From 6d55c2689d92079aee510cab29e76815e3dedb94 Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Thu, 7 May 2026 06:11:27 +0000 Subject: [PATCH] fix(security): sanitize api pagination parameters Category: Security Priority: P1 What: Added explicit `isNaN` validation and lower bound checks for `limit` and `offset` query parameters across transaction and payment link API endpoints (`/api/v1/payment-links`, `/api/v1/transactions`, `/api/transactions`, `/api/transactions/history`). Why: Passing unvalidated `NaN` or negative values to Supabase `.range()` or `.limit()` caused unhandled errors, crashing the route and creating DoS vulnerability vectors. Impact: Improved API resilience by safely falling back to defaults (limit 10/50, offset 0) and preventing database crashes from malformed inputs. Verification: Evaluated `npm run lint` and `npm run build` which passed successfully. Co-authored-by: Shreyassp002 <96625037+Shreyassp002@users.noreply.github.com> --- src/app/api/transactions/history/route.ts | 3 ++- src/app/api/transactions/route.ts | 3 ++- src/app/api/v1/payment-links/route.ts | 6 ++++-- src/app/api/v1/transactions/route.ts | 6 ++++-- 4 files changed, 12 insertions(+), 6 deletions(-) diff --git a/src/app/api/transactions/history/route.ts b/src/app/api/transactions/history/route.ts index 62875f3..719dffb 100644 --- a/src/app/api/transactions/history/route.ts +++ b/src/app/api/transactions/history/route.ts @@ -20,7 +20,8 @@ export async function GET(req: NextRequest) { const supabase = createServerClient() const { searchParams } = new URL(req.url) - const limit = Math.min(parseInt(searchParams.get('limit') || '50'), 100) + const parsedLimit = parseInt(searchParams.get('limit') || '50') + const limit = isNaN(parsedLimit) || parsedLimit < 1 ? 50 : Math.min(parsedLimit, 100) // 1. Fetch Sent Transactions (where customer_wallet = walletAddress) const { data: sentTransactions, error: sentError } = await supabase diff --git a/src/app/api/transactions/route.ts b/src/app/api/transactions/route.ts index b619eb7..81608df 100644 --- a/src/app/api/transactions/route.ts +++ b/src/app/api/transactions/route.ts @@ -19,7 +19,8 @@ export async function GET(req: NextRequest) { const supabase = createServerClient() const { searchParams } = new URL(req.url) const paymentLinkId = searchParams.get('payment_link_id') - const limit = Math.min(parseInt(searchParams.get('limit') || '50'), 100) + const parsedLimit = parseInt(searchParams.get('limit') || '50') + const limit = isNaN(parsedLimit) || parsedLimit < 1 ? 50 : Math.min(parsedLimit, 100) // eslint-disable-next-line @typescript-eslint/no-explicit-any let query = (supabase.from('transactions') as any) diff --git a/src/app/api/v1/payment-links/route.ts b/src/app/api/v1/payment-links/route.ts index 03280f8..8deb215 100644 --- a/src/app/api/v1/payment-links/route.ts +++ b/src/app/api/v1/payment-links/route.ts @@ -183,8 +183,10 @@ export async function GET(req: NextRequest) { } const { searchParams } = new URL(req.url) - const limit = Math.min(parseInt(searchParams.get('limit') || '10'), 100) - const offset = parseInt(searchParams.get('offset') || '0') + const parsedLimit = parseInt(searchParams.get('limit') || '10') + const limit = isNaN(parsedLimit) || parsedLimit < 1 ? 10 : Math.min(parsedLimit, 100) + const parsedOffset = parseInt(searchParams.get('offset') || '0') + const offset = isNaN(parsedOffset) || parsedOffset < 0 ? 0 : parsedOffset // eslint-disable-next-line @typescript-eslint/no-explicit-any const supabase = createServerClient() as any diff --git a/src/app/api/v1/transactions/route.ts b/src/app/api/v1/transactions/route.ts index 9beab7e..6d0d7fe 100644 --- a/src/app/api/v1/transactions/route.ts +++ b/src/app/api/v1/transactions/route.ts @@ -10,8 +10,10 @@ export async function GET(req: NextRequest) { } const { searchParams } = new URL(req.url) - const limit = Math.min(parseInt(searchParams.get('limit') || '10'), 100) - const offset = parseInt(searchParams.get('offset') || '0') + const parsedLimit = parseInt(searchParams.get('limit') || '10') + const limit = isNaN(parsedLimit) || parsedLimit < 1 ? 10 : Math.min(parsedLimit, 100) + const parsedOffset = parseInt(searchParams.get('offset') || '0') + const offset = isNaN(parsedOffset) || parsedOffset < 0 ? 0 : parsedOffset const status = searchParams.get('status') const paymentLinkId = searchParams.get('payment_link_id')