From 43a3efc94ffc4e6066c569d1cb05558646dde823 Mon Sep 17 00:00:00 2001
From: Davide Grilli
Date: Tue, 19 May 2026 10:12:11 +0200
Subject: [PATCH] fix(security): clamp pagination parameters to prevent negative or overflow values
Replace raw parseInt() with Math.max/min bounds: page >= 1, limit 1-100. Affects public products, admin orders, and admin reviews endpoints.
---
 app/src/app/api/admin/orders/route.ts | 4 ++--
 app/src/app/api/admin/reviews/route.ts | 4 ++--
 app/src/app/api/products/route.ts | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/app/src/app/api/admin/orders/route.ts b/app/src/app/api/admin/orders/route.ts
index 302a97f..197b8cc 100644
--- a/app/src/app/api/admin/orders/route.ts
+++ b/app/src/app/api/admin/orders/route.ts
@@ -13,8 +13,8 @@ export async function GET(request: NextRequest) {
 if (!user) return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
 const { searchParams } = new URL(request.url)
- const page = parseInt(searchParams.get('page') || '1')
- const limit = parseInt(searchParams.get('limit') || '20')
+ const page = Math.max(1, parseInt(searchParams.get('page') || '1') || 1)
+ const limit = Math.min(100, Math.max(1, parseInt(searchParams.get('limit') || '20') || 20))
 const status = searchParams.get('status')
 const skip = (page - 1) * limit
diff --git a/app/src/app/api/admin/reviews/route.ts b/app/src/app/api/admin/reviews/route.ts
index ff5bf84..310f727 100644
--- a/app/src/app/api/admin/reviews/route.ts
+++ b/app/src/app/api/admin/reviews/route.ts
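Review bot: `page` is still unbounded above, so `skip = (page - 1) * limit` on the last hunk line can reach values like 1e20 from `?page=99999999999999999999`, which is the overflow case the subject line says it closes; if the ORM's `skip` is validated as a 32-bit integer (Prisma, which products/route.ts imports, does this as far as I recall) such a request surfaces as a 500 instead of being clamped. Cap the page as well and pass the explicit radix so `page=0x10` is not parsed as hex, e.g. `const page = Math.min(MAX_PAGE, Math.max(1, parseInt(searchParams.get('page') || '1', 10) || 1))` with `MAX_PAGE` a module constant whose value is yours to pick. The same two lines are repeated byte-for-byte in the admin/reviews and products hunks, so a single `parsePagination(searchParams)` helper under `@/lib` would keep the three routes from drifting the next time the bounds change. GET's body continues past the hunk in all three files.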
@@ -13,8 +13,8 @@ export async function GET(request: NextRequest) {
 if (!user) return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
 const { searchParams } = new URL(request.url)
- const page = parseInt(searchParams.get('page') || '1')
- const limit = parseInt(searchParams.get('limit') || '20')
+ const page = Math.max(1, parseInt(searchParams.get('page') || '1') || 1)
+ const limit = Math.min(100, Math.max(1, parseInt(searchParams.get('limit') || '20') || 20))
 const status = searchParams.get('status')
 const skip = (page - 1) * limit
diff --git a/app/src/app/api/products/route.ts b/app/src/app/api/products/route.ts
index e9e4396..5c35c78 100644
--- a/app/src/app/api/products/route.ts
+++ b/app/src/app/api/products/route.ts
@@ -3,8 +3,8 @@ import { prisma } from '@/lib/prisma'
 export async function GET(request: NextRequest) {
 const { searchParams } = new URL(request.url)
- const page = parseInt(searchParams.get('page') || '1')
- const limit = parseInt(searchParams.get('limit') || '20')
+ const page = Math.max(1, parseInt(searchParams.get('page') || '1') || 1)
+ const limit = Math.min(100, Math.max(1, parseInt(searchParams.get('limit') || '20') || 20))
 const category = searchParams.get('category')
 const search = searchParams.get('search')