flow fixed

trivial.ql

@@ -1,3 +1,12 @@
+/**
+ * @name SQLI Vulnerability
+ * @description Using untrusted strings in a sql query allows sql injection attacks.
+ * @kind path-problem
+ * @id cpp/sqlivulnerable
+ * @problem.severity warning
+ */
+
+
 import cpp
 
 // 1. source: count = read(STDIN_FILENO, buf, BUFSIZE);
@@ -22,7 +31,6 @@ import cpp
 // from VariableAccess buf
 // where findBuf(buf)
 // select buf
-
 class FindBuf extends VariableAccess {
   FindBuf() {
     exists(FunctionCall read |
@@ -34,7 +42,6 @@ class FindBuf extends VariableAccess {
 
 // from FindBuf buf
 // select buf
-
 // 2. sink:  rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
 class FindQuery extends VariableAccess {
   FindQuery() {
@@ -47,24 +54,21 @@ class FindQuery extends VariableAccess {
 
 // from FindQuery fq
 // select fq
-
 // 3. dataflow between them
-
 import semmle.code.cpp.dataflow.new.TaintTracking
 
 module SqliFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { 
-  }
+    exists(FindBuf fb | source.asDefiningArgument()  = fb) }
+
   predicate isSink(DataFlow::Node sink) { 
+    exists(FindQuery fq |sink.asIndirectArgument() = fq) }
 }
 
-}
-
-module MyFlow = TaintTracking::Global<SqliFlowConfig>;
-
 import MyFlow::PathGraph
 
+module MyFlow = TaintTracking::Global<SqliFlowConfig>;
+
 from MyFlow::PathNode source, MyFlow::PathNode sink
 where MyFlow::flowPath(source, sink)
 select sink, source, sink, "Possible SQL injection"
-