From aa5d019740bb498ae9735d01363cddbd8f8aa040 Mon Sep 17 00:00:00 2001
From: Michael Hohn
Date: Mon, 20 Jul 2020 14:26:44 -0700
Subject: [PATCH] sql injection: try flow configuration (with pathgraph). Not ready
---
 SqlInjection.ql | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/SqlInjection.ql b/SqlInjection.ql
index 5b21bfe..ec52b11 100644
--- a/SqlInjection.ql
+++ b/SqlInjection.ql
@@ -8,6 +8,7 @@
 import cpp
 import semmle.code.cpp.dataflow.TaintTracking
+import DataFlow::PathGraph
 class SqliFlowConfig extends TaintTracking::Configuration {
 SqliFlowConfig() { this = "SqliFlow" }
@@ -33,13 +34,6 @@ class SqliFlowConfig extends TaintTracking::Configuration {
 }
 }
-// from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
-// where conf.hasFlowPath(source, sink)
-// select sink, source, sink, "Possible SQL injection"
-// Sink identification
-// rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
-from FunctionCall exec, DataFlow::Node sink
-where
- exec.getTarget().getName() = "sqlite3_exec" and
- exec.getArgument(1) = sink.asExpr()
-select exec, sink
+from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
+where conf.hasFlowPath(source, sink)
+select sink, source, sink, "Possible SQL injection"
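Review bot: The new `select sink, source, sink, "Possible SQL injection"` in the second hunk only produces a path result if the query's metadata declares `@kind path-problem`; that header sits above line 8, outside both hunks, so it should be confirmed, since a four-column select under `@kind problem` will not match the expected result shape. The conventional first column is the underlying node and the message should link the source so the alert names where tainted data enters: `select sink.getNode(), source, sink, "Possible SQL injection from $@.", source.getNode(), "user input"`. The removed standalone query was the only place this patch shows a sink being identified (`sqlite3_exec` argument 1); `isSink` in `SqliFlowConfig` (lines 8–33, not in either hunk) must now carry that `getArgument(1)` check or the configuration has no sinks and `hasFlowPath` is empty. A comment at the new `from` line noting that sources and sinks are defined in the configuration, e.g. `// Sources/sinks: see SqliFlowConfig above`, would help readers who previously found the sink pattern here.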