage_connection()` sends and what it returns or logs; IMDSv2 on AWS and the required `Metadata-Flavor` header on GCP block the simplest credential grabs. Even as a blind SSRF, though, the endpoint lets an authenticated user map internal hosts and ports from error messages and response timing. The vulnerable code is in `backend/src/app/api/endpoints/space.py`, lines 340 to 366.
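The check a fix needs to apply before `storage_config` reaches `test_storage_connection()` is shown below as an added example in Python (the backend's language). It is not the project's code. It validates every URL-valued key in the config, resolves the host, and rejects anything that points at loopback, link-local, private or otherwise non-global address space, optionally against an operator-managed allowlist of provider domains. The key names (`endpoint`, `endpoint_url`, `url`), the helper names, and the fake DNS table are assumptions made so the example runs offline.

```python
"""Added example: validate a user-supplied storage endpoint before it reaches an
OpenDAL-backed connection test. Not the project's code; key names, helper names
and the fake DNS table are assumptions made for this example."""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Keys a storage_config for S3/GCS/Azure might carry an endpoint URL in.
# Assumed for this example; the real keys depend on the backend and on OpenDAL.
URL_KEYS = ("endpoint", "endpoint_url", "url")


class EndpointRejected(ValueError):
    """Raised when a storage endpoint must not be contacted from the server."""


def live_resolver(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer for host (uses real DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal(addr: str) -> bool:
    """True for any address the server must not be made to connect to."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, link-local (cloud metadata services),
    # RFC 1918, CGNAT 100.64/10, unspecified, reserved and documentation ranges.
    return not ip.is_global


def validate_endpoint(url: str, *, resolver: Callable[[str], List[str]] = live_resolver,
                      allowed_suffixes: Optional[List[str]] = None) -> str:
    """Return url unchanged if it is safe to connect to, else raise EndpointRejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise EndpointRejected(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise EndpointRejected("credentials embedded in URL")
    host = parts.hostname
    if not host:
        raise EndpointRejected("missing host")
    # Strongest control: only provider domains the operator has approved.
    if allowed_suffixes is not None and not any(
            host == s or host.endswith("." + s) for s in allowed_suffixes):
        raise EndpointRejected(f"host {host!r} not in allowlist")
    try:
        # Literal IP (including bracketed IPv6): check it directly, no DNS.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        # Hostname, or a numeric form ipaddress rejects but the resolver may
        # still accept (decimal "2852039166" is 169.254.169.254): check every answer.
        try:
            addrs = resolver(host)
        except OSError as exc:  # socket.gaierror is an OSError
            raise EndpointRejected(f"cannot resolve {host!r}: {exc}") from None
    if not addrs:
        raise EndpointRejected(f"{host!r} has no addresses")
    for addr in addrs:
        if is_internal(addr):
            raise EndpointRejected(f"{host!r} resolves to internal address {addr}")
    return url


def sanitize_storage_config(config: Dict[str, object], **kwargs) -> Dict[str, object]:
    """Copy of storage_config with every URL-valued key validated."""
    clean = dict(config)
    for key in URL_KEYS:
        if key in clean:
            clean[key] = validate_endpoint(str(clean[key]), **kwargs)
    return clean


# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "s3.us-east-1.amazonaws.com": ["52.216.0.1"],
    "minio.internal": ["10.0.0.5"],
    "2852039166": ["169.254.169.254"],  # decimal IPv4 as glibc inet_aton parses it
    "rebind.attacker.example": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback
}


def fake_resolver(host: str) -> List[str]:
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"no such host: {host}") from None


def classify(config: Dict[str, object], **kwargs) -> str:
    """'allowed' or 'rejected: <reason>' for a storage_config (demonstration helper)."""
    try:
        sanitize_storage_config(config, resolver=fake_resolver, **kwargs)
        return "allowed"
    except EndpointRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for ep in ["https://s3.us-east-1.amazonaws.com", "http://169.254.169.254/latest/meta-data/",
               "https://[::ffff:169.254.169.254]/", "https://2852039166/",
               "https://rebind.attacker.example/", "https://minio.internal/"]:
        print(f"{ep:45} {classify({'bucket': 'docs', 'endpoint': ep})}")
```

Resolving the host before the connection is made is a necessary check, not a sufficient one: the address can change between validation and OpenDAL's own lookup (DNS rebinding), and an HTTP redirect from a permitted host can still land on an internal one. The `allowed_suffixes` allowlist closes both gaps for hosted providers; for self-hosted object stores such as MinIO, the operator should register the permitted endpoint once rather than accepting it from request bodies, and the backend's egress should be unable to reach the metadata address in any case (IMDSv2 with a hop limit of 1 on AWS, or a network policy).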

The exposure matters because self-hosted AI and knowledge-management platforms routinely let users point the application at their own cloud storage, and SSRF through such user-supplied endpoints has become a recurring vulnerability class in them. Here it gives any authenticated user a path from the application into the internal network and to cloud metadata that should be unreachable from outside, bypassing the network perimeter.