Trim user input before sending to detect_sql_injection

bitterpanda63 · bitterpanda63 · commit 3734f287bf78 · 2026-06-01T14:54:48.000+02:00
diff --git a/aikido_zen/vulnerabilities/sql_injection/__init__.py b/aikido_zen/vulnerabilities/sql_injection/__init__.py
@@ -16,7 +16,7 @@ def detect_sql_injection(query, user_input, dialect):
     """
     try:
         query_l = query.lower()
-        userinput_l = user_input.lower()
+        userinput_l = user_input.lower().strip()
         if should_return_early(query_l, userinput_l):
             return False
 
diff --git a/aikido_zen/vulnerabilities/sql_injection/init_test.py b/aikido_zen/vulnerabilities/sql_injection/init_test.py
@@ -413,6 +413,13 @@ def test_function_calls_as_sql_injections():
     is_sql_injection("€foobar()", "€foobar()")
 
 
+def test_trimmed_user_input_bypass():
+    is_sql_injection(
+        "INSERT INTO pets (name, owner) VALUES ('x', 'dummy'), ('injected', 'hacker'); --', 'owner')",
+        "x', 'dummy'), ('injected', 'hacker'); --    ",
+    )
+
+
 def file_paths():
     script_dir = os.path.dirname(__file__)
     return [
