fix: sanitize non-numeric pagination query parameters#375
Open
Clinton6801 wants to merge 8 commits into
Fixes issue geevapp#358 where non-numeric pagination parameters (page, limit, skip) caused 500 errors across list endpoints.

Changes:
- Add parsePaginationParam() helper in lib/validation.ts to safely parse and validate pagination parameters with configurable min/max bounds
- Replaces unsafe parseInt() calls across all affected endpoints:
  * /api/posts
  * /api/posts/[id]/entries
  * /api/posts/[id]/comments
  * /api/users/[id]/followers
  * /api/users/[id]/following
  * /api/wallet/transactions
  * /api/leaderboard
  * /api/notifications
  * /api/discovery

The helper function:
- Returns default values when parsing fails (NaN result)
- Validates minimum and maximum bounds
- Prevents invalid values from reaching Prisma queries
- Gracefully handles edge cases without throwing errors
Updated tests to reflect new pagination behavior:
- Invalid/non-numeric parameters now use sensible defaults instead of 400 error
- Added test for handling non-numeric pagination parameters
- Tests now verify default values are used for invalid input
- Maintains validation for other query parameters (e.g., rankBy, period)
Fixed parse error in tests/api/discovery.test.ts where the describe block was missing its closing brace. This was causing vitest to fail with: [PARSE_ERROR] Expected } but found EOF
@Clinton6801 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀
…g in pagination params
3m1n3nc3 requested changes on Jun 25, 2026
3m1n3nc3 (Contributor) left a comment:
Please review and fix the failing CI
…ters in discovery route
Closes #358
Description
Fixes issue #358 where non-numeric pagination query parameters were causing 500 errors across multiple list endpoints.
Problem
Several API endpoints were using parseInt() directly on query parameters without proper validation. When clients passed non-numeric values (e.g., ?page=abc&limit=xyz), parseInt() would return NaN, which Prisma would reject with a 500 Internal Server Error instead of gracefully handling the invalid input.
Solution
Created a reusable parsePaginationParam() utility function in lib/validation.ts that:
Changes Made
- Added parsePaginationParam() helper function
- Replaced parseInt() calls
Affected Endpoints
- /api/posts - Fixed page and limit parameters
- /api/posts/[id]/entries - Fixed page and limit parameters
- /api/posts/[id]/comments - Fixed page and limit parameters
- /api/users/[id]/followers - Fixed limit and skip parameters
- /api/users/[id]/following - Fixed limit and skip parameters
- /api/wallet/transactions - Fixed page and limit parameters
- /api/leaderboard - Fixed page and limit parameters
- /api/notifications - Fixed page and pageSize parameters
- /api/discovery - Fixed page and limit parameters
Behavior Changes
Before: Non-numeric pagination params → 500 error
After: Non-numeric pagination params → sensible defaults (page=1, limit=10 or 20, skip=0)
Testing Recommendations
- ?page=abc, ?limit=xyz, ?skip=invalid
- ?page=0, ?limit=-5, ?limit=999
Files Changed
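A bounded pagination-parameter parser of the kind the PR describes, as an added example. This is not the project's lib/validation.ts and not code from the PR; the ParamBounds shape, the bound values (page 1..10000, limit 1..100, default limit 20), the clamping of out-of-range values, and the sample query strings are all assumptions made for illustration. It goes slightly beyond the PR text in two ways: it rejects inputs that parseInt() would silently truncate (12abc, 1e3), and it derives skip from page and limit instead of reading skip from the client, so a negative offset can never reach the query layer.

```typescript
// Added example, not the project's lib/validation.ts. Bounds, defaults and
// sample inputs below are assumptions chosen for illustration.

interface ParamBounds {
  /** Used when the parameter is absent, non-numeric, or not a safe integer. */
  defaultValue: number;
  min: number;
  max: number;
}

// parseInt("12abc") === 12 and parseInt("1e3") === 1, so the string is checked
// against a strict decimal-integer form before being converted.
const INTEGER_RE = /^[+-]?\d+$/;

function parsePaginationParam(
  raw: string | string[] | null | undefined,
  bounds: ParamBounds,
): number {
  // Repeated keys (?page=1&page=2) arrive as arrays in some frameworks; take the first.
  const value = Array.isArray(raw) ? raw[0] : raw;
  if (typeof value !== "string") return bounds.defaultValue;
  const trimmed = value.trim();
  if (!INTEGER_RE.test(trimmed)) return bounds.defaultValue;
  const n = Number(trimmed);
  // Very long digit strings become imprecise or Infinity; treat them as invalid.
  if (!Number.isSafeInteger(n)) return bounds.defaultValue;
  // Assumption: out-of-range values are clamped to the bounds rather than
  // replaced by the default (the PR text only says bounds are "validated").
  return Math.min(bounds.max, Math.max(bounds.min, n));
}

interface Pagination {
  page: number;
  limit: number;
  skip: number;
}

// Assumed bounds; the PR mentions defaults of page=1 and limit=10 or 20.
const PAGE_BOUNDS: ParamBounds = { defaultValue: 1, min: 1, max: 10000 };
const LIMIT_BOUNDS: ParamBounds = { defaultValue: 20, min: 1, max: 100 };

// Derives page/limit/skip from a request's query string. skip is computed from
// page and limit, so it is always >= 0 and consistent with the other two.
function parsePagination(searchParams: URLSearchParams): Pagination {
  const page = parsePaginationParam(searchParams.get("page"), PAGE_BOUNDS);
  const limit = parsePaginationParam(searchParams.get("limit"), LIMIT_BOUNDS);
  return { page, limit, skip: (page - 1) * limit };
}

// Constructed sample requests mirroring the PR's testing recommendations.
function demo(): Record<string, Pagination> {
  const samples = [
    "?page=abc&limit=xyz", // non-numeric -> defaults
    "?page=0&limit=-5",    // below the minimum -> clamped up
    "?limit=999",          // above the maximum -> clamped down
    "?page=12abc",         // parseInt() would accept this as 12; rejected here
    "?page=3&limit=25",    // valid input passes through unchanged
  ];
  const out: Record<string, Pagination> = {};
  for (const qs of samples) {
    out[qs] = parsePagination(new URL(`http://localhost/api/posts${qs}`).searchParams);
  }
  return out;
}

for (const [qs, result] of Object.entries(demo())) {
  console.log(qs, "->", JSON.stringify(result));
}
```

Whether out-of-range values should clamp (as here) or fall back to the default is a product decision the PR leaves open; either way the important property is that every value handed to the ORM is a safe integer inside a known range, so neither NaN nor a negative or huge take/skip can reach Prisma.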