From 16bdbbb20266151890bc841fed4526d8d701f419 Mon Sep 17 00:00:00 2001
From: Michael Hohn
Date: Wed, 21 May 2025 11:45:52 -0700
Subject: [PATCH] flow template

---
 trivial.ql | 35 +++++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)

diff --git a/trivial.ql b/trivial.ql
index ffbd9b2..83c8f3b 100644
--- a/trivial.ql
+++ b/trivial.ql
@@ -32,8 +32,39 @@ class FindBuf extends VariableAccess {
 }
 }
-from FindBuf buf
-select buf
+// from FindBuf buf
+// select buf
 // 2. sink: rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
+class FindQuery extends VariableAccess {
+ FindQuery() {
+ exists(FunctionCall read |
+ read.getArgument(1) = this and
+ read.getTarget().getName() = "sqlite3_exec"
+ )
+ }
+}
+
+// from FindQuery fq
+// select fq
 // 3. dataflow between them
+
+import semmle.code.cpp.dataflow.new.TaintTracking
+
+module SqliFlowConfig implements DataFlow::ConfigSig {
+ predicate isSource(DataFlow::Node source) {
+ }
+ predicate isSink(DataFlow::Node sink) {
+ }
+
+}
+
+module MyFlow = TaintTracking::Global;
+
+import MyFlow::PathGraph
+
+from MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink, source, sink, "Possible SQL injection"
+
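Review bot: `isSource` and `isSink` in `SqliFlowConfig` have empty bodies, so as committed the configuration selects no flow at all (an empty predicate body may not even compile in QL), and `FindQuery` — the only sink definition added in this hunk — is never wired into the dataflow query. Connecting it is one line, `predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof FindQuery }`, and `isSource` should be restricted to the untrusted input the query is meant to track, with a comment naming it; the hunk header shows `FindBuf` defined earlier in the file, outside this hunk, which may be the intended source (`source.asExpr() instanceof FindBuf`). `module MyFlow = TaintTracking::Global;` as rendered carries no type argument; it presumably read `TaintTracking::Global<SqliFlowConfig>` and lost the angle brackets in rendering — confirm against the file. The path-style `select sink, source, sink, "..."` also depends on `@kind path-problem` in the query metadata, which is outside the hunk and should be checked.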