PS: Remove environment variables as flow sources from 'powershell/microsoft/public/sql-injection'.

MathiasVP · MathiasVP · commit 95926cbc7097 · 2025-07-24T00:11:31.000+01:00
diff --git a/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll b/powershell/ql/lib/semmle/code/powershell/security/SqlInjectionCustomizations.qll
@@ -38,8 +38,13 @@ module SqlInjection {
   abstract class Sanitizer extends DataFlow::Node { }
 
   /** A source of user input, considered as a flow source for command injection. */
-  class FlowSourceAsSource extends Source instanceof SourceNode {
-    override string getSourceType() { result = SourceNode.super.getSourceType() }
+  class FlowSourceAsSource extends Source {
+    FlowSourceAsSource() {
+      this instanceof SourceNode and
+      not this instanceof EnvironmentVariableSource
+    }
+
+    override string getSourceType() { result = this.(SourceNode).getSourceType() }
   }
 
   class InvokeSqlCmdSink extends Sink {
