From 837f6cafcab500c43143bbf09d2317c25face6fc Mon Sep 17 00:00:00 2001
From: James Pepper
Date: Wed, 27 May 2026 19:36:49 +0100
Subject: [PATCH] Potential fix for code scanning alert no. 12: Server-side request forgery

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/lib/blockchain-api.ts | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/lib/blockchain-api.ts b/src/lib/blockchain-api.ts
index 1508f9d..2588741 100644
--- a/src/lib/blockchain-api.ts
+++ b/src/lib/blockchain-api.ts
@@ -72,7 +72,20 @@ function sanitizeProviderPathname(pathname: string): string {
 throw new Error('Disallowed provider URL path.');
 }
 
- return trimmed;
+ const parts = trimmed.split('/');
+ const safeSegments: string[] = [];
+ for (let i = 1; i < parts.length; i++) {
+ const segment = parts[i];
+ if (!segment || segment === '.' || segment === '..') {
+ throw new Error('Disallowed provider URL path.');
+ }
+ if (!/^[a-zA-Z0-9\-._~]+$/.test(segment)) {
+ throw new Error('Disallowed provider URL path.');
+ }
+ safeSegments.push(segment);
+ }
+
+ return '/' + safeSegments.join('/');
 }
 
 export async function fetchJson(
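Review bot: The loop `for (let i = 1; i < parts.length; i++)` silently discards `parts[0]` on the assumption that `trimmed` starts with `/`; if the checks above this hunk (the function's start is outside it) do not guarantee a leading slash, the first segment is dropped instead of validated, and because `!segment` rejects empty segments a value of exactly `/` or any path with a trailing slash now throws — confirm that is the intended contract. The two rejections could be folded into one condition with the regex hoisted out of the loop, e.g. `const SAFE_SEGMENT = /^[a-zA-Z0-9\-._~]+$/;` at module level and `if (!segment || segment === '.' || segment === '..' || !SAFE_SEGMENT.test(segment)) throw new Error('Disallowed provider URL path.');` in the loop. A comment stating why the character set is this narrow would help the next maintainer, e.g. `// Only RFC 3986 unreserved characters per segment; '.', '..', empty segments and anything needing percent-encoding are rejected.` Note that constraining the path alone does not address SSRF when the scheme or host is caller-controlled; presumably that is enforced elsewhere in the file.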