Get the query depending on the type of sink

Author: jeongsoolee09

javascript/frameworks/cap/src/cqlinjection/CqlInjection.ql

@@ -14,8 +14,26 @@ import javascript
 import DataFlow::PathGraph
 import advanced_security.javascript.frameworks.cap.CAPCqlInjectionQuery
 
+DataFlow::Node getQueryOfSink(DataFlow::Node sink) {
+  exists(CqlRunMethodCall cqlRunMethodCall |
+    sink = cqlRunMethodCall.(CqlRunMethodCall).getAQueryParameter() and
+    result = sink
+  )
+  or
+  exists(CqlShortcutMethodCallWithStringConcat shortcutCall |
+    sink = shortcutCall.(CqlQueryRunnerCall).getAQueryParameter() and
+    result = shortcutCall
+  )
+  or
+  exists(AwaitExpr await, CqlClauseWithStringConcatParameter cqlClauseWithStringConcat |
+    sink = await.flow() and
+    await.getOperand() = cqlClauseWithStringConcat.(CqlClause).asExpr() and
+    result = cqlClauseWithStringConcat.(CqlClause).flow()
+  )
+}
+
 from CqlInjectionConfiguration sql, DataFlow::PathNode source, DataFlow::PathNode sink
 where sql.hasFlowPath(source, sink)
 /* TODO: Print different message if sink is `CqlShortcutMethodCallWithStringConcat` */
-select sink.getNode(), source, sink, "This CQL query depends on a $@.", source.getNode(),
-  "user-provided value"
+select getQueryOfSink(sink.getNode()), source, sink, "This CQL query depends on a $@.",
+  source.getNode(), "user-provided value"