From 7790820d911bbe8a1032fb6ab2f2819ae177644b Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Sun, 3 May 2026 06:13:58 +0000
Subject: [PATCH] fix(security): sanitize pagination parameters to prevent DB errors
Sanitize `limit` and `offset` in paginated API endpoints using `parseInt` with base 10 and fallback values. This prevents Supabase errors when these parameters evaluate to `NaN` or negative numbers.
Addressed endpoints:
- `src/app/api/transactions/history/route.ts`
- `src/app/api/transactions/route.ts`
- `src/app/api/v1/payment-links/route.ts`
- `src/app/api/v1/transactions/route.ts`
Co-authored-by: Shreyassp002 <96625037+Shreyassp002@users.noreply.github.com>
---
 src/app/api/transactions/history/route.ts | 4 +++-
 src/app/api/transactions/route.ts | 4 +++-
 src/app/api/v1/payment-links/route.ts | 8 ++++++--
 src/app/api/v1/transactions/route.ts | 9 +++++++--
 4 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/src/app/api/transactions/history/route.ts b/src/app/api/transactions/history/route.ts
index 62875f3..01ca03a 100644
--- a/src/app/api/transactions/history/route.ts
+++ b/src/app/api/transactions/history/route.ts
@@ -20,7 +20,9 @@ export async function GET(req: NextRequest) {
 const supabase = createServerClient()
 const { searchParams } = new URL(req.url)
- const limit = Math.min(parseInt(searchParams.get('limit') || '50'), 100)
+ let parsedLimit = parseInt(searchParams.get('limit') || '50', 10)
+ if (isNaN(parsedLimit) || parsedLimit < 1) parsedLimit = 50
+ const limit = Math.min(parsedLimit, 100)
 // 1. Fetch Sent Transactions (where customer_wallet = walletAddress)
 const { data: sentTransactions, error: sentError } = await supabase
diff --git a/src/app/api/transactions/route.ts b/src/app/api/transactions/route.ts
index b619eb7..d1cbcc9 100644
--- a/src/app/api/transactions/route.ts
+++ b/src/app/api/transactions/route.ts
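Review bot: The three-line `limit` guard added here is repeated verbatim in `src/app/api/transactions/route.ts`, `src/app/api/v1/payment-links/route.ts` and `src/app/api/v1/transactions/route.ts`, differing only in the default, so the pagination bounds now live in four places; a shared helper such as `parseBoundedInt(raw: string | null, fallback: number, min: number): number` in a common module, called as `const limit = Math.min(parseBoundedInt(searchParams.get('limit'), 50, 1), 100)`, would keep them in one. Within the guard itself, prefer `Number.isNaN(parsedLimit)` to the global `isNaN`: the result is identical here because `parseInt` already yields a number, but the non-coercing form stays correct if the expression is later changed. The fallback also silently serves the default page size for any malformed value rather than rejecting it; whether a 400 is preferable is a product decision worth recording in a short comment on the guard. GET's body continues outside the hunk.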
@@ -19,7 +19,9 @@ export async function GET(req: NextRequest) {
 const supabase = createServerClient()
 const { searchParams } = new URL(req.url)
 const paymentLinkId = searchParams.get('payment_link_id')
- const limit = Math.min(parseInt(searchParams.get('limit') || '50'), 100)
+ let parsedLimit = parseInt(searchParams.get('limit') || '50', 10)
+ if (isNaN(parsedLimit) || parsedLimit < 1) parsedLimit = 50
+ const limit = Math.min(parsedLimit, 100)
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 let query = (supabase.from('transactions') as any)
diff --git a/src/app/api/v1/payment-links/route.ts b/src/app/api/v1/payment-links/route.ts
index 03280f8..81027a9 100644
--- a/src/app/api/v1/payment-links/route.ts
+++ b/src/app/api/v1/payment-links/route.ts
@@ -183,8 +183,12 @@ export async function GET(req: NextRequest) {
 }
 const { searchParams } = new URL(req.url)
- const limit = Math.min(parseInt(searchParams.get('limit') || '10'), 100)
- const offset = parseInt(searchParams.get('offset') || '0')
+ let parsedLimit = parseInt(searchParams.get('limit') || '10', 10)
+ if (isNaN(parsedLimit) || parsedLimit < 1) parsedLimit = 10
+ const limit = Math.min(parsedLimit, 100)
+
+ let offset = parseInt(searchParams.get('offset') || '0', 10)
+ if (isNaN(offset) || offset < 0) offset = 0
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 const supabase = createServerClient() as any
diff --git a/src/app/api/v1/transactions/route.ts b/src/app/api/v1/transactions/route.ts
index 9beab7e..00e20c3 100644
--- a/src/app/api/v1/transactions/route.ts
+++ b/src/app/api/v1/transactions/route.ts
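Review bot: `offset` is still unbounded above after the new guard in the payment-links hunk: `parseInt` returns whatever magnitude a digit string encodes, including `Infinity` once the digits overflow a double, and neither `isNaN(offset)` nor `offset < 0` rejects `Infinity` or a value past `Number.MAX_SAFE_INTEGER`, so a request can still hand the Supabase query an offset it cannot represent exactly. `if (!Number.isSafeInteger(offset) || offset < 0) offset = 0` covers NaN, ±Infinity and unsafe magnitudes in one test; the same change applies to the identical guard in `src/app/api/v1/transactions/route.ts`. The query that consumes `offset` is outside the visible lines, so how it reacts to such a value (a range error from PostgREST versus an empty page) is inferred rather than seen. Unlike `limit`, which `Math.min(..., 100)` caps regardless of input, nothing caps `offset`, so this is the one pagination input still forwarded unbounded. GET's body starts and ends outside the hunk.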
@@ -10,8 +10,13 @@ export async function GET(req: NextRequest) {
 }
 const { searchParams } = new URL(req.url)
- const limit = Math.min(parseInt(searchParams.get('limit') || '10'), 100)
- const offset = parseInt(searchParams.get('offset') || '0')
+ let parsedLimit = parseInt(searchParams.get('limit') || '10', 10)
+ if (isNaN(parsedLimit) || parsedLimit < 1) parsedLimit = 10
+ const limit = Math.min(parsedLimit, 100)
+
+ let offset = parseInt(searchParams.get('offset') || '0', 10)
+ if (isNaN(offset) || offset < 0) offset = 0
+
 const status = searchParams.get('status')
 const paymentLinkId = searchParams.get('payment_link_id')