Use asIndirecArgument

SqlInjection.ql

@@ -15,17 +15,33 @@ module SqliFlowConfig implements DataFlow::ConfigSig {
         // count = read(STDIN_FILENO, buf, BUFSIZE);
         exists(FunctionCall read |
             read.getTarget().getName() = "read" and
-            read.getArgument(1) = source.asDefiningArgument()
+            read.getArgument(1) = source.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument()
         )
     }
 
     predicate isBarrier(DataFlow::Node sanitizer) { none() }
 
+    predicate isAdditionalFlowStep(DataFlow::Node into, DataFlow::Node out) {
+        // Extra taint step
+        //     snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info);
+        // But snprintf is a macro on mac os.  The actual function's name is
+        //     #undef snprintf
+        //     #define snprintf(str, len, ...) \
+        //       __builtin___snprintf_chk (str, len, 0, __darwin_obsz(str), __VA_ARGS__)
+        //     #endif
+        exists(FunctionCall printf |
+            printf.getTarget().getName().matches("%snprintf%") and
+            printf.getArgument(0) = out.(DataFlow::PostUpdateNode).getPreUpdateNode().asIndirectArgument() and
+            // very specific: shifted index for macro.
+            printf.getArgument(6) = into.asExpr()
+        )
+    }
+
     predicate isSink(DataFlow::Node sink) {
         // rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
         exists(FunctionCall exec |
             exec.getTarget().getName() = "sqlite3_exec" and
-            exec.getArgument(1) = sink.asIndirectArgument()
+            exec.getArgument(1) = sink.asExpr()
         )
     }
 }
@@ -36,4 +52,3 @@ import MyFlow::PathGraph
 from  MyFlow::PathNode source, MyFlow::PathNode sink
 where MyFlow::flowPath(source, sink)
 select sink, source, sink, "Possible SQL injection"
-

session.ql

@@ -1,18 +1,17 @@
+/**
+ * @name SQLI Vulnerability
+ * @description Using untrusted strings in a sql query allows sql injection attacks.
+ * @kind path-problem
+ * @id cpp/sqlivulnerable
+ * @problem.severity warning
+ */
+
 import cpp
 
 // 1. invalid input -- source
 //    count = read(STDIN_FILENO, buf, BUFSIZE - 1);
 //
-// 2. gets to a sql statement -- flow
+
-//    flow config
-//
-// 3. drops table -- sink
-//    rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
-// All predicates and classes are using one of:
-// AST Abstract syntax tree
-// CFG Control flow graph
-// DFG Data flow graph
-// Type hierarchy
 class DataSource extends VariableAccess {
     DataSource() {
       exists(FunctionCall read |
@@ -22,8 +21,70 @@ class DataSource extends VariableAccess {
     }
   }
 
-from FunctionCall read, VariableAccess buf
+// from DataSource buf
-where
+// select buf
-  read.getTarget().getName() = "read" and
+  
-  read.getArgument(1) = buf
+// 2. gets to a sql statement -- flow
-select buf
+//    flow config
+//
+// 3. drops table -- sink
+//    rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
+
+
+class DataSink extends Expr {
+    DataSink() {
+      exists(FunctionCall read |
+       read.getTarget().getName() = "sqlite3_exec" and
+       read.getArgument(1) = this
+      )
+    }
+  }
+
+// from DataSource ds
+// select ds
+
+
+// from FunctionCall exec, Expr query 
+// where exec.getTarget().getName() = "sqlite3_exec" and
+// exec.getArgument(1) = query
+// select query
+// from StmtParent st
+// where not (st instanceof VariableAccess)
+// select st
+
+
+
+// All predicates and classes are using one of:
+// AST Abstract syntax tree
+// CFG Control flow graph
+// DFG Data flow graph
+// Type hierarchy
+//
+
+
+import semmle.code.cpp.dataflow.new.TaintTracking
+
+
+module SqliFlowConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node source) {
+        exists(DataSource ds |
+            source.asExpr() = ds
+            )
+    }
+
+    predicate isSink(DataFlow::Node sink) {
+        exists(DataSink ds |
+            sink.asExpr() = ds
+            )
+
+    }
+  
+}
+
+
+module MyFlow = TaintTracking::Global<SqliFlowConfig>;
+import MyFlow::PathGraph
+
+from  MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
+select sink, source, sink, "Possible SQL injection"