#103 · SQL injection in any D1 / PostgreSQL query
+240 pts on merge
Claim on GitLab
Submit a merge request that closes this issue to earn points on merge — bounties stack on the standard
+40 merge_pr award. New to the repo? See the
Contributing guide,
and Local Development & SSO
to run the app locally (
cp .dev.vars.example .dev.vars && pnpm dev, after rebasing on main) and fully test your change before opening the MR.
Description
Any query that interpolates user input as a string instead of using a parameterized placeholder. D1 must use .bind(); PostgreSQL on signal-bot must use parameterized clients.
Likely surfaces
- Any worker that builds queries from URL params, headers, or POST bodies
- Migration scripts that read user-controlled file content
- The bot's PostgreSQL queries
apps/scoreboard/src/api/leaderboard.tsfilter handling- Any string concatenation in
.prepare()calls
What doesn't qualify
- Read-only SQLi against tables that contain only public data (lower tier — high vs critical depends on data sensitivity)
- "Self-SQLi" against your own user record
--- *This is NOT a normal bounty. Do not post a public PoC or a public PR demonstrating the vulnerability. Submit findings via the bug-report form at https://score.irregulars.io/contribute#report-bug, or email security@irregularchat.com, or DM an admin on Signal. Awards are admin-determined based on impact: low=50 / medium=150 / high=300 / critical=500 / rce=750.*
Relevant files
No relevant files linked yet.
Hints
No hints yet.
Activity
No points have been awarded for this bounty yet.
Comments
Sign in to join the discussion.
No comments yet. Be the first to weigh in.