From 9525ed4d8dd32d307981cc76c0d88e4d084aa35c Mon Sep 17 00:00:00 2001
From: Johnathan Falk
Date: Thu, 30 Oct 2025 12:05:12 -0400
Subject: [PATCH] Potential fix for code scanning alert no. 2: Server-side request forgery

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 pages/api/diagnoses/[diagnosisId]/[viewId].js | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/pages/api/diagnoses/[diagnosisId]/[viewId].js b/pages/api/diagnoses/[diagnosisId]/[viewId].js
index a17d785..fe57640 100644
--- a/pages/api/diagnoses/[diagnosisId]/[viewId].js
+++ b/pages/api/diagnoses/[diagnosisId]/[viewId].js
@@ -56,8 +56,12 @@ export default async function handler(req, res) {
   const {diagnosisId, viewId} = req.query;
   const {textFormat = "md"} = req.query;
+  // Validate diagnosisId and viewId to be safe path segments
+  const safeIdRegex = /^[a-zA-Z0-9_-]+$/;
   if (!diagnosisId || !viewId)
     return res.status(400).json({error: "Diagnosis ID and viewId are required"});
+  if (!safeIdRegex.test(diagnosisId) || !safeIdRegex.test(viewId))
+    return res.status(400).json({error: "Invalid diagnosisId or viewId"});
   const cacheKey = `diagnosis:${diagnosisId}:${viewId}:${textFormat}`;
   const apiUrl = `${config.API_BASE_URL}/libraries/${config.AUDIENCE}/diagnoses/${diagnosisId}`;
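Review bot: The new allowlist on `safeIdRegex` is the right shape for path segments, but it has no length bound, so an attacker can still push arbitrarily long identifiers into `cacheKey` and the upstream `apiUrl` on the lines that follow; bounding it, e.g. `const safeIdRegex = /^[a-zA-Z0-9_-]{1,64}$/;` (with the cap set to whatever the real ID length is), costs nothing and keeps cache keys and outbound requests predictable. `textFormat` is read from the same `req.query` two lines earlier and flows unvalidated into `cacheKey` with no check at all; if it also reaches the upstream request or a file path later in the handler (not visible here), it should be restricted to the formats the handler actually supports, e.g. `if (!["md", "html"].includes(textFormat)) return res.status(400).json({error: "Invalid textFormat"});` adjusted to the real set. Note that in Next.js a `req.query` value may be an array, which `RegExp.test` coerces to a comma-joined string; a single-element array passes the regex and is then interpolated, so a `typeof x === "string"` check alongside the regex would make the intent explicit. The `handler` function begins before this hunk and continues after it.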