From c2abcbc69b220cae848c09889d15d87bfec9187d Mon Sep 17 00:00:00 2001
From: Justin Collins
Date: Wed, 15 Dec 2021 20:41:58 -0800
Subject: [PATCH] Do not treat sanitize_sql_like as safe

It does not protect against SQL injection.
---
 lib/brakeman/checks/check_sql.rb | 2 +-
 test/tests/github_output.rb | 2 +-
 test/tests/rails6.rb | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/brakeman/checks/check_sql.rb b/lib/brakeman/checks/check_sql.rb
index be0bc26b9f..df808657a5 100644
--- a/lib/brakeman/checks/check_sql.rb
+++ b/lib/brakeman/checks/check_sql.rb
@@ -584,7 +584,7 @@ def check_string_arg exp
 end
 IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name,
- :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array, :sanitize_sql_like,
+ :quoted_primary_key, :to_i, :to_f, :sanitize_sql, :sanitize_sql_array,
 :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
 :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions, :to_sql,
 :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
diff --git a/test/tests/github_output.rb b/test/tests/github_output.rb
index 056bc86c80..19dcb10cdb 100644
--- a/test/tests/github_output.rb
+++ b/test/tests/github_output.rb
@@ -6,7 +6,7 @@ def setup
 end
 def test_report_format
- assert_equal 40, @@report.lines.count, "Did you add vulnerabilities to the Rails 6 app? Update this test please!"
+ assert_equal 41, @@report.lines.count, "Did you add vulnerabilities to the Rails 6 app? Update this test please!"
 @@report.lines.each do |line|
 assert line.start_with?('::'), 'Every line must start with `::`'
 assert_equal 2, line.scan('::').count, 'Every line must have exactly 2 `::`'
diff --git a/test/tests/rails6.rb b/test/tests/rails6.rb
index 85b8bd8447..9ec5fa2dd3 100644
--- a/test/tests/rails6.rb
+++ b/test/tests/rails6.rb
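Review bot: IGNORE_METHODS_IN_SQL now omits :sanitize_sql_like with nothing in the set saying why, and since it sits visually among the other :sanitize_sql* entries a later contributor is likely to read the omission as an oversight and put it back. The distinction is the whole point of the commit: sanitize_sql_like only escapes the LIKE wildcards and the escape character, it does not quote the value for SQL, so its result interpolated into a query string is still injectable, whereas the entries that stay in the set produce quoted SQL. A comment above the Set literal would pin that, e.g. `# :sanitize_sql_like is deliberately not listed: it only escapes LIKE wildcards (% and _), it does not quote the value for SQL`. The Set literal continues past the end of the hunk.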
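Review bot: The expected line count in test_report_format (now 41) and the :generic count in the expected hash of test/tests/rails6.rb (now 35, in the first hunk of that file) appear to move together whenever a finding is added to the Rails 6 fixture app, but neither test mentions the other, so the next addition will fail one of them with no hint that a companion number needs updating. The assertion message already asks the reader to update the test, it just does not say where the related count lives; a one-line comment above the assertion, `# tracks the finding total in test/tests/rails6.rb#expected`, would close that gap. The same applies to the rails6.rb expected hunk, which could carry the reverse pointer.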
@@ -13,7 +13,7 @@ def expected
 :controller => 0,
 :model => 0,
 :template => 4,
- :generic => 34
+ :generic => 35
 }
 end
@@ -148,7 +148,7 @@ def test_sql_injection_date_integer_target_false_positive
 end
 def test_sql_injection_sanitize_sql_like
- assert_no_warning :type => :warning,
+ assert_warning :type => :warning,
 :warning_code => 0,
 :fingerprint => "8dde11c95a0f3acb4f982ff6554ac3ba821334ee04aee7f1fb0ea01c8919baad",
 :warning_type => "SQL Injection",
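Review bot: test_sql_injection_sanitize_sql_like now pins only the positive case, that a sanitize_sql_like value reaching a SQL string is reported; nothing in this hunk covers the pattern the check should still accept, where the escaped value is supplied through a bind placeholder rather than interpolated, so a later loosening or tightening of the check around this method would go unnoticed. If the Rails 6 fixture app already has such a usage, a companion `assert_no_warning` keyed to that call would fix the boundary this commit draws; if it does not, that is worth adding alongside this test. The remaining attributes of the expected warning are outside the hunk, which ends before the assert_warning call does.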