add remote flow source for busboy

javascript/ql/src/javascript.qll

@@ -85,10 +85,11 @@ import semmle.javascript.frameworks.Electron
 import semmle.javascript.frameworks.EventEmitter
 import semmle.javascript.frameworks.Files
 import semmle.javascript.frameworks.Firebase
-import semmle.javascript.frameworks.Immutable
+import semmle.javascript.frameworks.FormParsers
 import semmle.javascript.frameworks.jQuery
 import semmle.javascript.frameworks.JWT
 import semmle.javascript.frameworks.Handlebars
+import semmle.javascript.frameworks.Immutable
 import semmle.javascript.frameworks.LazyCache
 import semmle.javascript.frameworks.LodashUnderscore
 import semmle.javascript.frameworks.Logging

javascript/ql/src/semmle/javascript/frameworks/FormParsers.qll

@@ -0,0 +1,30 @@
+/**
+ * Provides classes for modelling the server-side form/file parsing libraries.
+ */
+
+import javascript
+
+/**
+ * Classes and predicate modelling the `Busboy` library.
+ */
+module Busboy {
+  /**
+   * A `Busboy` instance that has request data flowing into it.
+   */
+  private DataFlow::NewNode busboy() {
+    result = DataFlow::moduleImport("busboy").getAnInstantiation() and
+    exists(MethodCallExpr pipe |
+      pipe.calls(any(HTTP::RequestExpr req), "pipe") and
+      result.flowsToExpr(pipe.getArgument(0))
+    )
+  }
+
+  /**
+   * A source of remote flow from the `Busboy` library.
+   */
+  class BusBoyRemoteFlow extends RemoteFlowSource {
+    BusBoyRemoteFlow() { this = busboy().getAMemberCall("on").getABoundCallbackParameter(1, _) }
+
+    override string getSourceType() { result = "Busbuy parsed user value" }
+  }
+}