False negative SQLi using map

[tsigouris007]

Background

Brakeman version: 5.1.2
Rails version: 6.1.4.1
Ruby version: 2.5.5

Rails application code

Cannot disclose the full code but I can disclose the offending part which seems pretty clear.

    if params[:search_text].present?
      if params[:exact_match].presence == 'true'
        @quotes = @quotes.where(reply: params[:search_text])
      else
        search_query = params[:search_text].split(' ').
          map { |word| "CONCAT(' ', reply, ' ') LIKE '% #{word} %'" }.
          join(' AND ')
        @quotes = @quotes.where(search_query)
      end
    end

Issue

False negative SQLi using .map.
This is actually a legit SQL Injection point but brakeman fails to catch it.

[presidentbeef]

Haven't looked at this in-depth yet, but it's possible Brakeman doesn't know what @quotes is and that's why it's failing to catch it.

[tsigouris007]

Hello @presidentbeef ,
quotes are defined earlier as:

class Earth::QuotesPresenter
  attr_reader :quotes

  def fetch
    @quotes = Quote.all

    # SOME OTHER CODE

    if params[:search_text].present?
      if params[:exact_match].presence == 'true'
        @quotes = @quotes.where(reply: params[:search_text])
      else
        search_query = params[:search_text].split(' ').
          map { |word| "CONCAT(' ', reply, ' ') LIKE '% #{word} %'" }.
          join(' AND ')
        @quotes = @quotes.where(search_query)
      end
    end
  end

Then you hit the URL using search_text=SQLI (avoiding spaces because they are split) and exact_match=false.
Brakeman is being run on the whole project and not only on this file so I guess the @quotes variable is being resolved. Could it not be resolved by brakeman somehow?
Because in my rails console when I query for pry(main)> Quote.all it properly returns all quotes from the database and when running the project the results are presented properly inside the page.