Python taint-tracking: Fix up SQL injection query.

python/ql/src/Security/CWE-089/SqlInjection.ql

@@ -26,12 +26,26 @@ class SQLInjectionConfiguration extends TaintTracking::Configuration {
 
     SQLInjectionConfiguration() { this = "SQL injection configuration" }
 
-    override predicate isSource(TaintTracking::Source source) { source instanceof HttpRequestTaintSource }
+    override predicate isSource(TaintTracking::Source source) {
+        source instanceof HttpRequestTaintSource
+    }
 
     override predicate isSink(TaintTracking::Sink sink) { sink instanceof SqlInjectionSink }
 
 }
 
+/* Additional configuration to support tracking of DB objects. Connections, cursors, etc. */
+class DbConfiguration extends TaintTracking::Configuration {
+
+    DbConfiguration() { this = "DB configuration" }
+
+    override predicate isSource(TaintTracking::Source source) {
+        source instanceof DjangoModelObjects or
+        source instanceof DbConnectionSource
+    }
+
+}
+
 from SQLInjectionConfiguration config, TaintedPathSource src, TaintedPathSink sink
 where config.hasFlowPath(src, sink)
 select sink.getSink(), src, sink, "This SQL query depends on $@.", src.getSource(), "a user-provided value"