Fix false positive for single or double quotes that are safely escaped

src/helpers/find_all_matches.rs

@@ -0,0 +1,12 @@
+pub fn find_all_matches(haystack: &str, needle: &str) -> Vec<usize> {
+    let mut positions = Vec::new();
+    let mut start = 0;
+
+    while let Some(pos) = haystack[start..].find(needle) {
+        let match_pos = start + pos;
+        positions.push(match_pos);
+        start = match_pos + 1;
+    }
+
+    positions
+}

src/helpers/find_all_matches_test.rs

@@ -0,0 +1,67 @@
+#[cfg(test)]
+mod tests {
+    use crate::helpers::find_all_matches::find_all_matches;
+
+    #[test]
+    fn test_find_all_matches() {
+        let haystack = "hello world hello world hello world";
+        let needle = "world";
+        let expected = vec![6, 18, 30];
+        let result = find_all_matches(haystack, needle);
+        assert_eq!(result, expected);
+    }
+
+    #[test]
+    fn test_no_matches() {
+        let haystack = "hello world hello world hello world";
+        let needle = "foo";
+        let expected = vec![];
+        let result = find_all_matches(haystack, needle);
+        assert_eq!(result, expected);
+    }
+
+    #[test]
+    fn test_empty_haystack() {
+        let haystack = "";
+        let needle = "world";
+        let expected = vec![];
+        let result = find_all_matches(haystack, needle);
+        assert_eq!(result, expected);
+    }
+
+    #[test]
+    fn test_empty_needle() {
+        let haystack = "hello world hello world hello world";
+        let needle = "";
+        let expected = vec![];
+        let result = find_all_matches(haystack, needle);
+        assert_eq!(result, expected);
+    }
+
+    #[test]
+    fn test_empty_haystack_and_needle() {
+        let haystack = "";
+        let needle = "";
+        let expected = vec![];
+        let result = find_all_matches(haystack, needle);
+        assert_eq!(result, expected);
+    }
+
+    #[test]
+    fn test_single_char() {
+        let haystack = "hello world hello world hello world";
+        let needle = "w";
+        let expected = vec![6, 18, 30];
+        let result = find_all_matches(haystack, needle);
+        assert_eq!(result, expected);
+    }
+
+    #[test]
+    fn test_overlapping_matches() {
+        let haystack = "aaa";
+        let needle = "aa";
+        let expected = vec![0, 1];
+        let result = find_all_matches(haystack, needle);
+        assert_eq!(result, expected);
+    }
+}

src/helpers/mod.rs

@@ -1 +1,2 @@
 pub mod diff_in_vec_len;
+pub mod find_all_matches;

src/sql_injection/detect_sql_injection.rs

@@ -2,6 +2,7 @@ use super::have_comments_changed::have_comments_changed;
 use super::is_common_sql_string::is_common_sql_string;
 use super::tokenize_query::tokenize_query;
 use crate::diff_in_vec_len;
+use crate::helpers::find_all_matches::find_all_matches;
 use sqlparser::tokenizer::Token;
 
 const SPACE_CHAR: char = ' ';
@@ -26,6 +27,40 @@ pub fn detect_sql_injection_str(query: &str, userinput: &str, dialect: i32) -> b
         return false;
     }
 
+    // Special case for single or double quotes at start and/or end of user input
+    // Normally if the user input is properly escaped, we wouldn't find an exact match in the query
+    // However, if the user input is `'value` and the single quote is escaped with another single quote
+    // `'value` becomes `'''value'` in the query so we still find an exact match
+    // (vice versa for double quotes)
+    if userinput.contains("'") || userinput.contains('"') {
+        let mut matches = find_all_matches(query, userinput).len();
+
+        fn is_safely_escaped(input: &str, userinput: &str, quote: char) -> bool {
+            let quoted_start = format!("{quote}{userinput}");
+            let quoted_end = format!("{userinput}{quote}");
+            let fully_quoted = format!("{quote}{userinput}{quote}");
+
+            input == quoted_start || input == quoted_end || input == fully_quoted
+        }
+
+        for token in tokens.iter() {
+            match token {
+                Token::SingleQuotedString(s) if is_safely_escaped(s, userinput, '\'') => {
+                    matches -= 1
+                }
+                Token::DoubleQuotedString(s) if is_safely_escaped(s, userinput, '"') => {
+                    matches -= 1
+                }
+                _ => {}
+            }
+        }
+
+        if matches == 0 {
+            // All matches are safely escaped, not an injection.
+            return false;
+        }
+    }
+
     // Remove leading and trailing spaces from userinput :
     let trimmed_userinput = userinput.trim_matches(SPACE_CHAR);
 

src/sql_injection/detect_sql_injection_test.rs

@@ -691,4 +691,29 @@ mod tests {
         );
         is_injection!("SELECT * FROM users WHERE id IN (-1,571,639)", "-1,571,639");
     }
+
+    #[test]
+    fn test_partial_match_single_quote() {
+        let starts_with = r#"
+            SELECT "foo" WHERE "bar" = '''; sleep 15 ;"'
+        "#;
+
+        // r#"..."# is a raw string literal
+        not_injection!(starts_with, r#"'; sleep 15 ;""#);
+    }
+
+    #[test]
+    fn test_multiple_partial_match_single_quote() {
+        not_injection!("SELECT '''abc', '''abc' FROM table", "'abc");
+        not_injection!("SELECT 'abc''', 'abc''' FROM table", "abc'");
+        not_injection!("SELECT '''abc''', '''abc''' FROM table", "'abc'");
+    }
+
+    #[test]
+    fn test_multiple_partial_match_double_quote() {
+        // r#"..."# is a raw string literal
+        not_injection!(r#"SELECT """"abc", """"abc"" FROM table"#, r#""abc"#);
+        not_injection!(r#"SELECT "abc"""", "abc""" FROM table"#, r#"abc""#);
+        not_injection!(r#"SELECT """"abc""", """"abc"" FROM table"#, r#""abc"#);
+    }
 }