From f2411a19567b51efbdbdc69664d36cb76c31aeea Mon Sep 17 00:00:00 2001
From: bitterpanda
Date: Mon, 1 Jun 2026 14:21:40 +0200
Subject: [PATCH 1/2] Trim user input before sending to detectSqlInjection

---
 lib/aikido/zen/scanners/sql_injection_scanner.rb | 2 +-
 test/aikido/zen/scanners/sql_injection_scanner_test.rb | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/aikido/zen/scanners/sql_injection_scanner.rb b/lib/aikido/zen/scanners/sql_injection_scanner.rb
index 7c6d310c..8e01f6f0 100644
--- a/lib/aikido/zen/scanners/sql_injection_scanner.rb
+++ b/lib/aikido/zen/scanners/sql_injection_scanner.rb
@@ -54,7 +54,7 @@ def self.call(query:, dialect:, scan:, sink:, context:, operation:)
 
 def initialize(query, input, dialect)
 @query = query.downcase
- @input = input.downcase
+ @input = input.downcase.strip
 @dialect = dialect
 end
 
diff --git a/test/aikido/zen/scanners/sql_injection_scanner_test.rb b/test/aikido/zen/scanners/sql_injection_scanner_test.rb
index f65f40b7..ba715a6c 100644
--- a/test/aikido/zen/scanners/sql_injection_scanner_test.rb
+++ b/test/aikido/zen/scanners/sql_injection_scanner_test.rb
@@ -218,6 +218,13 @@ def refute_attack(query, input = query, *args)
 assert_attack "SELECT id FROM users WHERE email = '' or 1=1 -- a'", "' OR 1=1 -- a"
 end
 
+ test "detects injection when user input has trailing spaces" do
+ assert_attack(
+ "INSERT INTO pets (name, owner) VALUES ('x', 'dummy'), ('injected', 'hacker'); --', 'owner')",
+ "x', 'dummy'), ('injected', 'hacker'); -- "
+ )
+ end
+
 test "it does not flag VIEW as an attack when it's a substring" do
 query = <<~SQL.chomp
 SELECT views.id AS view_id, view_settings.user_id, view_settings.settings
From 6f3854df556f4fbd352a9de3aa71b0f742fd8d13 Mon Sep 17 00:00:00 2001
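Review bot: The reason the input is stripped while the query is not is not recorded on the `@input = input.downcase.strip` line, and the asymmetry will look accidental to the next reader. A comment such as `# Surrounding whitespace is dropped from the input only: the query may embed the value without it (see the trailing-space test), in which case an unstripped input is never found in the query text.` keeps the rationale next to the code. Note also that String#strip removes only ASCII whitespace and NUL, so input wrapped in other Unicode whitespace (e.g. U+00A0) still reaches the detector unstripped; whether that matters depends on how each supported dialect tokenizes such characters, which is outside this hunk. The enclosing class and the code that consumes @input are outside the hunk.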
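Review bot: The new test exercises only a trailing space, while `strip` also removes leading whitespace and the other ASCII whitespace characters, so a regression in the leading case would pass unnoticed. Repeating the same assertion with the input prefixed by a space and with a `\t` or `\n` wrapper would pin the full normalization, and the test name would then read `"detects injection when user input has surrounding whitespace"`. The `assert_attack` helper is defined outside the hunk, so whether it already iterates over whitespace variants cannot be seen here.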
From: bitterpanda
Date: Mon, 1 Jun 2026 14:38:06 +0200
Subject: [PATCH 2/2] Update test: strip normalizes whitespace-only wrappers around numbers

After adding .strip to user input normalization, inputs like "\n123\n" are reduced to "123" which is correctly considered safe (alphanumeric). This is consistent with " 123 " (spaces) already being a refute_attack case.
---
 test/aikido/zen/scanners/sql_injection_scanner_test.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/test/aikido/zen/scanners/sql_injection_scanner_test.rb b/test/aikido/zen/scanners/sql_injection_scanner_test.rb
index ba715a6c..413245b8 100644
--- a/test/aikido/zen/scanners/sql_injection_scanner_test.rb
+++ b/test/aikido/zen/scanners/sql_injection_scanner_test.rb
@@ -261,9 +261,9 @@ def refute_attack(query, input = query, *args)
 refute_attack "SELECT * WHERE id = 123 ", " 123 "
 end
 
- test "flags invalid whitespace around numbers" do
- assert_attack "SELECT * WHERE id = \n123\n", "\n123\n"
- assert_attack "SELECT * WHERE id = \t123\t", "\t123\t"
+ test "ignores leading/trailing whitespace around numbers" do
+ refute_attack "SELECT * WHERE id = \n123\n", "\n123\n"
+ refute_attack "SELECT * WHERE id = \t123\t", "\t123\t"
 end
 
 test "ignores comma-separated list of numbers" do
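Review bot: Both flipped cases keep the whitespace in the query as well as in the input, so they would pass for any scanner that strips the input but never exercise the situation that motivated the change, a value embedded without its wrapper. A third case with the query trimmed, `refute_attack "SELECT * WHERE id = 123", "\n123\n"`, follows directly from the description ("\n123\n" reduces to "123", which is alphanumeric and safe) and would pin that. The removed test was also the only one concerned with whitespace inside a numeric value's neighbourhood; if whitespace in the interior of a value (which `strip` does not touch) is still meant to be reported, nothing in the file now covers it, so that is worth confirming rather than assuming. The `refute_attack` helper named in the hunk header is defined outside the hunk.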