Add coverage for express

javascript/ql/lib/semmle/javascript/frameworks/Cors.qll

@@ -0,0 +1,24 @@
+/**
+ * Provides classes for working with Cors connectors.
+ */
+
+import javascript
+
+/** Provides classes modeling [cors package](https://npmjs.com/package/cors) */
+module Cors {
+  class Cors extends DataFlow::CallNode {
+    /** Get an instanceof of `cors` */
+    Cors() { this = DataFlow::moduleImport("cors").getAnInvocation() }
+
+    /** Get Cors configuration */
+    DataFlow::Node getCorsArgument() { result = this.getArgument(0) }
+
+    /** Holds if cors is using default configuration */
+    predicate isDefault() { this.getNumArgument() = 0 }
+
+    /** The value of origin */
+    DataFlow::Node getOrigin() {
+      result = this.getCorsArgument().getALocalSource().getAPropertyWrite("origin").getRhs()
+    }
+  }
+}

javascript/ql/lib/semmle/javascript/frameworks/Express.qll

@@ -5,6 +5,7 @@
 import javascript
 import semmle.javascript.frameworks.HTTP
 import semmle.javascript.frameworks.ExpressModules
+import semmle.javascript.frameworks.Cors
 private import semmle.javascript.dataflow.InferredTypes
 private import semmle.javascript.frameworks.ConnectExpressShared::ConnectExpressShared
 
@@ -1071,4 +1072,23 @@ module Express {
 
     override predicate definitelyResumesDispatch() { none() }
   }
+
+  class CorsConfiguration extends DataFlow::MethodCallNode {
+    /** Get an `app.use` with a cors object as argument */
+    CorsConfiguration() {
+      this = appCreation().getAMethodCall("use") and this.getArgument(0) instanceof Cors::Cors
+    }
+
+    /** Get Cors */
+    private Cors::Cors cors() { result = this.getArgument(0).(Cors::Cors) }
+
+    /** Get Cors configuration */
+    DataFlow::Node getCorsArgument() { result = cors().getCorsArgument() }
+
+    /** Holds if cors is using default configuration */
+    predicate isDefault() { cors().isDefault() }
+
+    /** Get Cors origin value */
+    DataFlow::Node getOrigin() { result = cors().getOrigin() }
+  }
 }

javascript/ql/lib/semmle/javascript/security/dataflow/CorsPermissiveConfigurationCustomizations.qll

@@ -44,4 +44,11 @@ module CorsPermissiveConfiguration {
       )
     }
   }
+
+  /**
+   * The value of cors origin when initializing the application.
+   */
+  class ExpressCors extends Sink, DataFlow::ValueNode {
+    ExpressCors() { exists(Express::CorsConfiguration config | this = config.getOrigin()) }
+  }
 }