JS: Track deep flow through qs.stringify

javascript/ql/lib/semmle/javascript/frameworks/UriLibraries.qll

@@ -421,3 +421,22 @@ private module ClosureLibraryUri {
     }
   }
 }
+
+private class QueryStringStringification extends DataFlow::SummarizedCallable {
+  QueryStringStringification() { this = "query-string stringification" }
+
+  override DataFlow::InvokeNode getACall() {
+    result =
+      API::moduleImport(["querystring", "query-string", "querystringify", "qs"])
+          .getMember("stringify")
+          .getACall() or
+    result = API::moduleImport("url-parse").getMember("qs").getMember("stringify").getACall() or
+    result = API::moduleImport("parseqs").getMember("encode").getACall()
+  }
+
+  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+    preservesValue = false and
+    input = ["Argument[0]", "Argument[0].AnyMemberDeep"] and
+    output = "ReturnValue"
+  }
+}

javascript/ql/test/query-tests/Security/CWE-200/googlecompiler.js

@@ -34,7 +34,7 @@ function PostCode(codestring) {
       });
   });
 
-  post_req.write(post_data); // $ MISSING: Alert - post the data from file to request body
+  post_req.write(post_data); // $ Alert - post the data from file to request body
   post_req.end();
 
 }
@@ -58,4 +58,4 @@ fs.readFile('LinkedList.js', 'utf-8', function (err, data) {
     console.log("No data to post");
     process.exit(-1);
   }
-});
+});