From 7becd972aacf07f4d77315d566fb4f7ffae6f4e2 Mon Sep 17 00:00:00 2001
From: bitterpanda
Date: Mon, 1 Jun 2026 14:21:34 +0200
Subject: [PATCH] Trim user input before sending to detectSQLInjection
Co-Authored-By: Claude Sonnet 4.6
---
 .../sql-injection/detectSQLInjection.test.ts | 7 +++++++
 .../vulnerabilities/sql-injection/detectSQLInjection.ts | 5 +++--
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/library/vulnerabilities/sql-injection/detectSQLInjection.test.ts b/library/vulnerabilities/sql-injection/detectSQLInjection.test.ts
index 7b46b2f9a..83e65356e 100644
--- a/library/vulnerabilities/sql-injection/detectSQLInjection.test.ts
+++ b/library/vulnerabilities/sql-injection/detectSQLInjection.test.ts
@@ -329,6 +329,13 @@ t.test("It works with non-UTF-8 characters and emojis", async () => {
 isNotSqlInjection("SELECT * FROM users WHERE id = 'a 🛡️'", "a 🛡️");
 });
 
+t.test("detects injection with trailing spaces in user input", async () => {
+ isSqlInjection(
+ "INSERT INTO pets (name, owner) VALUES ('x', 'dummy'), ('injected', 'hacker'); --', 'owner')",
+ "x', 'dummy'), ('injected', 'hacker'); -- "
+ );
+});
+
 const files = [
 // Taken from https://github.com/payloadbox/sql-injection-payload-list/tree/master
 join(__dirname, "payloads", "Auth_Bypass.txt"),
diff --git a/library/vulnerabilities/sql-injection/detectSQLInjection.ts b/library/vulnerabilities/sql-injection/detectSQLInjection.ts
index 8dd5e9af9..0f84b6ad1 100644
--- a/library/vulnerabilities/sql-injection/detectSQLInjection.ts
+++ b/library/vulnerabilities/sql-injection/detectSQLInjection.ts
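Review bot: The new test's name says "trailing spaces", but the query literal on the second added line contains the user value without that trailing space (`'hacker'); --', 'owner')`), so the case only passes because detectSQLInjection now trims the input before matching it against the query; a reader is likely to take the missing space for a typo. A one-line comment above the `isSqlInjection(` call would remove the ambiguity, e.g. `// Presumably the app or driver trimmed the value before building the query, while the detector still receives the raw, space-padded input.` Since `String.prototype.trim()` also strips leading whitespace and characters beyond U+0020 (tabs, newlines, NBSP), a second case with a leading tab or newline would pin the behaviour the production change actually relies on rather than just the one spelled out in the test name.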
@@ -17,13 +17,14 @@ export function detectSQLInjection(
 userInput: string,
 dialect: SQLDialect
 ): SQLInjectionDetectionResultType {
- if (shouldReturnEarly(query, userInput)) {
+ const userInputNormalized = userInput.toLowerCase().trim();
+ if (shouldReturnEarly(query, userInputNormalized)) {
 return SQLInjectionDetectionResult.SAFE;
 }

 const code = wasm_detect_sql_injection(
 query.toLowerCase(),
- userInput.toLowerCase(),
+ userInputNormalized,
 dialect.getWASMDialectInt()
 );