From f9537b817459e2d3107b1494375f73ba0adc1fe0 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Wed, 29 Apr 2026 06:25:50 +0000 Subject: [PATCH] fix(security): prevent NaN and negative pagination values in API routes Updated multiple API endpoints (payment links and transactions) to properly parse and validate limit and offset values from query parameters using isNaN() checks and enforcing safe defaults and bounds to prevent NaN values from reaching the database. Co-authored-by: Shreyassp002 <96625037+Shreyassp002@users.noreply.github.com> --- src/app/api/transactions/history/route.ts | 3 ++- src/app/api/transactions/route.ts | 3 ++- src/app/api/v1/payment-links/route.ts | 6 ++++-- src/app/api/v1/transactions/route.ts | 6 ++++-- 4 files changed, 12 insertions(+), 6 deletions(-) diff --git a/src/app/api/transactions/history/route.ts b/src/app/api/transactions/history/route.ts index 62875f3..3c9ca52 100644 --- a/src/app/api/transactions/history/route.ts +++ b/src/app/api/transactions/history/route.ts @@ -20,7 +20,8 @@ export async function GET(req: NextRequest) { const supabase = createServerClient() const { searchParams } = new URL(req.url) - const limit = Math.min(parseInt(searchParams.get('limit') || '50'), 100) + const rawLimit = parseInt(searchParams.get('limit') || '50') + const limit = isNaN(rawLimit) || rawLimit < 1 ? 50 : Math.min(rawLimit, 100) // 1. Fetch Sent Transactions (where customer_wallet = walletAddress) const { data: sentTransactions, error: sentError } = await supabase diff --git a/src/app/api/transactions/route.ts b/src/app/api/transactions/route.ts index b619eb7..5a054e1 100644 --- a/src/app/api/transactions/route.ts +++ b/src/app/api/transactions/route.ts @@ -19,7 +19,8 @@ export async function GET(req: NextRequest) { const supabase = createServerClient() const { searchParams } = new URL(req.url) const paymentLinkId = searchParams.get('payment_link_id') - const limit = Math.min(parseInt(searchParams.get('limit') || '50'), 100) + const rawLimit = parseInt(searchParams.get('limit') || '50') + const limit = isNaN(rawLimit) || rawLimit < 1 ? 50 : Math.min(rawLimit, 100) // eslint-disable-next-line @typescript-eslint/no-explicit-any let query = (supabase.from('transactions') as any) diff --git a/src/app/api/v1/payment-links/route.ts b/src/app/api/v1/payment-links/route.ts index 03280f8..cf5b5d6 100644 --- a/src/app/api/v1/payment-links/route.ts +++ b/src/app/api/v1/payment-links/route.ts @@ -183,8 +183,10 @@ export async function GET(req: NextRequest) { } const { searchParams } = new URL(req.url) - const limit = Math.min(parseInt(searchParams.get('limit') || '10'), 100) - const offset = parseInt(searchParams.get('offset') || '0') + const rawLimit = parseInt(searchParams.get('limit') || '10') + const limit = isNaN(rawLimit) || rawLimit < 1 ? 10 : Math.min(rawLimit, 100) + const rawOffset = parseInt(searchParams.get('offset') || '0') + const offset = isNaN(rawOffset) || rawOffset < 0 ? 0 : rawOffset // eslint-disable-next-line @typescript-eslint/no-explicit-any const supabase = createServerClient() as any diff --git a/src/app/api/v1/transactions/route.ts b/src/app/api/v1/transactions/route.ts index 9beab7e..855aa59 100644 --- a/src/app/api/v1/transactions/route.ts +++ b/src/app/api/v1/transactions/route.ts @@ -10,8 +10,10 @@ export async function GET(req: NextRequest) { } const { searchParams } = new URL(req.url) - const limit = Math.min(parseInt(searchParams.get('limit') || '10'), 100) - const offset = parseInt(searchParams.get('offset') || '0') + const rawLimit = parseInt(searchParams.get('limit') || '10') + const limit = isNaN(rawLimit) || rawLimit < 1 ? 10 : Math.min(rawLimit, 100) + const rawOffset = parseInt(searchParams.get('offset') || '0') + const offset = isNaN(rawOffset) || rawOffset < 0 ? 0 : rawOffset const status = searchParams.get('status') const paymentLinkId = searchParams.get('payment_link_id')