update from pre/postUpdate node to new forms

SqlInjection.ql

@@ -1,10 +1,10 @@
 /**
- * @name SQLI Vulnerability
+* @name SQLI Vulnerability
- * @description Using untrusted strings in a sql query allows sql injection attacks.
+* @description Using untrusted strings in a sql query allows sql injection attacks.
- * @kind path-problem
+* @kind path-problem
- * @id cpp/sqlivulnerable
+* @id cpp/sqlivulnerable
- * @problem.severity warning
+* @problem.severity warning
- */
+*/
 
 import cpp
 import semmle.code.cpp.dataflow.new.TaintTracking
@@ -15,33 +15,17 @@ module SqliFlowConfig implements DataFlow::ConfigSig {
         // count = read(STDIN_FILENO, buf, BUFSIZE);
         exists(FunctionCall read |
             read.getTarget().getName() = "read" and
-            read.getArgument(1) = source.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()
+            read.getArgument(1) = source.asDefiningArgument()
         )
     }
 
     predicate isBarrier(DataFlow::Node sanitizer) { none() }
 
-    predicate isAdditionalFlowStep(DataFlow::Node into, DataFlow::Node out) {
-        // Extra taint step
-        //     snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info);
-        // But snprintf is a macro on mac os.  The actual function's name is
-        //     #undef snprintf
-        //     #define snprintf(str, len, ...) \
-        //       __builtin___snprintf_chk (str, len, 0, __darwin_obsz(str), __VA_ARGS__)
-        //     #endif
-        exists(FunctionCall printf |
-            printf.getTarget().getName().matches("%snprintf%") and
-            printf.getArgument(0) = out.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr() and
-            // very specific: shifted index for macro.
-            printf.getArgument(6) = into.asExpr()
-        )
-    }
-
     predicate isSink(DataFlow::Node sink) {
         // rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
         exists(FunctionCall exec |
             exec.getTarget().getName() = "sqlite3_exec" and
-            exec.getArgument(1) = sink.asExpr()
+            exec.getArgument(1) = sink.asIndirectArgument()
         )
     }
 }
@@ -52,3 +36,4 @@ import MyFlow::PathGraph
 from  MyFlow::PathNode source, MyFlow::PathNode sink
 where MyFlow::flowPath(source, sink)
 select sink, source, sink, "Possible SQL injection"
+

cpp-sqli-c1b3c8d/baseline-info.json

@@ -1 +0,0 @@
-{"languages":{"cpp":{"displayName":"C/C++","files":["add-user.c"],"linesOfCode":78,"name":"cpp"}}}

cpp-sqli-c1b3c8d/codeql-database.yml

@@ -1,11 +0,0 @@
----
-sourceLocationPrefix: /Users/hohn/local/codeql-dataflow-sql-injection
-baselineLinesOfCode: 78
-unicodeNewlines: false
-columnKind: utf8
-primaryLanguage: cpp
-creationMetadata:
-  sha: c1b3c8d901eacddbb7949a8ca3b8acc11ffbda86
-  cliVersion: 2.20.0
-  creationTime: 2025-02-18T01:07:10.558137Z
-finalised: true

cpp-sqli-c1b3c8d/db-cpp/default/cache/version

@@ -1 +0,0 @@
-20190805:20220702:20240828:20241116