JavaScript: Add tar-stream extraction to ZipSlip query.

javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/TarSlipBad.js

@@ -0,0 +1,18 @@
+const fs = require('fs');
+const tar = require('tar-stream');
+const extract = tar.extract();
+
+extract.on('entry', (header, stream, next) => {
+  const out = fs.createWriteStream(header.name);
+  stream.pipe(out);
+  stream.on('end', () => {
+    next();
+  })
+  stream.resume();
+})
+
+extract.on('finish', ()  => {
+  console.log('finished');
+});
+
+fs.createReadStream('./bad.tar').pipe(extract);

javascript/ql/test/query-tests/Security/CWE-022/ZipSlip/ZipSlip.expected

@@ -1,4 +1,5 @@
 nodes
+| TarSlipBad.js:6:36:6:46 | header.name |
 | ZipSlipBad2.js:5:9:5:46 | fileName |
 | ZipSlipBad2.js:5:20:5:46 | 'output ... ry.path |
 | ZipSlipBad2.js:5:37:5:46 | entry.path |
@@ -13,5 +14,6 @@ edges
 | ZipSlipBad.js:7:11:7:31 | fileName | ZipSlipBad.js:8:37:8:44 | fileName |
 | ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:7:11:7:31 | fileName |
 #select
+| TarSlipBad.js:6:36:6:46 | header.name | TarSlipBad.js:6:36:6:46 | header.name | TarSlipBad.js:6:36:6:46 | header.name | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | TarSlipBad.js:6:36:6:46 | header.name | item path |
 | ZipSlipBad2.js:6:22:6:29 | fileName | ZipSlipBad2.js:5:37:5:46 | entry.path | ZipSlipBad2.js:6:22:6:29 | fileName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlipBad2.js:5:37:5:46 | entry.path | item path |
 | ZipSlipBad.js:8:37:8:44 | fileName | ZipSlipBad.js:7:22:7:31 | entry.path | ZipSlipBad.js:8:37:8:44 | fileName | Unsanitized zip archive $@, which may contain '..', is used in a file system operation. | ZipSlipBad.js:7:22:7:31 | entry.path | item path |