fix(security): LIKE injection and unbounded queries

[SH20RAJ]

Sub-issue of #29364

Severity: MEDIUM-HIGH

Problems

1. packages/trpc/server/routers/viewer/bookings/get.handler.ts:1075-1100 — LIKE wildcards not escaped
2. packages/trpc/server/routers/viewer/users/_router.ts:57-62 — Unbounded user list query
3. packages/kysely/utils/json/traverse/index.ts:13 — Latent SQL injection via sql.raw()

Fix

1. Escape % and _ in LIKE operands
2. Add pagination and select to user list
3. Use parameterized values in traverseJSON

Contact: LinkedIn: /in/sh20raj

[Darshan3690]

Hi @SH20RAJ , I would like to work on this issue.

I checked the reported problems and this is the approach I’m planning to take:

Escape % and _ in LIKE queries to avoid wildcard injection issues.
Add pagination (limit and offset) and proper field selection for the user list query so it doesn’t fetch unlimited data.
Replace unsafe sql.raw() usage in traverseJSON with safer parameterized queries.
Add tests for:
LIKE wildcard escaping
pagination behavior
SQL injection related edge cases
Run lint and tests before submitting the PR.

I’ve worked on similar backend/security fixes before and would be happy to contribute to this one.