From e31039dd6487be205fcdec511aa85407d026c1e8 Mon Sep 17 00:00:00 2001
From: Michael Hohn
Date: Mon, 20 Jul 2020 13:53:10 -0700
Subject: [PATCH] sql injection: Flow configuration template

---
 SqlInjection.ql | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 SqlInjection.ql

diff --git a/SqlInjection.ql b/SqlInjection.ql
new file mode 100644
index 0000000..ad90230
--- /dev/null
+++ b/SqlInjection.ql
@@ -0,0 +1,26 @@
+/**
+ * @name SQLI Vulnerability
+ * @description Using untrusted strings in a sql query allows sql injection attacks.
+ * @kind path-problem
+ * @id cpp/SQLIVulnerable
+ * @problem.severity warning
+ */
+
+import cpp
+import semmle.code.cpp.dataflow.TaintTracking
+
+class SqliFlowConfig extends TaintTracking::Configuration {
+ SqliFlowConfig() { this = "SqliFlow" }
+
+ override predicate isSource(DataFlow::Node source) { any() }
+
+ override predicate isSanitizer(DataFlow::Node sanitizer) { none() }
+
+ override predicate isAdditionalTaintStep(DataFlow::Node n1, DataFlow::Node n2) { none() }
+
+ override predicate isSink(DataFlow::Node sink) { any() }
+}
+
+from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
+where conf.hasFlowPath(source, sink)
+select sink, source, sink, "Possible SQL injection"
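Review bot: With both `isSource` and `isSink` defined as `any()`, every data-flow node is simultaneously a source and a sink, so `hasFlowPath` will report a path for every taint-connected pair of nodes — the query as committed cannot distinguish SQL injection from ordinary data flow and will be very expensive on a real database. Since the subject calls this a template, the placeholders should say so in the file, e.g. above the class: `// TEMPLATE: restrict isSource to untrusted inputs (argv, network/file reads) and isSink to arguments of SQL-executing calls before running this on a real database.` The `isSanitizer` and `isAdditionalTaintStep` overrides returning `none()` match the defaults and only serve as placeholders, which the same comment should note. Two metadata points of style: query ids conventionally use lowercase kebab-case (`@id cpp/sqli-vulnerable`) and security queries carry `@tags security`, and for a SQL-injection finding `@problem.severity error` is the usual level. The select clause also conventionally uses `sink.getNode()` as the first column of a path-problem result rather than the `PathNode` itself — worth confirming against the library version in use.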