From 00aa822d5a32af1ba66c7a3d9af10eb6c5d26433 Mon Sep 17 00:00:00 2001
From: Ahmed Haitham
Date: Sun, 1 Jun 2025 05:54:47 +0300
Subject: [PATCH] Potential fix for code scanning alert no. 1: Server-side request forgery
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .../el7a2ny-frontend/src/components/CheckoutForm.js | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/Frontend/el7a2ny-frontend/src/components/CheckoutForm.js b/Frontend/el7a2ny-frontend/src/components/CheckoutForm.js
index 09ee4e15..ef8a21ec 100644
--- a/Frontend/el7a2ny-frontend/src/components/CheckoutForm.js
+++ b/Frontend/el7a2ny-frontend/src/components/CheckoutForm.js
@@ -12,7 +12,9 @@ export default function CheckoutForm({ appointmentId, patientUsername, packageNa
   const [message, setMessage] = useState(null);
   const [isLoading, setIsLoading] = useState(false);
 
-  const route = appointmentId ? `appointments/${appointmentId}` : `health-packages/${packageName}`;
+  const validAppointmentId = /^[a-zA-Z0-9_-]+$/.test(appointmentId) ? appointmentId : null;
+  const validPackageName = /^[a-zA-Z0-9_-]+$/.test(packageName) ? packageName : null;
+  const route = validAppointmentId ? `appointments/${validAppointmentId}` : validPackageName ? `health-packages/${validPackageName}` : null;
 
   useEffect(() => {
     if (!stripe) return;
@@ -46,6 +48,9 @@ export default function CheckoutForm({ appointmentId, patientUsername, packageNa
     setIsLoading(true);
 
     try {
+      if (!/^[a-zA-Z0-9_-]+$/.test(patientUsername) || !route) {
+        throw new Error("Invalid input detected.");
+      }
       await axios.post(`${BACKEND_ROUTE}/patients/${patientUsername}/payment/${route}`, {
         paymentMethod: "Wallet",
       });
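Review bot: The allowlist regex on `appointmentId` and `packageName` runs in the browser, so it cannot close a server-side request forgery finding; anything this component sends can be altered by the user, and the check that actually matters is the one the backend performs on the `/patients/:username/payment/...` route it exposes. Keeping the client check is fine as input hygiene, but the same literal is repeated on both added lines and twice more in the handlers below, so hoist it once, `const SAFE_PATH_SEGMENT = /^[a-zA-Z0-9_-]+$/;`, and reuse it. Note that `/^...$/.test(undefined)` returns true because the argument is coerced to the string "undefined"; that is harmless here only because the ternary then yields the original `undefined`, which is falsy, so an explicit `typeof appointmentId === "string" &&` guard (or a comment) would make the intent clear. When both props fail the check `route` becomes `null` and the form still renders; the component continues outside the hunk, so confirm that submission is disabled or a message shown in that state rather than relying on the throw at submit time.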
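Review bot: The `patientUsername` check added inside the wallet `try` is duplicated verbatim in the card handler in the next hunk and repeats the regex used to compute `route`; compute it once at render next to `route`, e.g. `const validPatientUsername = /^[a-zA-Z0-9_-]+$/.test(patientUsername) ? patientUsername : null;`, and have both handlers test `if (!validPatientUsername || !route)`. The guard runs after `setIsLoading(true)`, so the thrown Error depends on the catch that follows (outside the hunk) to reset the loading state and surface a message, and "Invalid input detected." is then the only feedback the user gets. The surrounding submit handler begins and ends outside this hunk.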
@@ -78,6 +83,9 @@ export default function CheckoutForm({ appointmentId, patientUsername, packageNa
       }
       if (paymentIntent && paymentIntent.status === "succeeded") {
         try {
+          if (!/^[a-zA-Z0-9_-]+$/.test(patientUsername) || !route) {
+            throw new Error("Invalid input detected.");
+          }
           await axios.post(`${BACKEND_ROUTE}/patients/${patientUsername}/payment/${route}`, {
             paymentMethod: "Card",
           });
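Review bot: The guard sits inside the `paymentIntent.status === "succeeded"` branch, so an invalid `patientUsername` or a null `route` is only detected after Stripe has already captured the card payment, leaving the customer charged with no backend record of the appointment or package. Move the validation to the top of the submit handler, before the call that produces `paymentIntent` (presumably a `stripe.confirmPayment`, which is outside this hunk), and ideally keep the submit button disabled while `route` is null. Once that is done the check in this branch becomes unreachable and can be dropped, or reduced to a defensive `if (!route) throw new Error("Invalid input detected.");` that should never fire. The enclosing handler starts outside the hunk.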