AikidoSec · bitterpanda63 · Jun 1, 2026 · Jun 1, 2026
diff --git a/lib/aikido/zen/scanners/sql_injection_scanner.rb b/lib/aikido/zen/scanners/sql_injection_scanner.rb
@@ -54,7 +54,7 @@ def self.call(query:, dialect:, scan:, sink:, context:, operation:)
 
       def initialize(query, input, dialect)
         @query = query.downcase
-        @input = input.downcase
+        @input = input.downcase.strip
         @dialect = dialect
       end
 

diff --git a/test/aikido/zen/scanners/sql_injection_scanner_test.rb b/test/aikido/zen/scanners/sql_injection_scanner_test.rb
@@ -218,6 +218,13 @@ def refute_attack(query, input = query, *args)
     assert_attack "SELECT id FROM users WHERE email = '' or 1=1 -- a'", "' OR 1=1 -- a"
   end
 
+  test "detects injection when user input has trailing spaces" do
+    assert_attack(
+      "INSERT INTO pets (name, owner) VALUES ('x', 'dummy'), ('injected', 'hacker'); --', 'owner')",
+      "x', 'dummy'), ('injected', 'hacker'); --    "
+    )
+  end
+
   test "it does not flag VIEW as an attack when it's a substring" do
     query = <<~SQL.chomp
       SELECT views.id AS view_id, view_settings.user_id, view_settings.settings
@@ -254,9 +261,9 @@ def refute_attack(query, input = query, *args)
     refute_attack "SELECT * WHERE id =   123  ", "  123  "
   end
 
-  test "flags invalid whitespace around numbers" do
-    assert_attack "SELECT * WHERE id = \n123\n", "\n123\n"
-    assert_attack "SELECT * WHERE id = \t123\t", "\t123\t"
+  test "ignores leading/trailing whitespace around numbers" do
+    refute_attack "SELECT * WHERE id = \n123\n", "\n123\n"
+    refute_attack "SELECT * WHERE id = \t123\t", "\t123\t"
   end
 
   test "ignores comma-separated list of numbers" do