Ignore sanitize_sql_like in SQL

lib/brakeman/checks/check_sql.rb

@@ -572,7 +572,7 @@ def check_string_arg exp
   end
 
   IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name,
-    :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
+    :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array, :sanitize_sql_like,
     :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
     :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,

test/apps/rails6/app/models/group.rb

@@ -7,4 +7,9 @@ def date_in_sql
     date = 30.days.ago
     Arel.sql("created_at > '#{date}'")
   end
+
+  def ar_sanitize_sql_like(query)
+    query = ActiveRecord::Base.sanitize_sql_like(query) # escaped variable
+    Arel.sql("name ILIKE '%#{query}%'")
+  end
 end

test/tests/rails6.rb

@@ -134,6 +134,20 @@ def test_sql_injection_date_integer_target_false_positive
       :user_input => s(:call, s(:call, s(:lit, 30), :days), :ago)
   end
 
+
+  def test_sql_injection_sanitize_sql_like
+    assert_no_warning :type => :warning,
+      :warning_code => 0,
+      :fingerprint => "8dde11c95a0f3acb4f982ff6554ac3ba821334ee04aee7f1fb0ea01c8919baad",
+      :warning_type => "SQL Injection",
+      :line => 13,
+      :message => /^Possible\ SQL\ injection/,
+      :confidence => 1,
+      :relative_path => "app/models/group.rb",
+      :code => s(:call, s(:const, :Arel), :sql, s(:dstr, "name ILIKE '%", s(:evstr, s(:call, s(:colon2, s(:const, :ActiveRecord), :Base), :sanitize_sql_like, s(:lvar, :query))), s(:str, "%'"))),
+      :user_input => s(:call, s(:colon2, s(:const, :ActiveRecord), :Base), :sanitize_sql_like, s(:lvar, :query))
+  end
+
   def test_cross_site_scripting_sanity
     assert_warning :type => :template,
       :warning_code => 2,