updates for module system; include a db

Author: hohn

README.org

@@ -2,28 +2,26 @@
  * @name SQLI Vulnerability
  * @description Using untrusted strings in a sql query allows sql injection attacks.
  * @kind path-problem
- * @id cpp/SQLIVulnerable
+ * @id cpp/sqlivulnerable
  * @problem.severity warning
  */
 
 import cpp
-import semmle.code.cpp.dataflow.TaintTracking
-import DataFlow::PathGraph
+import semmle.code.cpp.dataflow.new.TaintTracking
 
-class SqliFlowConfig extends TaintTracking::Configuration {
-    SqliFlowConfig() { this = "SqliFlow" }
+module SqliFlowConfig implements DataFlow::ConfigSig {
 
-    override predicate isSource(DataFlow::Node source) {
+    predicate isSource(DataFlow::Node source) {
         // count = read(STDIN_FILENO, buf, BUFSIZE);
         exists(FunctionCall read |
             read.getTarget().getName() = "read" and
             read.getArgument(1) = source.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr()
         )
     }
 
-    override predicate isSanitizer(DataFlow::Node sanitizer) { none() }
+    predicate isBarrier(DataFlow::Node sanitizer) { none() }
 
-    override predicate isAdditionalTaintStep(DataFlow::Node into, DataFlow::Node out) {
+    predicate isAdditionalFlowStep(DataFlow::Node into, DataFlow::Node out) {
         // Extra taint step
         //     snprintf(query, bufsize, "INSERT INTO users VALUES (%d, '%s')", id, info);
         // But snprintf is a macro on mac os.  The actual function's name is
@@ -39,7 +37,7 @@ class SqliFlowConfig extends TaintTracking::Configuration {
         )
     }
 
-    override predicate isSink(DataFlow::Node sink) {
+    predicate isSink(DataFlow::Node sink) {
         // rc = sqlite3_exec(db, query, NULL, 0, &zErrMsg);
         exists(FunctionCall exec |
             exec.getTarget().getName() = "sqlite3_exec" and
@@ -48,6 +46,9 @@ class SqliFlowConfig extends TaintTracking::Configuration {
     }
 }
 
-from SqliFlowConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
-where conf.hasFlowPath(source, sink)
+module MyFlow = TaintTracking::Global<SqliFlowConfig>;
+import MyFlow::PathGraph
+
+from  MyFlow::PathNode source, MyFlow::PathNode sink
+where MyFlow::flowPath(source, sink)
 select sink, source, sink, "Possible SQL injection"

SqlInjection.ql

@@ -12,6 +12,7 @@
 		}
 	],
 	"settings": {
-		"codeQL.runningQueries.autoSave": true
+		"codeQL.runningQueries.autoSave": true,
+		"sarif-viewer.connectToGithubCodeScanning": "off"
 	}
 }

codeql-dataflow-sql-injection.code-workspace

@@ -0,0 +1 @@
+{"languages":{"cpp":{"displayName":"C/C++","files":["add-user.c"],"linesOfCode":78,"name":"cpp"}}}

cpp-sqli-c1b3c8d/baseline-info.json

@@ -0,0 +1,11 @@
+---
+sourceLocationPrefix: /Users/hohn/local/codeql-dataflow-sql-injection
+baselineLinesOfCode: 78
+unicodeNewlines: false
+columnKind: utf8
+primaryLanguage: cpp
+creationMetadata:
+  sha: c1b3c8d901eacddbb7949a8ca3b8acc11ffbda86
+  cliVersion: 2.20.0
+  creationTime: 2025-02-18T01:07:10.558137Z
+finalised: true