Add dual/restricted-flow-configuration sql injection taint tracking query

session/session.ql

@@ -32,10 +32,6 @@ class FlowSinkOrigin extends DataFlow::FlowLabel {
   FlowSinkOrigin() { this = "FlowSinkOrigin" }
 }
 
-class UltimateFlow extends DataFlow::FlowLabel {
-  UltimateFlow() { this = "UltimateFlow" }
-}
-
 class IdentifyFlowSink extends TaintTracking::Configuration {
   IdentifyFlowSink() { this = "IdentifyFlowSink" }
 
@@ -46,9 +42,6 @@ class IdentifyFlowSink extends TaintTracking::Configuration {
       nd.asExpr() = newdb and
       lbl instanceof FlowSinkOrigin
     )
-    or
-    nd.asExpr() = uSource(_) and
-    lbl instanceof UltimateFlow
   }
 
   override predicate isSink(DataFlow::Node nd, DataFlow::FlowLabel lbl) {
@@ -59,9 +52,6 @@ class IdentifyFlowSink extends TaintTracking::Configuration {
       nd.asExpr() = db and
       lbl instanceof FlowSinkOrigin
     )
-    or
-    nd.asExpr() = uSink(_) and
-    lbl instanceof UltimateFlow
   }
 }
 
@@ -73,9 +63,14 @@ class UltimateFlowCfg extends TaintTracking::Configuration {
   override predicate isSink(DataFlow::Node nd) { nd.asExpr() = uSink(_) }
 }
 
-// from IdentifyFlowSink cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-// where cfg.hasFlowPath(source, sink)
-// select sink, source, sink, "Database originating $@", source, "here"
-from UltimateFlowCfg cfg, DataFlow::PathNode source, DataFlow::PathNode sink
-where cfg.hasFlowPath(source, sink)
-select sink, source, sink, "Sql injected from $@", source, "here"
+from
+  UltimateFlowCfg ucfg, DataFlow::PathNode usource, DataFlow::PathNode usink, IdentifyFlowSink cfg,
+  DataFlow::Node source, DataFlow::Node sink
+where
+  cfg.hasFlow(source, sink) and
+  ucfg.hasFlowPath(usource, usink) and
+  exists(MethodCallExpr exec |
+    sink.asExpr() = exec.getReceiver() and
+    usink.getNode().asExpr() = exec.getAnArgument()
+  )
+select usink, usource, usink, "Sql injected from $@", usource, "here"