Python: Add query to handle SQLAlchemy TextClause Injection

instead of doing this via taint-steps. See description in code/tests.

python/ql/test/query-tests/Security/CWE-089-SQLAlchemyTextClauseInjection/test.py

@@ -0,0 +1,43 @@
+from flask import Flask, request
+import sqlalchemy
+import sqlalchemy.orm
+
+app = Flask(__name__)
+engine = sqlalchemy.create_engine(...)
+Base = sqlalchemy.orm.declarative_base()
+
+
+class User(Base):
+    __tablename__ = "users"
+
+    id = sqlalchemy.Column(sqlalchemy.Integer, primary_key=True)
+    username = sqlalchemy.Column(sqlalchemy.String)
+
+
+@app.route("/users/<username>")
+def show_user(username):
+    session = sqlalchemy.orm.Session(engine)
+
+    # BAD, normal SQL injection
+    stmt = sqlalchemy.text("SELECT * FROM users WHERE username = '{}'".format(username))
+    results = session.execute(stmt).fetchall()
+
+    # BAD, allows SQL injection
+    username_formatted_for_sql = sqlalchemy.text("'{}'".format(username))
+    stmt = sqlalchemy.select(User).where(User.username == username_formatted_for_sql)
+    results = session.execute(stmt).scalars().all()
+
+    # GOOD, does not allow for SQL injection
+    stmt = sqlalchemy.select(User).where(User.username == username)
+    results = session.execute(stmt).scalars().all()
+
+
+    # All of these should be flagged by query
+    t1 = sqlalchemy.text(username)
+    t2 = sqlalchemy.text(text=username)
+    t3 = sqlalchemy.sql.text(username)
+    t4 = sqlalchemy.sql.text(text=username)
+    t5 = sqlalchemy.sql.expression.text(username)
+    t6 = sqlalchemy.sql.expression.text(text=username)
+    t7 = sqlalchemy.sql.expression.TextClause(username)
+    t8 = sqlalchemy.sql.expression.TextClause(text=username)