fix(detectors): Fix bug with empty string and keyword in SQL Injection Detector (#93071)

roggenkemper · web-flow · commit 50984dd10002 · 2025-06-09T08:15:40.000-07:00
diff --git a/fixtures/events/performance_problems/sql-injection/sql-injection-event-query.json b/fixtures/events/performance_problems/sql-injection/sql-injection-event-query.json
@@ -20,7 +20,9 @@
     "method": "GET",
     "query_string": [
       ["username", "hello"],
-      ["sort", "username"]
+      ["sort", "username"],
+      ["empty", ""],
+      ["single", "u"]
     ]
   },
   "spans": [
diff --git a/src/sentry/utils/performance_issues/detectors/sql_injection_detector.py b/src/sentry/utils/performance_issues/detectors/sql_injection_detector.py
@@ -83,11 +83,17 @@ def extract_request_data(self, event: dict[str, Any]) -> None:
             query_value = query_pair[1]
             query_key = query_pair[0]
 
-            if not isinstance(query_value, str):
+            # Filters out empty strings or single character strings
+            if (
+                not isinstance(query_value, str)
+                or not isinstance(query_key, str)
+                or not query_value
+                or len(query_value) == 1
+            ):
                 continue
             if query_key == query_value:
                 continue
-            if query_value.upper() in SQL_KEYWORDS:
+            if query_value.upper() in SQL_KEYWORDS or query_key.upper() in SQL_KEYWORDS:
                 continue
             valid_parameters.append(query_pair)
 
