From 46fd3f065d83a653427e9c7c80cf22bcc27964e7 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 6 May 2026 06:15:05 +0000
Subject: [PATCH] fix(security): apply valid range limits to api pagination input

Co-authored-by: Shreyassp002 <96625037+Shreyassp002@users.noreply.github.com>
---
 src/app/api/v1/payment-links/route.ts | 6 ++++--
 src/app/api/v1/transactions/route.ts | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/app/api/v1/payment-links/route.ts b/src/app/api/v1/payment-links/route.ts
index 03280f8..56ff9b8 100644
--- a/src/app/api/v1/payment-links/route.ts
+++ b/src/app/api/v1/payment-links/route.ts
@@ -183,8 +183,10 @@ export async function GET(req: NextRequest) {
   }
 
   const { searchParams } = new URL(req.url)
-  const limit = Math.min(parseInt(searchParams.get('limit') || '10'), 100)
-  const offset = parseInt(searchParams.get('offset') || '0')
+  const parsedLimit = parseInt(searchParams.get('limit') || '10')
+  const limit = isNaN(parsedLimit) || parsedLimit <= 0 ? 10 : Math.min(parsedLimit, 100)
+  const parsedOffset = parseInt(searchParams.get('offset') || '0')
+  const offset = isNaN(parsedOffset) || parsedOffset < 0 ? 0 : parsedOffset
 
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   const supabase = createServerClient() as any
diff --git a/src/app/api/v1/transactions/route.ts b/src/app/api/v1/transactions/route.ts
index 9beab7e..23ba7a9 100644
--- a/src/app/api/v1/transactions/route.ts
+++ b/src/app/api/v1/transactions/route.ts
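Review bot: The new offset guard `const offset = isNaN(parsedOffset) || parsedOffset < 0 ? 0 : parsedOffset` has no upper bound, so a sufficiently long digit string makes `parseInt` return an unsafe integer or `Infinity`, which passes the `< 0` test unchanged while `limit` is capped at 100; the transactions hunk below has the identical issue. How `offset` is consumed is outside the hunk, but an unbounded or non-finite value reaching the query layer is exactly the class of input this fix is meant to exclude, so I would tighten it to `const parsedOffset = parseInt(searchParams.get('offset') || '0', 10)` and `const offset = Number.isSafeInteger(parsedOffset) && parsedOffset >= 0 ? parsedOffset : 0`, and give the `limit` parse the same explicit `10` radix so `0x`-prefixed input is not read as hexadecimal. Since these four lines are now duplicated verbatim in both routes, a small shared helper such as `parsePagination(searchParams)` returning `{ limit, offset }` would keep the bounds from drifting apart in future routes. `GET` continues outside the hunk in both files.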
@@ -10,8 +10,10 @@ export async function GET(req: NextRequest) {
   }
 
   const { searchParams } = new URL(req.url)
-  const limit = Math.min(parseInt(searchParams.get('limit') || '10'), 100)
-  const offset = parseInt(searchParams.get('offset') || '0')
+  const parsedLimit = parseInt(searchParams.get('limit') || '10')
+  const limit = isNaN(parsedLimit) || parsedLimit <= 0 ? 10 : Math.min(parsedLimit, 100)
+  const parsedOffset = parseInt(searchParams.get('offset') || '0')
+  const offset = isNaN(parsedOffset) || parsedOffset < 0 ? 0 : parsedOffset
 
   const status = searchParams.get('status')
   const paymentLinkId = searchParams.get('payment_link_id')