From 060cb31b5ca2f07bf775904313940d0c508fb947 Mon Sep 17 00:00:00 2001
From: "Cindy(Fox)Alex"
Date: Thu, 21 May 2026 13:57:43 +0100
Subject: [PATCH] Potential fix for code scanning alert no. 44: Server-side request forgery

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 NESTdesktop/local-agent.js | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/NESTdesktop/local-agent.js b/NESTdesktop/local-agent.js
index 19f2b52..ca3d6e6 100644
--- a/NESTdesktop/local-agent.js
+++ b/NESTdesktop/local-agent.js
@@ -440,8 +440,11 @@ dashboard.all('/api/{*path}', async (req, res) => {
 dashboard.all('/v1/{*path}', async (req, res) => {
   const openclawUrl = 'http://127.0.0.1:18789';
   try {
-    const target = `${openclawUrl}${req.originalUrl}`;
-    const resp = await fetch(target, {
+    const rawPath = String(req.params.path || '').replace(/^\/+/, '');
+    const targetUrl = new URL(openclawUrl);
+    targetUrl.pathname = `/${rawPath}`;
+    targetUrl.search = req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : '';
+    const resp = await fetch(targetUrl.toString(), {
       method: req.method,
       headers: { 'Content-Type': 'application/json' },
       body: ['GET', 'HEAD'].includes(req.method) ? undefined : JSON.stringify(req.body),
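Review bot: The rewritten target drops the `/v1` prefix that the removed `req.originalUrl` concatenation used to forward, so the upstream now receives `/foo` where it previously received `/v1/foo`; unless the service on 127.0.0.1:18789 is known to expect the prefix stripped, this is a functional regression rather than part of the SSRF fix. The wildcard `{*path}` param is also, on Express 5 with path-to-regexp 8, presumably an array of segments, in which case `String(req.params.path)` joins them with commas and corrupts multi-segment paths — confirm against the Express version in use. Both problems go away by taking the path Express already parsed: replace the `rawPath` and `targetUrl.pathname` lines with `targetUrl.pathname = req.path;` — the origin pin is preserved because the URL `pathname` and `search` setters can never alter host or port, which is the property that actually closes the alert. The `/api/{*path}` handler named in the hunk header likely has the same shape and should get the same treatment; the `/v1` handler's body continues past the end of the hunk.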