Merge pull request #9356 from erik-krogh/getRouting

JS: rewrite js/sensitive-get-query to use routing trees

javascript/ql/test/query-tests/Security/CWE-598/SensitiveGetQuery.expected

@@ -1,3 +1,5 @@
 | tst.js:8:22:8:39 | req.query.password | $@ for GET requests uses query parameter as sensitive data. | tst.js:6:19:14:1 | (req, r ... serId\\n} | Route handler |
 | tst.js:26:22:26:42 | req.par ... sword') | $@ for GET requests uses query parameter as sensitive data. | tst.js:24:20:35:1 | (req, r ...   });\\n} | Route handler |
 | tst.js:31:24:31:40 | req.param('word') | $@ for GET requests uses query parameter as sensitive data. | tst.js:24:20:35:1 | (req, r ...   });\\n} | Route handler |
+| tst.js:39:29:39:41 | query.current | $@ for GET requests uses query parameter as sensitive data. | tst.js:37:19:43:1 | ({query ...   });\\n} | Route handler |
+| tst.js:50:33:50:52 | req.param('current') | $@ for GET requests uses query parameter as sensitive data. | tst.js:48:12:54:5 | (req, r ... ;\\n    } | Route handler |

javascript/ql/test/query-tests/Security/CWE-598/tst.js

@@ -32,4 +32,24 @@ app.get("/login2", (req, res) => {
     checkUser(username, myPassword, (result) => {
         res.send(result);
     });
-});
+});
+
+app.get("/login", ({query}, res) => {
+    const username = query.username; // OK - usernames are fine
+    const currentPassword = query.current; // NOT OK - password read
+    checkUser(username, currentPassword, (result) => {
+        res.send(result);
+    });
+});
+
+app.get('/rest/user/change-password', mkHandler());
+
+function mkHandler() {
+    return (req, res) => {
+        const username = req.param('username'); // OK - usernames are fine
+        const currentPassword = req.param('current'); // NOT OK - password read
+        checkUser(username, currentPassword, (result) => {
+            res.send(result);
+        });
+    }
+}