Predicate tainted
A tainted expression is either directly user input, or is computed from user input in a way that users can probably control the exact output of the computation.
This doesn’t include data flow through global variables. If you need that, call taintedIncludingGlobalVars instead.
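An added example query (not part of this page or of the library) that uses both predicates to show the difference: it reports calls whose first argument depends on user input and says whether the flow is direct or only visible once global variables are followed. The choice of system as the sink, and the argument shapes tainted(source, element) and taintedIncludingGlobalVars(source, element, globalVar), are assumptions, since this page does not list the signatures.

```ql
/**
 * @name User input reaching system() (added example)
 * @kind problem
 * @id example/tainted-vs-global-taint
 */

import cpp
import semmle.code.cpp.security.TaintTrackingImpl

from Expr source, FunctionCall call, Expr arg, string globalVar, string how
where
  // Assumed sink for illustration: the command string passed to system().
  call.getTarget().hasGlobalName("system") and
  arg = call.getArgument(0) and
  // Superset relation: direct flow plus flow that passes through a global.
  taintedIncludingGlobalVars(source, arg, globalVar) and
  (
    // tainted() alone misses any path that goes through a global variable,
    // so use it to label which results it would have found on its own.
    if tainted(source, arg)
    then how = "direct flow"
    else how = "flow through global variable '" + globalVar + "'"
  )
select call, "Argument depends on $@ (" + how + ").", source, "this user input"
```

Results labelled "flow through global variable" are the ones a query built only on tainted would not report.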
Import path
import semmle.code.cpp.security.TaintTrackingImpl