Python: use SqlConstruction in SqlAlchemy and

`SqlInjection`

python/ql/lib/semmle/python/frameworks/SqlAlchemy.qll

@@ -313,9 +313,11 @@ module SqlAlchemy {
      * A construction of a `sqlalchemy.sql.expression.TextClause`, which represents a
      * textual SQL string directly.
      */
-    abstract class TextClauseConstruction extends DataFlow::CallCfgNode {
+    abstract class TextClauseConstruction extends SqlConstruction::Range, DataFlow::CallCfgNode {
       /** Gets the argument that specifies the SQL text. */
-      DataFlow::Node getTextArg() { result in [this.getArg(0), this.getArgByName("text")] }
+      final override DataFlow::Node getSql() {
+        result in [this.getArg(0), this.getArgByName("text")]
+      }
     }
 
     /** `TextClause` constructions from the `sqlalchemy` package. */

python/ql/lib/semmle/python/security/dataflow/SqlInjectionCustomizations.qll

@@ -42,6 +42,13 @@ module SqlInjection {
    */
   class RemoteFlowSourceAsSource extends Source, RemoteFlowSource { }
 
+  /**
+   * A SQL statement of a SQL construction, considered as a flow sink.
+   */
+  class SqlConstructionAsSink extends Sink {
+    SqlConstructionAsSink() { this = any(SqlConstruction c).getSql() }
+  }
+
   /**
    * A SQL statement of a SQL execution, considered as a flow sink.
    */
@@ -49,13 +56,6 @@ module SqlInjection {
     SqlExecutionAsSink() { this = any(SqlExecution e).getSql() }
   }
 
-  /**
-   * The text argument of a SQLAlchemy TextClause construction, considered as a flow sink.
-   */
-  class TextArgAsSink extends Sink {
-    TextArgAsSink() { this = any(SqlAlchemy::TextClause::TextClauseConstruction tcc).getTextArg() }
-  }
-
   /**
    * A comparison with a constant string, considered as a sanitizer-guard.
    */