julien040/anyquery CVE Request 3: Path Traversal in read_parquet Module


  • Title: Path Traversal Vulnerability in read_parquet Module Due to Unvalidated File Path

  • Affected Component: module/read_parquet.go, Prepare method

  • Attack Vector: Malicious SQL query, such as SELECT * FROM read_parquet('../../../../../etc/shadow' AS path).

  • Description: The read_parquet table function uses file paths from user input without checking for traversal, which can lead to unauthorized file reads.

  • Vulnerability Type: Path Traversal (CWE-22)

  • Impact: Any file accessible to anyquery could be exposed, including highly sensitive system and application data.

  • Suggested Fix: Normalize the input path using filepath.Clean, resolve it absolutely, and enforce that it stays within a defined base path.
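An added illustration of the suggested fix, written for this page and not taken from the anyquery project: a Go helper that applies the three steps in order (normalize with filepath.Clean, resolve to an absolute path, enforce containment in a base directory). The function name, the base directory "/data", and the sample paths are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when the requested path escapes the allowed base directory.
var ErrOutsideBase = errors.New("read_parquet: path escapes the allowed base directory")

// ResolveWithinBase normalizes userPath and confirms the result stays inside baseDir.
// The function name and parameters are this example's own, not anyquery's API.
func ResolveWithinBase(baseDir, userPath string) (string, error) {
	if strings.TrimSpace(userPath) == "" {
		return "", errors.New("read_parquet: empty path")
	}
	absBase, err := filepath.Abs(filepath.Clean(baseDir))
	if err != nil {
		return "", err
	}

	// Step 1: normalize "..", ".", and repeated separators in the caller-supplied path.
	cleaned := filepath.Clean(userPath)

	// Step 2: resolve to an absolute path; a relative input is taken relative to the base.
	var candidate string
	if filepath.IsAbs(cleaned) {
		candidate = cleaned
	} else {
		candidate = filepath.Join(absBase, cleaned)
	}

	// Step 3: containment check via filepath.Rel rather than a string-prefix test,
	// so that "/data-evil/x.parquet" is not accepted as being inside "/data".
	rel, err := filepath.Rel(absBase, candidate)
	if err != nil {
		return "", ErrOutsideBase
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return candidate, nil
}

func main() {
	// Constructed sample inputs: one legitimate relative path and the traversal
	// pattern from the report above, checked against an assumed base of /data.
	for _, p := range []string{"sales/2024.parquet", "../../../../../etc/shadow", "/data-evil/x.parquet"} {
		resolved, err := ResolveWithinBase("/data", p)
		if err != nil {
			fmt.Printf("REJECT %q: %v\n", p, err)
			continue
		}
		fmt.Printf("ALLOW  %q -> %s\n", p, resolved)
	}
}
```

filepath.Clean operates on the string only, so if the base directory may contain symlinks, resolve the candidate with filepath.EvalSymlinks once the file is known to exist and run the same containment check on the result before opening it.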

posted @ 2025-06-17 21:03  Aibot