fix: Validate queue names #40290
fix: Validate queue names #40290
Conversation
|
This pull request has been ignored for the connected project Preview Branches by Supabase. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
6 Skipped Deployments
|
|
Studio E2E Results
Artifacts: https://github.com/supabase/supabase/actions/runs/19226474033 Last updated: Monday 10, November, 2025 10:05:12 (UTC) |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
This PR is being reviewed by Cursor Bugbot
Details
You are on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle.
To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.
| 'Invalid queue name: must contain only alphanumeric characters, underscores, and hyphens' | ||
| ) | ||
| } | ||
|
|
There was a problem hiding this comment.
Bug: SQL Injection Through Unvalidated Inputs
The payload and delay parameters are directly interpolated into the SQL query without validation or proper escaping, creating SQL injection vulnerabilities. While queueName is now validated, user-controlled payload strings and numeric delay values can be exploited to inject malicious SQL. The same pattern affects messageId and duration parameters in other mutations.
Issue within the user supplied queue name parameter
Fixes SEC-583
Note
Introduces shared queue name schema/validation, replaces queryName with queueName, and validates names across queue APIs before executing SQL.
QueryNameSchemaandisQueueNameValidinQueues.utils.QueryNameSchematoCreateQueueSheetformname.queryNametoqueueNamein message actions and hooks.archive,read,delete,send,purge,metrics, andmessagesinfinite query; block invalid names before SQL.MessageDetailsPanelactions to passqueueName.preciseMetricsSqlQuery,estimateMetricsSqlQuery).Written by Cursor Bugbot for commit b465a92. This will update automatically on new commits. Configure here.