Nice SQLi vulnerability you got there ;-)
> making this project was the most fun I have had in some time haha!
> sorryyyyy for vibe coding it though. Peace. I am only human after all […]
Well, yes, of course the whole app was written by an LLM. I’m not surprised at all.
---
Request:
POST /?user=play&add_http_cors_header=1 HTTP/1.1
Host: play.clickhouse.com
Content-Type: text/plain;charset=UTF-8
User-Agent: Mozilla/5.0 (KHTML, like Gecko) Chrome/109.0.5414.120
Accept: */*
Origin: https://serjaimelannister.github.io
Referer: https://serjaimelannister.github.io/
SELECT username, total_words, global_rank, total_active_users,
concat(toString(global_rank), ' / ', toString(total_active_users)) AS placement,
round(100 * (1 - (global_rank / total_active_users)), 2) AS percentile
FROM (
SELECT by AS username, sum(length(splitByWhitespace(text))) AS total_words,
rank() OVER (ORDER BY sum(length(splitByWhitespace(text))) DESC) AS global_rank,
count(*) OVER () AS total_active_users
FROM hackernews_history WHERE type = 'comment' AND deleted = 0 AND notEmpty(by)
GROUP BY by
) WHERE username = '' OR 1=1;--' FORMAT JSON
Response: This message is too large to display
There's no vulnerability here.
This is a client-side GitHub Pages app. GitHub Pages doesn't do server-side SQL execution.
As your POST request shows, it's querying the hackernews_history table on ClickHouse Playground, which is a big read-only demo environment.
The information is public. "I can get the API wrapper to output more data" might be a quirk but it doesn't have security impact.
https://play.clickhouse.com/play?user=play
https://clickhouse.com/docs/getting-started/playground
https://clickhouse.com/blog/announcing-the-new-sql-playgroun...
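The two comments above disagree on impact, but agree on mechanism: a browser-side app concatenates a username into the SQL it POSTs to play.clickhouse.com, which is why the `'' OR 1=1;--'` in the captured request lands inside the statement. The following is an added example, not code from the GitHub Pages app or from ClickHouse. It reconstructs that concatenation, then shows the alternative the ClickHouse HTTP interface provides for exactly this: query parameters (`{name:Type}` in the SQL, bound from a `param_<name>` URL parameter), so the SQL body stays constant. The endpoint and the `user=play` / `add_http_cors_header=1` parameters come from the captured request; the function names, the `demo()` helper and the username rule are assumptions for illustration.

```javascript
// Added example (not the app's own code). Shows how string concatenation
// produces the injected query captured in the thread, and the parameterized
// form that ClickHouse's HTTP interface supports instead.

const PLAYGROUND = "https://play.clickhouse.com/";

// Ranking subquery as it appears in the captured request (no user input here).
const RANKING_SUBQUERY =
  "SELECT by AS username, sum(length(splitByWhitespace(text))) AS total_words, " +
  "rank() OVER (ORDER BY sum(length(splitByWhitespace(text))) DESC) AS global_rank, " +
  "count(*) OVER () AS total_active_users " +
  "FROM hackernews_history WHERE type = 'comment' AND deleted = 0 AND notEmpty(by) " +
  "GROUP BY by";

// Injectable form: the username is spliced into the SQL text, so a value
// containing a quote changes the statement instead of the compared literal.
function buildQueryUnsafe(username) {
  return (
    "SELECT username, total_words, global_rank, total_active_users " +
    `FROM (${RANKING_SUBQUERY}) WHERE username = '${username}' FORMAT JSON`
  );
}

// Parameterized form: {username:String} is a ClickHouse query parameter that
// the HTTP interface binds from the URL parameter param_username. The POST
// body never contains user input, whatever the value is.
function buildQueryParameterized(username) {
  const url = new URL(PLAYGROUND);
  url.searchParams.set("user", "play");
  url.searchParams.set("add_http_cors_header", "1");
  url.searchParams.set("param_username", username);
  return {
    url: url.toString(),
    body:
      "SELECT username, total_words, global_rank, total_active_users " +
      `FROM (${RANKING_SUBQUERY}) WHERE username = {username:String} FORMAT JSON`,
  };
}

// Defence in depth for a client that only ever looks up one account: reject
// anything not shaped like a Hacker News username before sending a query.
// Assumed rule: 2-15 characters from letters, digits, underscore and hyphen.
const HN_USERNAME = /^[A-Za-z0-9_-]{2,15}$/;
function isValidHnUsername(s) {
  return HN_USERNAME.test(s);
}

// The value from the captured request: closes the literal, adds a tautology,
// and comments out the remainder of the line.
const PAYLOAD = "' OR 1=1;--";

// Returns what each builder does with the payload, for inspection or testing.
function demo() {
  const unsafe = buildQueryUnsafe(PAYLOAD);
  const safe = buildQueryParameterized(PAYLOAD);
  return {
    // tail of the concatenated query, identical to the line in the captured request
    unsafeTail: unsafe.slice(unsafe.indexOf("WHERE username")),
    // parameterized body is the same for any input
    bodyIsConstant: safe.body === buildQueryParameterized("pg").body,
    bodyContainsPayload: safe.body.includes(PAYLOAD),
    payloadRejected: !isValidHnUsername(PAYLOAD),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Note that parameterizing does not change what the Playground will answer: the `play` user can still run any SELECT against the public tables directly, as the reply points out. What it removes is the app's own query being rewritten by whoever is typing into the username box, which is the only thing the captured request demonstrates.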