From 8aea07687835b16a2708125d2acf2276d2b4293b Mon Sep 17 00:00:00 2001
From: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>
Date: Sat, 5 Jul 2025 11:24:04 +0700
Subject: [PATCH] Potential fix for code scanning alert no. 25: Server-side request forgery

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>
---
 .../api/acceleration/acceleration.routes.ts | 30 +++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/backend/src/api/acceleration/acceleration.routes.ts b/backend/src/api/acceleration/acceleration.routes.ts
index 082d533307..b07032b5a1 100644
--- a/backend/src/api/acceleration/acceleration.routes.ts
+++ b/backend/src/api/acceleration/acceleration.routes.ts
@@ -39,7 +39,20 @@ class AccelerationRoutes {
 }
 private async $getAcceleratorAccelerationsHistoryAggregated(req: Request, res: Response): Promise {
- const url = `${config.MEMPOOL_SERVICES.API}/${req.originalUrl.replace('/api/v1/services/', '')}`;
+ const allowedPaths = {
+ 'accelerations': 'accelerations',
+ 'accelerations/history': 'accelerations/history',
+ 'accelerations/stats': 'accelerations/stats',
+ 'estimate': 'estimate',
+ };
+ const userPath = req.originalUrl.replace('/api/v1/services/', '');
+ const safePath = allowedPaths[userPath];
+ if (!safePath) {
+ logger.err(`Invalid path requested: ${userPath}`, this.tag);
+ res.status(400).send({ error: 'Invalid path' });
+ return;
+ }
+ const url = `${config.MEMPOOL_SERVICES.API}/${safePath}`;
 try {
 const response = await axios.get(url, { responseType: 'stream', timeout: 10000 });
 for (const key in response.headers) {
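Review bot: `allowedPaths[userPath]` looks up a user-controlled key on a plain object literal, so inherited `Object.prototype` members such as `constructor`, `toString` or `hasOwnProperty` are found and are truthy; `safePath` then holds a function, the 400 branch is skipped, and the upstream request is built from that function's string form (the same lookup appears in the `$getAcceleratorEstimate` hunk below). Under `noImplicitAny` a `string`-indexed access on this literal type also does not type-check (TS7053), so whether this compiles depends on the project's tsconfig, which is not visible here. A `Set` with `.has()` avoids both problems and drops the redundant key-to-value mapping, as below; note too that everything after the stripped prefix in `req.originalUrl`, including any query string, must now match an entry exactly, so callers that pass query parameters would start receiving 400. The handler's name suggests a route ending in `history/aggregated`, which is not in the list — confirm against the route registrations, which are outside this hunk, that the stripped suffix can actually match. The function body continues past the end of the hunk.
```typescript
const allowedPaths = new Set([
  'accelerations',
  'accelerations/history',
  'accelerations/stats',
  'estimate',
]);
const userPath = req.originalUrl.replace('/api/v1/services/', '');
if (!allowedPaths.has(userPath)) {
  // … unchanged: logger.err, res.status(400).send, return …
}
const url = `${config.MEMPOOL_SERVICES.API}/${userPath}`;
```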
@@ -67,7 +80,20 @@ class AccelerationRoutes {
 }
 private async $getAcceleratorEstimate(req: Request, res: Response): Promise {
- const url = `${config.MEMPOOL_SERVICES.API}/${req.originalUrl.replace('/api/v1/services/', '')}`;
+ const allowedPaths = {
+ 'accelerations': 'accelerations',
+ 'accelerations/history': 'accelerations/history',
+ 'accelerations/stats': 'accelerations/stats',
+ 'estimate': 'estimate',
+ };
+ const userPath = req.originalUrl.replace('/api/v1/services/', '');
+ const safePath = allowedPaths[userPath];
+ if (!safePath) {
+ logger.err(`Invalid path requested: ${userPath}`, this.tag);
+ res.status(400).send({ error: 'Invalid path' });
+ return;
+ }
+ const url = `${config.MEMPOOL_SERVICES.API}/${safePath}`;
 try {
 const response = await axios.post(url, req.body, { responseType: 'stream', timeout: 10000 });
 for (const key in response.headers) {
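Review bot: This POST handler accepts the same four-entry allowlist as the GET handler, so `accelerations`, `accelerations/history` and `accelerations/stats` are forwarded from here as well even though nothing in the hunk suggests this handler serves them, and the list is duplicated verbatim across both hunks. Since each handler is bound to a single route, the tighter fix is to stop deriving the upstream path from `req.originalUrl` and use one fixed suffix per handler, e.g. `const url = \`${config.MEMPOOL_SERVICES.API}/estimate\`;` if `estimate` is what the upstream expects — the route registration that would confirm this is outside the hunk. If a lookup is kept, hoist it into a single module-level `const` so the two copies cannot drift. The function body continues past the end of the hunk.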