
Vouch Request: Purvi09 — fix #3739 (realtime tags SQL injection) #4130

Description

@Purvi09

Why do you want to contribute?

I've been exploring the trigger.dev codebase and found a SQL injection vulnerability in the realtime runs API (#3739) — user-supplied tags were interpolated into the Electric where clause without escaping single quotes. I've already prepared a focused fix plus a unit test and a .server-changes/ note, in PR #4129 (auto-closed pending vouch). I'd like to be vouched so I can get that reviewed and continue contributing backend fixes.

Prior contributions or relevant experience

I've contributed to maximhq/bifrost with 2 merged PRs:

#4472 feat(mcp): add per-MCP-server tool execution timeout
#4418 fix: populate error message in OpenAI responses streaming error events
