Include remote sources and sinks

mbaluda · mbaluda · commit f15fcc7bb532 · 2024-01-30T14:31:20.000+01:00
diff --git a/javascript/frameworks/cap/src/sqlinjection/SqlInjection.ql b/javascript/frameworks/cap/src/sqlinjection/SqlInjection.ql
@@ -19,9 +19,13 @@ import advanced_security.javascript.frameworks.cap.CQL
 class Configuration extends TaintTracking::Configuration {
   Configuration() { this = "CapSqlInjection" }
 
-  override predicate isSource(DataFlow::Node source) { source instanceof CDS::RequestSource }
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof Source or source instanceof CDS::RequestSource
+  }
 
-  override predicate isSink(DataFlow::Node sink) { sink instanceof CQL::CQLSink }
+  override predicate isSink(DataFlow::Node sink) {
+    sink instanceof Sink or sink instanceof CQL::CQLSink
+  }
 
   override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
     //string concatenation in a clause arg taints the clause
