Hi,
In "CargoUtils.php" line 665 there is the line $cdb->tableName( $tableName ) . ' ( ' .
IDatabase::tableName is not suitable for malicious input as it won't quote if it detects the string is already quoted, or if it contains some keywords (like ON). It's probably more appropriate to use $cdb->addQuotedIdentifier( $cdb->tableName( $tableName, 'plain' ) ); (Still not really perfect as it could skip the prefix in certain circumstances, but a whole lot better).
The fact that Cargo does not let you use double underscore in table name, and that you can't inject before the keyword TABLE (so no inserting CREATE OR REPLACE) does limit the sorts of evil you can do with this [or at least limited me. Smarter people may be able to figure out bypasses]. However one potential malicious thing you can do is exploit CREATE TABLE of death, if the person is using MySQL prior to versions 5.5.58, 5.6.38 and 5.7.20, or MariaDB prior to version 5.5.57, 10.0.32, 10.1.26 and 10.2.7:
I did not actually test this, but in theory
{{#cargo_declare:
_table=éééééééééééééééééééééééééééééééééééééééééééééééééééééééééééééééé (id int PRIMARY KEY) ENGINE=InnoDB PARTITION BY RANGE (id) SUBPARTITION BY HASH (id) (PARTITION çççççççççççççççççççççççççççççççççççççççççççççççççççççççççççç VALUES LESS THAN (70));/* ON */--
}}[Note, that's using tabs not spaces].
will brick your db if you're using a susceptible version of mysql/mariadb.
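An added example, not code from this report or from Cargo/MediaWiki, that models the quoting problem described above in Python: naive_table_name is an assumed approximation of a quoter that leaves a name alone when it looks already quoted or contains a keyword such as ON, quote_identifier always wraps and escapes, and validate_table_name is a hypothetical allowlist check (it rejects double underscores as Cargo does); the table-name input is constructed.

```python
import re

# Approximation (assumed, not MediaWiki's code) of a quoter that skips
# names it believes are already quoted or that contain SQL keywords.
_LOOKS_QUOTED = re.compile(r"^`.*`$", re.S)
_KEYWORD = re.compile(r"\b(ON|AS|IN)\b", re.I)


def naive_table_name(name: str) -> str:
    """Return the name untouched if it 'looks quoted' or has a keyword."""
    if _LOOKS_QUOTED.match(name) or _KEYWORD.search(name):
        return name
    return f"`{name}`"


def quote_identifier(name: str) -> str:
    """Always wrap in backticks and double any embedded backtick, so the
    whole string is parsed as one identifier whatever it contains."""
    return "`" + name.replace("`", "``") + "`"


# Hypothetical allowlist policy for user-supplied table names.
_TABLE_NAME_OK = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,63}$")


def validate_table_name(name: str) -> bool:
    """Letters, digits and single underscores only; no double underscore."""
    return bool(_TABLE_NAME_OK.match(name)) and "__" not in name


def create_table_sql(name: str, quoter) -> str:
    """Build the statement the report discusses with the given quoter."""
    return "CREATE TABLE " + quoter(name) + " ( id INT PRIMARY KEY )"


# Exactly one backtick-quoted identifier (`` is an escaped backtick)
# followed by the fixed column list: nothing else may have been spliced in.
_WELL_FORMED = re.compile(
    r"^CREATE TABLE `(?:[^`]|``)*` \( id INT PRIMARY KEY \)$", re.S
)


def statement_is_well_formed(sql: str) -> bool:
    """True only if the table name stayed a single identifier."""
    return _WELL_FORMED.match(sql) is not None


# Constructed input: already 'quoted' and carrying a keyword, so the
# naive quoter passes it through and its text lands in the statement.
CONSTRUCTED_NAME = "`t` (id INT) /* ON */--"
```

Running `statement_is_well_formed(create_table_sql(CONSTRUCTED_NAME, naive_table_name))` returns False while the `quote_identifier` variant returns True, and `validate_table_name` rejects the constructed name outright.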