Merge pull request #7029 from erik-krogh/cwe384

JS: add js/session-fixation query

javascript/ql/test/query-tests/Security/CWE-384/SessionFixation.expected

@@ -0,0 +1,2 @@
+| tst.js:9:1:14:2 | app.get ... n');\\n}) | Route handler does not invalidate session following login |
+| tst.js:27:1:29:2 | app.get ... n');\\n}) | Route handler does not invalidate session following login |

javascript/ql/test/query-tests/Security/CWE-384/SessionFixation.qlref

@@ -0,0 +1 @@
+Security/CWE-384/SessionFixation.ql

javascript/ql/test/query-tests/Security/CWE-384/tst.js

@@ -0,0 +1,40 @@
+const express = require('express');
+const session = require('express-session');
+const passport = require('passport');
+const app = express();
+app.use(session({
+    secret: 'keyboard cat'
+}));
+// handle login
+app.get('/login', function (req, res) { // NOT OK - no regenerate
+    req.session.user = {
+        userId: something
+    };
+    res.send('logged in');
+});
+
+// with regenerate
+app.get('/login2', function (req, res) { // OK
+    req.session.regenerate(function (err) {
+        req.session.user = {
+            userId: something
+        };
+        res.send('logged in');
+    });
+});
+
+// using passport
+app.get('/passport', passport.authenticate('local'), function (req, res) { // NOT OK - no regenerate
+    res.send('logged in');
+});
+
+// with regenerate, still using passport
+app.get('/passport2', passport.authenticate('local'), function (req, res) { // OK
+    var passport = req._passport.instance;
+    req.session.regenerate(function(err, done, user) {
+        req.session[passport._key] = {};
+        req._passport.instance = passport;
+        req._passport.session = req.session[passport._key];
+        res.send('logged in');
+    });
+});