From 7c625e4cee224407458bff53ebbd74d2098b4a01 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Fri, 1 May 2026 06:08:22 +0000 Subject: [PATCH] fix: validate and bound pagination limit and offset in API routes Added `isNaN` and negative value checks to `limit` and `offset` parsing across API routes (`v1/payment-links`, `v1/transactions`, `transactions`, `transactions/history`) to prevent `NaN` or invalid values from being passed to Supabase `.range()` queries, avoiding database errors and improving API reliability. Co-authored-by: Shreyassp002 <96625037+Shreyassp002@users.noreply.github.com> --- src/app/api/transactions/history/route.ts | 5 ++++- src/app/api/transactions/route.ts | 5 ++++- src/app/api/v1/payment-links/route.ts | 9 +++++++-- src/app/api/v1/transactions/route.ts | 10 ++++++++-- 4 files changed, 23 insertions(+), 6 deletions(-) diff --git a/src/app/api/transactions/history/route.ts b/src/app/api/transactions/history/route.ts index 62875f3..b9cecab 100644 --- a/src/app/api/transactions/history/route.ts +++ b/src/app/api/transactions/history/route.ts @@ -20,7 +20,10 @@ export async function GET(req: NextRequest) { const supabase = createServerClient() const { searchParams } = new URL(req.url) - const limit = Math.min(parseInt(searchParams.get('limit') || '50'), 100) + + let limit = parseInt(searchParams.get('limit') || '50') + if (isNaN(limit) || limit < 1) limit = 50 + limit = Math.min(limit, 100) // 1. Fetch Sent Transactions (where customer_wallet = walletAddress) const { data: sentTransactions, error: sentError } = await supabase diff --git a/src/app/api/transactions/route.ts b/src/app/api/transactions/route.ts index b619eb7..2afd681 100644 --- a/src/app/api/transactions/route.ts +++ b/src/app/api/transactions/route.ts @@ -19,7 +19,10 @@ export async function GET(req: NextRequest) { const supabase = createServerClient() const { searchParams } = new URL(req.url) const paymentLinkId = searchParams.get('payment_link_id') - const limit = Math.min(parseInt(searchParams.get('limit') || '50'), 100) + + let limit = parseInt(searchParams.get('limit') || '50') + if (isNaN(limit) || limit < 1) limit = 50 + limit = Math.min(limit, 100) // eslint-disable-next-line @typescript-eslint/no-explicit-any let query = (supabase.from('transactions') as any) diff --git a/src/app/api/v1/payment-links/route.ts b/src/app/api/v1/payment-links/route.ts index 03280f8..52ae6de 100644 --- a/src/app/api/v1/payment-links/route.ts +++ b/src/app/api/v1/payment-links/route.ts @@ -183,8 +183,13 @@ export async function GET(req: NextRequest) { } const { searchParams } = new URL(req.url) - const limit = Math.min(parseInt(searchParams.get('limit') || '10'), 100) - const offset = parseInt(searchParams.get('offset') || '0') + + let limit = parseInt(searchParams.get('limit') || '10') + if (isNaN(limit) || limit < 1) limit = 10 + limit = Math.min(limit, 100) + + let offset = parseInt(searchParams.get('offset') || '0') + if (isNaN(offset) || offset < 0) offset = 0 // eslint-disable-next-line @typescript-eslint/no-explicit-any const supabase = createServerClient() as any diff --git a/src/app/api/v1/transactions/route.ts b/src/app/api/v1/transactions/route.ts index 9beab7e..afbd7b0 100644 --- a/src/app/api/v1/transactions/route.ts +++ b/src/app/api/v1/transactions/route.ts @@ -10,8 +10,14 @@ export async function GET(req: NextRequest) { } const { searchParams } = new URL(req.url) - const limit = Math.min(parseInt(searchParams.get('limit') || '10'), 100) - const offset = parseInt(searchParams.get('offset') || '0') + + let limit = parseInt(searchParams.get('limit') || '10') + if (isNaN(limit) || limit < 1) limit = 10 + limit = Math.min(limit, 100) + + let offset = parseInt(searchParams.get('offset') || '0') + if (isNaN(offset) || offset < 0) offset = 0 + const status = searchParams.get('status') const paymentLinkId = searchParams.get('payment_link_id')