aws-sdk-pandas
Sanitization of named parameters in athena.read_sql_query
If I am reading the code for wr.athena.read_sql_query correctly, it looks like sanitization is not performed on named queries which are resolved client side. I think this would be a nice enhancement to the function, but am open to reason or arguments on leaving it out. If this is something that would be valuable in wrangler, I can work on a PR for this.
Hi @frenchytheasian, could you please share a reference to the code where you believe Athena named queries are used within wr.athena.read_sql_query? AFAIK the user must supply the sql string at all times which is then sanitised.
@jaidisido Sorry I misspoke in my original message. I don't believe sanitization is supported for named parameters (not named queries). The docs say that the formatter is applied client side here. It does not look like any string values are sanitized for malicious characters.
The _process_sql_parameters method is doing some validation around typing but not malicious characters. Additional sanitisation is always welcome so please feel free to contribute, thanks!
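To make the concern in this thread concrete, here is an added example (not code from aws-sdk-pandas, and not its `_process_sql_parameters`) contrasting plain client-side substitution of named parameters with a literal-aware formatter. The `:name` placeholder syntax, the `naive_format`/`safe_format`/`to_sql_literal` names and the sample query are assumptions for the example. The point is that once values are pasted into the SQL text before it reaches Athena, the client must render each value as a literal the engine will parse as data: strings wrapped in single quotes with embedded quotes doubled (the Presto/Trino escaping rule), dates and timestamps as typed literals, and unsupported types rejected rather than `str()`-ed.

```python
"""Client-side named-parameter formatting: naive vs. hardened (added example).

Not aws-sdk-pandas code. It models the general idea of resolving ":name"
placeholders on the client before the query text is sent to Athena, so the
difference between raw interpolation and literal-aware quoting is visible.
"""
import datetime as dt
import re
from decimal import Decimal
from typing import Any, Dict

# Assumed placeholder syntax for this example: ":identifier" (no digits right
# after the colon, so "12:30" inside a literal is never treated as a placeholder).
_PLACEHOLDER = re.compile(r":(?P<name>[A-Za-z_]\w*)")


def naive_format(sql: str, params: Dict[str, Any]) -> str:
    """Raw substitution: the value's str() is pasted into the query unchanged.

    A legitimate value such as the surname O'Neil already breaks the query, and
    any quote characters in the value become part of the SQL grammar.
    """
    return _PLACEHOLDER.sub(lambda m: str(params[m.group("name")]), sql)


def to_sql_literal(value: Any) -> str:
    """Render one Python value as an Athena (Presto/Trino) SQL literal.

    Each branch produces text the engine parses as a single value; unknown
    types raise instead of silently falling back to str().
    """
    if value is None:
        return "NULL"
    if isinstance(value, bool):  # bool before int: bool is an int subclass
        return "TRUE" if value else "FALSE"
    if isinstance(value, (int, Decimal)):
        return str(value)
    if isinstance(value, float):
        if value != value or value in (float("inf"), float("-inf")):
            raise ValueError("non-finite float cannot be a SQL literal")
        return repr(value)
    if isinstance(value, dt.datetime):
        return f"TIMESTAMP '{value.strftime('%Y-%m-%d %H:%M:%S')}'"
    if isinstance(value, dt.date):
        return f"DATE '{value.isoformat()}'"
    if isinstance(value, str):
        if "\x00" in value:
            raise ValueError("NUL byte in string parameter")
        # Doubling the single quote is the engine's own escape for string literals.
        return "'" + value.replace("'", "''") + "'"
    if isinstance(value, (list, tuple)):
        # Renders an IN (...) list; each element goes through the same rules.
        return "(" + ", ".join(to_sql_literal(v) for v in value) + ")"
    raise TypeError(f"unsupported parameter type: {type(value).__name__}")


def safe_format(sql: str, params: Dict[str, Any]) -> str:
    """Resolve ":name" placeholders with properly quoted literals."""

    def repl(m: "re.Match[str]") -> str:
        name = m.group("name")
        if name not in params:
            raise KeyError(f"missing parameter :{name}")
        return to_sql_literal(params[name])

    return _PLACEHOLDER.sub(repl, sql)


if __name__ == "__main__":
    # Constructed sample query and parameters.
    query = "SELECT * FROM events WHERE user_name = :user AND day = :day"
    params = {"user": "O'Neil", "day": dt.date(2024, 1, 1)}
    print(naive_format(query, params))  # quote in the value leaks into the grammar
    print(safe_format(query, params))   # value stays a single string literal
```

Running the block shows the naive version emitting `user_name = O'Neil AND day = 2024-01-01`, which Athena will reject or misparse, while the hardened version emits `user_name = 'O''Neil' AND day = DATE '2024-01-01'`. Whatever the final design in the library, a validator that only checks types (as the maintainer notes above) will let the first form through; the quoting step is what keeps a parameter value from being read as query syntax.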
@jaidisido Sounds good. Thanks for the responses! I'll try and tackle this hopefully soonish, but I won't make any promises on a timeline.
Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 7 days it will automatically be closed.