Advisories for Golang/Github.com/Julien040/Anyquery package

2026

Anyquery has Path Traversal through `clear_plugin_cache`, Allowing Arbitrary Directory Deletion

The SQL scalar function `clear_plugin_cache(plugin)` in `namespace/other_functions.go` passes the caller-supplied `plugin` argument directly to `path.Join` and then to `os.RemoveAll`, with only an empty-string check as a guard. Because `path.Join` silently resolves `..` segments, a low-privileged bearer-token holder can submit `SELECT clear_plugin_cache('../../../../tmp/target')` to the `/v1/query` HTTP endpoint and delete any directory reachable by the server process. In the verified scenario, a directory outside `$XDG_CACHE_HOME/anyquery/plugins/` was successfully deleted, confirming full path-traversal exploitation.
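The containment check that the pattern above lacks, as an added Go example (not Anyquery's code and not its actual fix): `naiveCachePath` reproduces the described empty-check-plus-`path.Join` behaviour, while `safeCachePath`, `clearPluginCache` and the sample cache root are hypothetical names and values chosen for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// naiveCachePath: empty-string check only, then path.Join, which cleans ".." away.
func naiveCachePath(root, plugin string) (string, error) {
	if plugin == "" {
		return "", fmt.Errorf("plugin name required")
	}
	return path.Join(root, plugin), nil
}

// safeCachePath (hypothetical helper) accepts a single path component only and
// re-checks that the joined result is still inside root (defence in depth).
func safeCachePath(root, plugin string) (string, error) {
	if plugin == "" || plugin == "." || plugin == ".." || strings.ContainsAny(plugin, "/\\\x00") {
		return "", fmt.Errorf("invalid plugin name %q", plugin)
	}
	full := filepath.Join(root, plugin)
	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("plugin path %q escapes cache root", plugin)
	}
	return full, nil
}

// clearPluginCache deletes one plugin's cache directory and nothing else.
func clearPluginCache(root, plugin string) error {
	p, err := safeCachePath(root, plugin)
	if err != nil {
		return err
	}
	return os.RemoveAll(p)
}

func main() {
	root := "/var/cache/anyquery/plugins" // constructed sample root, nothing is deleted here
	for _, in := range []string{"github", "../../../../tmp/target"} {
		naive, _ := naiveCachePath(root, in)
		_, err := safeCachePath(root, in)
		fmt.Printf("%-26q naive=%s hardened err=%v\n", in, naive, err)
	}
}
```

Rejecting separators outright, rather than cleaning the input and continuing, keeps the function's contract to "one plugin name, one directory" and makes rejected calls easy to log and alert on.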

Anyquery: AppleScript/JXA Code Injection via Unescaped URL in macOS Chrome Plugin

The `chrome_tabs` plugin (and equivalent Brave/Edge/Safari variants) interpolates a SQL-controlled `url` value directly into an AppleScript template via `fmt.Sprintf(newTabScript, url)` at `plugins/chrome/tabs.go:141` without any escaping, then passes the result to `exec.Command("osascript", "-e", …)`. An authenticated anyquery user who can issue SQL `INSERT INTO chrome_tabs` statements — which requires local CLI access — can break out of the `{URL:"…"}` property record with a newline-containing payload and inject arbitrary AppleScript statements, including …