JS: Generalize handling of route handler wrapper functions

javascript/ql/test/query-tests/Security/CWE-770/MissingRateLimiting.expected

@@ -7,3 +7,6 @@
 | tst.js:37:20:37:36 | expensiveHandler3 | This route handler performs $@, but is not rate-limited. | tst.js:16:40:16:70 | child_p ... /true") | a system command |
 | tst.js:38:20:38:36 | expensiveHandler4 | This route handler performs $@, but is not rate-limited. | tst.js:17:40:17:83 | connect ... ution') | a database access |
 | tst.js:64:25:64:63 | functio ... req); } | This route handler performs $@, but is not rate-limited. | tst.js:64:46:64:60 | verifyUser(req) | authorization |
+| tst.js:76:25:76:53 | catchAs ... ndler1) | This route handler performs $@, but is not rate-limited. | tst.js:14:40:14:46 | login() | authorization |
+| tst.js:78:60:78:76 | expensiveHandler1 | This route handler performs $@, but is not rate-limited. | tst.js:14:40:14:46 | login() | authorization |
+| tst.js:79:60:79:88 | catchAs ... ndler1) | This route handler performs $@, but is not rate-limited. | tst.js:14:40:14:46 | login() | authorization |

javascript/ql/test/query-tests/Security/CWE-770/tst.js

@@ -71,3 +71,9 @@ const rateLimiterMiddleware = (req, res, next) => {
   rateLimiter.consume(req.ip).then(next).catch(res.status(429).send('rate limited'));
 };
 express().get('/:path', rateLimiterMiddleware, expensiveHandler1);
+
+const catchAsync = fn => (...args) => fn(...args).catch(args[2]);
+express().get('/:path', catchAsync(expensiveHandler1)); // NOT OK
+express().get('/:path', rateLimiterMiddleware, catchAsync(expensiveHandler1)); // OK
+express().get('/:path', catchAsync(rateLimiterMiddleware), expensiveHandler1); // OK
+express().get('/:path', catchAsync(rateLimiterMiddleware), catchAsync(expensiveHandler1)); // OK