JS: Use post-processed inline test in MissingCsrfMiddleware

This query flags the cookie-parsing middleware in order to consolidate huge numbers of alerts into a single alert, which is more manageable. But simply annotating the cookie-parsing middleware with 'Alert' isn't a very useful, we want to annotate which middlewares are vulnerable.

javascript/ql/test/query-tests/Security/CWE-352/csurf_example.js

@@ -15,7 +15,7 @@ var app = express()
 
 // parse cookies
 // we need this because "cookie" is true in csrfProtection
-app.use(cookieParser())
+app.use(cookieParser()) // $ Alert
 
 app.get('/form', csrfProtection, function (req, res) { // OK
   let newEmail = req.cookies["newEmail"];
@@ -28,7 +28,7 @@ app.post('/process', parseForm, csrfProtection, function (req, res) { // OK
   res.send('data is being processed')
 })
 
-app.post('/process_unsafe', parseForm, function (req, res) { // NOT OK
+app.post('/process_unsafe', parseForm, function (req, res) {
   let newEmail = req.cookies["newEmail"];
   res.send('data is being processed')
-})
+}) // $ RelatedLocation