Use asIndirecArgument

SqlInjection.ql

@@ -15,7 +15,7 @@ module SqliFlowConfig implements DataFlow::ConfigSig {
         // count = read(STDIN_FILENO, buf, BUFSIZE);
         exists(FunctionCall read |
             read.getTarget().getName() = "read" and
-            read.getArgument(1) = source.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()
+            read.getArgument(1) = source.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument()
         )
     }
 
@@ -31,7 +31,7 @@ module SqliFlowConfig implements DataFlow::ConfigSig {
         //     #endif
         exists(FunctionCall printf |
             printf.getTarget().getName().matches("%snprintf%") and
-            printf.getArgument(0) = out.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() and
+            printf.getArgument(0) = out.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument() and
             // very specific: shifted index for macro.
             printf.getArgument(6) = into.asExpr()
         )

session.ql

@@ -1,3 +1,11 @@
+/**
+ * @name SQLI Vulnerability
+ * @description Using untrusted strings in a sql query allows sql injection attacks.
+ * @kind path-problem
+ * @id cpp/sqlivulnerable
+ * @problem.severity warning
+ */
+
 import cpp
 
 // 1. invalid input -- source
@@ -59,9 +67,16 @@ import semmle.code.cpp.dataflow.new.TaintTracking
 
 module SqliFlowConfig implements DataFlow::ConfigSig {
     predicate isSource(DataFlow::Node source) {
+        exists(DataSource ds |
+            source.asExpr() = ds
+            )
     }
 
     predicate isSink(DataFlow::Node sink) {
+        exists(DataSink ds |
+            sink.asExpr() = ds
+            )
+
     }
   
 }