From 10e6cfc7a39237934e85c76d4a2a564f4c4cbe50 Mon Sep 17 00:00:00 2001
From: Aadesh Kheria <kheriaaadesh@gmail.com>
Date: Tue, 5 May 2026 12:53:38 -0700
Subject: [PATCH] Enhance qaId validation in MCP review routes to ensure it is
 a non-negative decimal integer

---
 .../src/app/api/latest/internal/mcp-review/delete/route.ts      | 2 +-
 .../app/api/latest/internal/mcp-review/update-qa-entry/route.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/backend/src/app/api/latest/internal/mcp-review/delete/route.ts b/apps/backend/src/app/api/latest/internal/mcp-review/delete/route.ts
index 769742f9b..b36f4433b 100644
--- a/apps/backend/src/app/api/latest/internal/mcp-review/delete/route.ts
+++ b/apps/backend/src/app/api/latest/internal/mcp-review/delete/route.ts
@@ -13,7 +13,7 @@ export const POST = createSmartRouteHandler({
       project: adaptSchema,
     }).defined(),
     body: yupObject({
-      qaId: yupString().defined(),
+      qaId: yupString().matches(/^\d+$/, "qaId must be a non-negative decimal integer").defined(),
     }).defined(),
     method: yupString().oneOf(["POST"]).defined(),
   }),
diff --git a/apps/backend/src/app/api/latest/internal/mcp-review/update-qa-entry/route.ts b/apps/backend/src/app/api/latest/internal/mcp-review/update-qa-entry/route.ts
index 573dbf411..66bf5529d 100644
--- a/apps/backend/src/app/api/latest/internal/mcp-review/update-qa-entry/route.ts
+++ b/apps/backend/src/app/api/latest/internal/mcp-review/update-qa-entry/route.ts
@@ -13,7 +13,7 @@ export const POST = createSmartRouteHandler({
       project: adaptSchema,
     }).defined(),
     body: yupObject({
-      qaId: yupString().defined(),
+      qaId: yupString().matches(/^\d+$/, "qaId must be a non-negative decimal integer").defined(),
       question: yupString().defined(),
       answer: yupString().defined(),
       publish: yupBoolean().defined(),