JS: Add sinks mentioned in doc

Note that 'sql-injection' was already added

javascript/ql/lib/semmle/javascript/frameworks/NoSQL.qll

@@ -11,6 +11,10 @@ module NoSql {
     /** Gets an expression that is interpreted as a code operator in this query. */
     DataFlow::Node getACodeOperator() { none() }
   }
+
+  private class QueryFromModel extends Query {
+    QueryFromModel() { this = ModelOutput::getASinkNode("nosql-injection").asSink() }
+  }
 }
 
 /** DEPRECATED: Alias for NoSql */

javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll

@@ -235,4 +235,8 @@ module ClientSideUrlRedirect {
       this = NextJS::nextRouter().getAMemberCall(["push", "replace"]).getArgument(0)
     }
   }
+
+  private class SinkFromModel extends Sink {
+    SinkFromModel() { this = ModelOutput::getASinkNode("url-redirection").asSink() }
+  }
 }

javascript/ql/lib/semmle/javascript/security/dataflow/CodeInjectionCustomizations.qll

@@ -410,4 +410,8 @@ module CodeInjection {
 
   /** DEPRECATED: Alias for JsonStringifySanitizer */
   deprecated class JSONStringifySanitizer = JsonStringifySanitizer;
+
+  private class SinkFromModel extends Sink {
+    SinkFromModel() { this = ModelOutput::getASinkNode("code-injection").asSink() }
+  }
 }

javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll

@@ -50,4 +50,8 @@ module CommandInjection {
   class SystemCommandExecutionSink extends Sink, DataFlow::ValueNode {
     SystemCommandExecutionSink() { this = any(SystemCommandExecution sys).getACommandArgument() }
   }
+
+  private class SinkFromModel extends Sink {
+    SinkFromModel() { this = ModelOutput::getASinkNode("command-line-injection").asSink() }
+  }
 }

javascript/ql/lib/semmle/javascript/security/dataflow/DomBasedXssCustomizations.qll

@@ -342,4 +342,8 @@ module DomBasedXss {
       outcome = super.getPolarity()
     }
   }
+
+  private class SinkFromModel extends Sink {
+    SinkFromModel() { this = ModelOutput::getASinkNode("html-injection").asSink() }
+  }
 }

javascript/ql/lib/semmle/javascript/security/dataflow/ReflectedXssCustomizations.qll

@@ -150,4 +150,8 @@ module ReflectedXss {
       this.(Http::RequestHeaderAccess).getAHeaderName() = "referer"
     }
   }
+
+  private class SinkFromModel extends Sink {
+    SinkFromModel() { this = ModelOutput::getASinkNode("html-injection").asSink() }
+  }
 }

javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll

@@ -73,4 +73,12 @@ module RequestForgery {
       pred = url.getArgument(0)
     )
   }
+
+  private class SinkFromModel extends Sink {
+    SinkFromModel() { this = ModelOutput::getASinkNode("request-forgery").asSink() }
+
+    override DataFlow::Node getARequest() { result = this }
+
+    override string getKind() { result = "endpoint" }
+  }
 }

javascript/ql/lib/semmle/javascript/security/dataflow/ServerSideUrlRedirectCustomizations.qll

@@ -62,4 +62,8 @@ module ServerSideUrlRedirect {
       )
     }
   }
+
+  private class SinkFromModel extends Sink {
+    SinkFromModel() { this = ModelOutput::getASinkNode("url-redirection").asSink() }
+  }
 }

javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll

@@ -946,4 +946,8 @@ module TaintedPath {
       )
     )
   }
+
+  private class SinkFromModel extends Sink {
+    SinkFromModel() { this = ModelOutput::getASinkNode("path-injection").asSink() }
+  }
 }

javascript/ql/lib/semmle/javascript/security/dataflow/UnsafeDeserializationCustomizations.qll

@@ -49,4 +49,8 @@ module UnsafeDeserialization {
       )
     }
   }
+
+  private class SinkFromModel extends Sink {
+    SinkFromModel() { this = ModelOutput::getASinkNode("unsafe-deserialization").asSink() }
+  }
 }