I think your understanding is correct. https://docs.google.com/document/d/1tJapdA7ZNwkU0NaK7p-em0XnpHqNE1pKIXw9hVJkIUg/edit?tab=t.0#heading=h.83zu2vb65i5v has more details.
On Fri, Jun 27, 2025 at 12:11 PM Ronoaldo Pereira <ronoa...@arki1.com> wrote:

> Hi! I have a question about Apache Beam and SQL... A colleague asked me
> and I have a reasoning about the subject, but I could not find anything
> confirming or denying it so here it goes.
>
> Let's assume that there is corrupted data in our elements (either log
> files, bad database records), and they have inside the element values some
> kind of SQL Injection attempt like 'OR 1=1'.
>
> Does the Beam SQL implementation have any protections on this? Or, in
> other words, do we need to worry about the previous scenario while
> authoring pipelines with SQLTransform?
>
> My understanding is that this is not at risk because as far as I
> understand it while testing the SQLTransform locally, it will convert the
> SQL into Java PTransforms and as such, there is no dynamic query
> construction while the pipeline is running. Therefore, there is no
> situation in which there are fragments of query that could be causing
> vulnerability. The situation I imagine some form of issue along SQL
> Injection is if the attacker can somehow control the pipeline submission
> (i.e., it can influence how the pipeline query is built while the job is
> submitted)
>
> Do we have any part of the documentation that mentions something about
> this?
>
> Thanks in advance for any help!
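
The two cases discussed in this thread, as an added example that is not part of the original messages or of the Beam project's code: a row value carrying an injection-style string flows through `SqlTransform` as plain data, while the query string itself, assembled before submission, is the one place where external text needs validating. The class name, the `SAFE_NAME` allowlist and the `buildQuery` helper are hypothetical, the rows are constructed sample data, and the code assumes `beam-sdks-java-core`, `beam-sdks-java-extensions-sql` and `beam-runners-direct-java`, plus JUnit and Hamcrest for `PAssert`, on the classpath.

```java
import java.util.regex.Pattern;
import org.apache.beam.sdk.Pipeline;
import org.apache.beam.sdk.extensions.sql.SqlTransform;
import org.apache.beam.sdk.schemas.Schema;
import org.apache.beam.sdk.testing.PAssert;
import org.apache.beam.sdk.transforms.Create;
import org.apache.beam.sdk.transforms.MapElements;
import org.apache.beam.sdk.values.PCollection;
import org.apache.beam.sdk.values.Row;
import org.apache.beam.sdk.values.TypeDescriptors;

public class SqlTransformInjectionCheck {
  // Hypothetical allowlist for a value that gets embedded in the query text.
  private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_]{1,32}");

  // The query string is the only place where text becomes SQL, so anything
  // external that reaches it is validated before the pipeline is built.
  static String buildQuery(String userName) {
    if (!SAFE_NAME.matcher(userName).matches()) {
      throw new IllegalArgumentException("rejected filter value");
    }
    return "SELECT user_name, amount FROM PCOLLECTION WHERE user_name = '" + userName + "'";
  }

  public static void main(String[] args) {
    Schema schema =
        Schema.builder().addStringField("user_name").addInt32Field("amount").build();
    Pipeline p = Pipeline.create();

    // Constructed sample rows; the second carries an injection-style string.
    PCollection<Row> input = p.apply(Create.of(
            Row.withSchema(schema).addValues("alice", 10).build(),
            Row.withSchema(schema).addValues("' OR 1=1 --", 20).build(),
            Row.withSchema(schema).addValues("bob", 30).build())
        .withRowSchema(schema));

    // The query is parsed and planned once, here, at construction time.
    PCollection<String> names = input
        .apply(SqlTransform.query(buildQuery("alice")))
        .apply(MapElements.into(TypeDescriptors.strings()).via((Row r) -> r.getString(0)));

    // The hostile value is compared as a plain string and does not widen the filter.
    PAssert.that(names).containsInAnyOrder("alice");
    p.run().waitUntilFinish();
  }
}
```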