JS: add js/conditional-bypass example as a test case

javascript/ql/test/query-tests/Security/CWE-807/ConditionalBypass.expected

@@ -1,4 +1,14 @@
 nodes
+| example_bypass.js:6:9:6:19 | req.cookies |
+| example_bypass.js:6:9:6:19 | req.cookies |
+| example_bypass.js:6:9:6:34 | req.coo ... nUserId |
+| example_bypass.js:6:9:6:34 | req.coo ... nUserId |
+| example_bypass.js:6:40:6:56 | req.params.userId |
+| example_bypass.js:6:40:6:56 | req.params.userId |
+| example_bypass.js:6:40:6:56 | req.params.userId |
+| example_bypass.js:17:46:17:62 | req.params.userId |
+| example_bypass.js:17:46:17:62 | req.params.userId |
+| example_bypass.js:17:46:17:62 | req.params.userId |
 | tst.js:9:8:9:26 | req.params.shutDown |
 | tst.js:9:8:9:26 | req.params.shutDown |
 | tst.js:9:8:9:26 | req.params.shutDown |
@@ -60,6 +70,12 @@ nodes
 | tst.js:113:13:113:32 | req.query.vulnerable |
 | tst.js:113:13:113:32 | req.query.vulnerable |
 edges
+| example_bypass.js:6:9:6:19 | req.cookies | example_bypass.js:6:9:6:34 | req.coo ... nUserId |
+| example_bypass.js:6:9:6:19 | req.cookies | example_bypass.js:6:9:6:34 | req.coo ... nUserId |
+| example_bypass.js:6:9:6:19 | req.cookies | example_bypass.js:6:9:6:34 | req.coo ... nUserId |
+| example_bypass.js:6:9:6:19 | req.cookies | example_bypass.js:6:9:6:34 | req.coo ... nUserId |
+| example_bypass.js:6:40:6:56 | req.params.userId | example_bypass.js:6:40:6:56 | req.params.userId |
+| example_bypass.js:17:46:17:62 | req.params.userId | example_bypass.js:17:46:17:62 | req.params.userId |
 | tst.js:9:8:9:26 | req.params.shutDown | tst.js:9:8:9:26 | req.params.shutDown |
 | tst.js:13:9:13:19 | req.cookies | tst.js:13:9:13:30 | req.coo ... inThing |
 | tst.js:13:9:13:19 | req.cookies | tst.js:13:9:13:30 | req.coo ... inThing |

javascript/ql/test/query-tests/Security/CWE-807/DifferentKindsComparisonBypass.expected

@@ -1,3 +1,4 @@
+| example_bypass.js:6:9:6:56 | req.coo ... .userId | This comparison of $@ and $@ is a potential security risk since it is controlled by the user. | example_bypass.js:6:9:6:19 | req.cookies | req.cookies | example_bypass.js:6:40:6:56 | req.params.userId | req.params.userId |
 | tst-different-kinds-comparison-bypass.js:7:5:7:42 | req.que ... .userId | This comparison of $@ and $@ is a potential security risk since it is controlled by the user. | tst-different-kinds-comparison-bypass.js:7:5:7:20 | req.query.userId | req.query.userId | tst-different-kinds-comparison-bypass.js:7:25:7:35 | req.cookies | req.cookies |
 | tst-different-kinds-comparison-bypass.js:11:5:11:23 | req.url == req.body | This comparison of $@ and $@ is a potential security risk since it is controlled by the user. | tst-different-kinds-comparison-bypass.js:11:5:11:11 | req.url | req.url | tst-different-kinds-comparison-bypass.js:11:16:11:23 | req.body | req.body |
 | tst-different-kinds-comparison-bypass.js:16:9:16:14 | a == b | This comparison of $@ and $@ is a potential security risk since it is controlled by the user. | tst-different-kinds-comparison-bypass.js:13:11:13:26 | req.query.userId | req.query.userId | tst-different-kinds-comparison-bypass.js:13:29:13:39 | req.cookies | req.cookies |

javascript/ql/test/query-tests/Security/CWE-807/example_bypass.js

@@ -0,0 +1,24 @@
+var express = require('express');
+var app = express();
+// ...
+app.get('/full-profile/:userId', function(req, res) {
+
+    if (req.cookies.loggedInUserId !== req.params.userId) { // NOT OK
+        // BAD: login decision made based on user controlled data
+        requireLogin();
+    } else {
+        // ... show private information
+    }
+
+});
+
+app.get('/full-profile/:userId', function(req, res) {
+
+    if (req.signedCookies.loggedInUserId !== req.params.userId) { // OK
+        // GOOD: login decision made based on server controlled data
+        requireLogin();
+    } else {
+        // ... show private information
+    }
+
+});