JavaScript: Add model of JSON parsers

javascript/ql/test/query-tests/Security/CWE-089/SqlInjection.expected

@@ -1,6 +1,7 @@
 | mongodb.js:18:16:18:20 | query | This query depends on $@. | mongodb.js:13:19:13:26 | req.body | a user-provided value |
 | mongodb.js:39:16:39:20 | query | This query depends on $@. | mongodb.js:34:19:34:33 | req.query.title | a user-provided value |
 | mongoose.js:24:19:24:23 | query | This query depends on $@. | mongoose.js:21:19:21:26 | req.body | a user-provided value |
+| mongooseJsonParse.js:23:19:23:23 | query | This query depends on $@. | mongooseJsonParse.js:20:30:20:43 | req.query.data | a user-provided value |
 | tst2.js:9:27:9:84 | "select ... d + "'" | This query depends on $@. | tst2.js:9:66:9:78 | req.params.id | a user-provided value |
 | tst3.js:10:14:10:19 | query1 | This query depends on $@. | tst3.js:9:16:9:34 | req.params.category | a user-provided value |
 | tst4.js:8:10:8:66 | 'SELECT ... d + '"' | This query depends on $@. | tst4.js:8:46:8:60 | $routeParams.id | a user-provided value |

javascript/ql/test/query-tests/Security/CWE-089/mongooseJsonParse.js

@@ -0,0 +1,25 @@
+'use strict';
+const Express = require('express');
+const BodyParser = require('body-parser');
+const Mongoose = require('mongoose');
+Mongoose.Promise = global.Promise;
+Mongoose.connect('mongodb://localhost/injectable1');
+
+const app = Express();
+
+const Document = Mongoose.model('Document', {
+    title: {
+        type: String,
+        unique: true
+    },
+    type: String
+});
+
+app.get('/documents/find', (req, res) => {
+    const query = {};
+    query.title = JSON.parse(req.query.data).title;
+
+    // NOT OK: query is tainted by user-provided object value
+    Document.find(query);
+});
+