Cap-go - SQL Injection in Cloudflare Analytics Engine Queries via cloudflare.ts

An authenticated attacker with a read-level API key sends a crafted POST request to either `/private/devices` or `/private/stats`. The `deviceIds` field is validated as `z.array(z.string())`, which only checks the type, not the content, so SQL payloads pass validation. The attacker can inject arbitrary SQL into Cloudflare Analytics Engine queries, enabling cross-tenant data access and exfiltration of analytics data belonging to other users or applications [ref_id=1].

The vulnerability resides in `supabase/functions/_backend/utils/cloudflare.ts`. Multiple user-controlled parameters (`deviceIds`, `search`, `version_name`, `cursor`, `actions`, `app_id`) are interpolated directly into SQL query strings without sanitization or parameterization. The most critical injection point is at lines 668-669 where `deviceIds` are joined without any quoting or escaping [ref_id=1].

The advisory recommends creating a `sanitizeSqlString()` utility that escapes single quotes by doubling them (`'` → `''`) and applying strict input validation regexes (e.g., `/^[a-zA-Z0-9_\-:.]+$/` for device IDs) to all user-controlled values. This prevents SQL injection by ensuring that attacker-supplied strings cannot break out of the intended query structure [ref_id=1].