add file write model for express-fileupload mv

javascript/ql/lib/semmle/javascript/frameworks/ExpressModules.qll

@@ -226,3 +226,30 @@ module ExpressLibraries {
     predicate producesUserControlledObjects() { isJson() or isExtendedUrlEncoded() }
   }
 }
+
+/**
+ * Provides classes for working with the `express-fileupload` package (https://github.com/richardgirges/express-fileupload);
+ */
+module FileUpload {
+  /** Gets a data flow node referring to `req.files`. */
+  private DataFlow::SourceNode filesRef(Express::RequestSource req, DataFlow::TypeTracker t) {
+    t.start() and
+    result = req.ref().getAPropertyRead("files")
+    or
+    exists(DataFlow::TypeTracker t2 | result = filesRef(req, t2).track(t2, t))
+  }
+
+  /**
+   * A call to `req.files.<name>.mv`
+   */
+  class Move extends FileSystemWriteAccess, DataFlow::MethodCallNode {
+    Move() {
+      exists(DataFlow::moduleImport("express-fileupload")) and
+      this = filesRef(_, DataFlow::TypeTracker::end()).getAPropertyRead().getAMethodCall("mv")
+    }
+
+    override DataFlow::Node getAPathArgument() { result = getArgument(0) }
+
+    override DataFlow::Node getADataNode() { none() }
+  }
+}