TL;DR: Pick a sink (eval, exec, query), trace inputs backwards to user-reachable sources. CodeQL / Semgrep / Joern as accelerators.
Stub — to be filled in.
What it is
TODO
Preconditions / where it applies
TODO
Technique
TODO
Detection and defence
TODO
References