From c53d96ef6a2982850ccb04c192579d2e2833ac56 Mon Sep 17 00:00:00 2001
From: James Pepper
Date: Wed, 27 May 2026 18:56:57 +0100
Subject: [PATCH] Potential fix for code scanning alert no. 12: Server-side request forgery
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/lib/blockchain-api.ts | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/lib/blockchain-api.ts b/src/lib/blockchain-api.ts
index c9c15c5..f2fbd3a 100644
--- a/src/lib/blockchain-api.ts
+++ b/src/lib/blockchain-api.ts
@@ -51,19 +51,21 @@ export async function fetchJson(
 revalidate?: number,
 ): Promise {
 const origin = TRUSTED_ORIGINS[host];
-
- const hostPathPolicies = ALLOWED_PATHS[host];
- if (!hostPathPolicies || !hostPathPolicies.some((rx) => rx.test(pathname))) {
- throw new Error('Disallowed provider URL path.');
- }
-
 const url = new URL(pathname, origin);
+
 if (query) {
 for (const [key, value] of Object.entries(query)) {
 url.searchParams.set(key, value);
 }
 }
 
+ const hostPathPolicies = ALLOWED_PATHS[host];
+ const canonicalPathname = url.pathname;
+ const hasDotSegments = canonicalPathname.split('/').some((segment) => segment === '.' || segment === '..');
+ if (hasDotSegments || !hostPathPolicies || !hostPathPolicies.some((rx) => rx.test(canonicalPathname))) {
+ throw new Error('Disallowed provider URL path.');
+ }
+
 if (url.origin !== origin || url.protocol !== 'https:') {
 throw new Error('URL construction resulted in an unexpected origin.');
 }
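Review bot: The path policy is applied to `url.pathname` only, so a `pathname` argument that carries a `?` or `#` (for example `/allowed/path?foo=bar`) passes the regex check while its query part is silently kept and then merged with the `query` map by `url.searchParams.set`; whether that is exploitable depends on what the callers let through, but since the alert is about SSRF it is cheap to reject it. Add a guard directly after the `new URL(pathname, origin)` line and before the `if (query)` loop: `if (url.search !== '' || url.hash !== '') { throw new Error('Disallowed provider URL path.'); }`. The new `hasDotSegments` test on the canonical pathname appears redundant because WHATWG URL resolution in `new URL(pathname, origin)` already collapses `.`/`..` segments (including their `%2e` forms), so it is harmless but will not trigger; a short comment such as `// defence in depth: the URL parser already resolves dot segments` would stop a future reader from relying on it as the primary control. The `fetchJson` signature starts before the hunk and its body continues after it, so this review assumes `pathname` reaches this function unvalidated from the call site.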