[CRITICAL] SQL Injection Vulnerability in Dynamic Table Name

Why this matters:

• DESTINATION_TABLE comes from environment variables and is used directly in sql.id()
• If an attacker controls the environment variable, they could inject malicious SQL
• The sql.id() function is designed for identifiers but doesn't validate the input is a safe table name

Recommended fix:
Validate that DESTINATION_TABLE matches expected table names before using it in SQL:

// At the top of the file or in config validation
const VALID_TABLE_NAMES = [MATOMO_TABLE_NAME, PARTITIONED_MATOMO_TABLE_NAME]

if (!VALID_TABLE_NAMES.includes(DESTINATION_TABLE)) {
  throw new Error(`Invalid DESTINATION_TABLE: ${DESTINATION_TABLE}. Must be one of: ${VALID_TABLE_NAMES.join(', ')}`)
}

Alternatively, use a safer approach by directly referencing the validated constant rather than passing through sql.id().

If an attacker has control over our env variables we're in bigger trouble than that anyway