Ignore quoted_table_name in SQL

lib/brakeman/checks/check_sql.rb

@@ -547,7 +547,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     string_building? exp.first_arg
   end
 
-  IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :to_i, :to_f,
+  IGNORE_METHODS_IN_SQL = Set[:id, :merge_conditions, :table_name, :quoted_table_name, :to_i, :to_f,
     :sanitize_sql, :sanitize_sql_array, :sanitize_sql_for_assignment,
     :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,

test/apps/rails3.1/app/models/user.rb

@@ -43,6 +43,10 @@ class User < ActiveRecord::Base
                  stuff, stuff, user.id, user.id)
   end
 
+  def self.safe_sql_using_quoted_table_name
+    where("#{User.quoted_table_name}.id = ?", 1)
+  end
+
   def self.more_safe_stuff
     where("#{User.primary_key} = #{table_name_prefix}a.thing")
   end

test/tests/rails31.rb

@@ -1018,6 +1018,18 @@ class Rails31Tests < Test::Unit::TestCase
       :user_input => s(:call, s(:const, :User), :primary_key)
   end
 
+  def test_sql_injection_quoted_table_name
+    assert_no_warning :type => :warning,
+      :warning_code => 0,
+      :fingerprint => "d62a8796ff7e8f7547cea5352112294354b0400b01ab55388fa802a655751ed3",
+      :warning_type => "SQL Injection",
+      :line => 47,
+      :message => /^Possible\ SQL\ injection/,
+      :confidence => 0,
+      :relative_path => "app/models/user.rb",
+      :user_input => s(:call, s(:const, :User), :quoted_table_name)
+  end
+
   def test_sql_injection_table_name_prefix
     assert_no_warning :type => :warning,
       :warning_code => 0,