From 134010ac7e3896cf668cc375342d44bb85f16633 Mon Sep 17 00:00:00 2001
From: dilanbhalla <35575727+dilanbhalla@users.noreply.github.com>
Date: Tue, 27 Feb 2024 13:30:38 -0800
Subject: [PATCH 1/2] Update SQL.qll
---
 .../lib/semmle/javascript/frameworks/SQL.qll | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll b/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll
index 09b148d6e6a..0a09a7923ca 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll
@@ -454,3 +454,27 @@ private module SpannerCsv {
 }
 }
 }
+
+/**
+ * Provides classes modeling the `tedious` package.
+ */
+private module Tedious {
+ API::Node tedious() { result = API::moduleImport("tedious")}
+
+ class QueryCall extends DatabaseAccess, API::CallNode {
+ QueryCall(){
+ this = tedious().getMember("Connection").getInstance().getMember("execSql").getACall()
+ }
+ override DataFlow::Node getAQueryArgument(){
+ exists(API::NewNode request |
+ request = API::moduleImport("tedious").getMember("Request").getAnInstantiation() and
+ this.getParameter(0).asSink() = request.getReturn().getAValueReachableFromSource() and
+ result = request.getArgument(0)
+ )
+ }
+ }
+
+ class QueryString extends SQL::SqlString {
+ QueryString() {this = any(QueryCall qc).getAQueryArgument()}
+ }
+}
From 8e05f2a1f0f99d65fba5f8a1b0b7e18d7cfe4abe Mon Sep 17 00:00:00 2001
From: dilanbhalla <35575727+dilanbhalla@users.noreply.github.com>
Date: Tue, 27 Feb 2024 13:38:39 -0800
Subject: [PATCH 2/2] Update SQL.qll
---
 javascript/ql/lib/semmle/javascript/frameworks/SQL.qll | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll b/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll
index 0a09a7923ca..4d178bf3373 100644
--- a/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll
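Review bot: `QueryCall` matches only `execSql`, so a `Request` whose SQL text is run through `Connection.execSqlBatch(request)` is never reported as a query argument, and the SQL-injection queries built on `SQL::SqlString` stay silent for it. Widening the lookup in the characteristic predicate to `.getMember(["execSql", "execSqlBatch"])` covers both entry points; as far as I know `callProcedure` takes a procedure name rather than SQL text, so leaving it out looks right. `tedious()`, `QueryCall` and `QueryString` carry no QLDoc; I would add `/** Gets an API node for the tedious module. */`, `/** A call to a tedious method that executes the SQL text of a request. */` and `/** An expression used as the SQL text of an executed tedious request. */`. The patch changes only SQL.qll, so a library test with `new Request(sql, cb)` passed to `connection.execSql(request)` would pin the link that `getAQueryArgument` relies on.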
+++ b/javascript/ql/lib/semmle/javascript/frameworks/SQL.qll
@@ -467,7 +467,7 @@ private module Tedious {
 }
 override DataFlow::Node getAQueryArgument(){
 exists(API::NewNode request |
- request = API::moduleImport("tedious").getMember("Request").getAnInstantiation() and
+ request = tedious().getMember("Request").getAnInstantiation() and
 this.getParameter(0).asSink() = request.getReturn().getAValueReachableFromSource() and
 result = request.getArgument(0)
 )