False negative in SQL injection detection (S608) when selecting multiple columns across multiple lines

[aripollak]

Here's a file that demonstrates the issue when checked with ruff check --select S608 test.py:

user_input = "SELECT * FROM bad_stuff"
bad_detected = f"""
    SELECT *, foo
    FROM ({user_input}) raw
"""

bad_undetected = f"""
    SELECT *,
        foo
    FROM ({user_input}) raw
"""

I'd expect both bad_detected and bad_undetected to be warned about, but this only warns with test.py:2:16: S608 Possible SQL injection vector through string-based query construction.

This used to work correctly in ruff 0.4, but broke at some point between then and ruff 0.9.2.

[InSyncWithFoo]

This regression first appeared in 0.7.0 via #13574. The regex in question was changed from:

(?i)\b(select\s.+\sfrom\s|delete\s+from\s|(insert|replace)\s.+\svalues\s|update\s.+\sset\s)

...to:

(?i)\b(select\s+.*\s+from\s|delete\s+from\s|(insert|replace)\s+.*\s+values\s|update\s+.*\s+set\s)

For comparison, here's the corresponding regex from flake8-bandit (it hasn't changed since then):

SIMPLE_SQL_RE = re.compile(
    r"(select\s.*from\s|"
    r"delete\s+from\s|"
    r"insert\s+into\s.*values\s|"
    r"update\s.*set\s)",
    re.IGNORECASE | re.DOTALL,
)