JS: add query: js/stored-xss

javascript/ql/test/query-tests/Security/CWE-079/StoredXss.expected

@@ -0,0 +1,4 @@
+| xss-through-filenames.js:8:18:8:23 | files1 | Stored cross-site scripting vulnerability due to $@. | xss-through-filenames.js:7:43:7:48 | files1 | stored value |
+| xss-through-filenames.js:26:19:26:24 | files1 | Stored cross-site scripting vulnerability due to $@. | xss-through-filenames.js:25:43:25:48 | files1 | stored value |
+| xss-through-filenames.js:33:19:33:24 | files2 | Stored cross-site scripting vulnerability due to $@. | xss-through-filenames.js:25:43:25:48 | files1 | stored value |
+| xss-through-filenames.js:37:19:37:24 | files3 | Stored cross-site scripting vulnerability due to $@. | xss-through-filenames.js:25:43:25:48 | files1 | stored value |

javascript/ql/test/query-tests/Security/CWE-079/StoredXss.qlref

@@ -0,0 +1 @@
+Security/CWE-079/StoredXss.ql

javascript/ql/test/query-tests/Security/CWE-079/xss-through-filenames.js

@@ -0,0 +1,40 @@
+var http = require('http');
+var fs = require('fs');
+
+var express = require('express');
+
+express().get('/', function(req, res) {
+    fs.readdir("/myDir", function (error, files1) {
+        res.send(files1); // NOT OK
+    });
+});
+
+/**
+ * The essence of a real world vulnerability.
+ */
+http.createServer(function (req, res) {
+
+    function format(files2) {
+        var files3 = [];
+        files2.sort(sort).forEach(function (file) {
+            files3.push('<li>' + file + '</li>');
+        });
+        return files3.join('');
+    }
+
+    fs.readdir("/myDir", function (error, files1) {
+        res.write(files1); // NOT OK
+
+        var dirs = [];
+        var files2 = [];
+        files1.forEach(function (file) {
+            files2.push(file);
+        });
+        res.write(files2); // NOT OK
+
+        var files3 = format(files2);
+
+        res.write(files3);  // NOT OK
+
+    });
+});