JS: recognize Express headers as RequestInputAccess

javascript/ql/src/semmle/javascript/frameworks/Express.qll

@@ -479,6 +479,17 @@ module Express {
           methodName = "header"
         )
         or
+        exists (DataFlow::PropRead headers |
+          // `req.headers.name`
+          kind = "header" and
+          headers.accesses(request, "headers") and
+          this = headers.getAPropertyRead(_))
+        or
+        exists (string propName | propName = "host" or propName = "hostname" |
+          // `req.host` and `req.hostname` are derived from headers
+          kind = "header" and
+          this.(DataFlow::PropRead).accesses(request, propName))
+        or
         // `req.cookies`
         kind = "cookie" and
         this.(DataFlow::PropRef).accesses(request, "cookies")

javascript/ql/test/library-tests/frameworks/Express/RequestInputAccess.expected

@@ -12,3 +12,6 @@
 | src/express.js:28:3:28:16 | req.get("foo") | header | src/express.js:22:30:32:1 | functio ... ar');\\n} |
 | src/express.js:29:3:29:19 | req.header("bar") | header | src/express.js:22:30:32:1 | functio ... ar');\\n} |
 | src/express.js:30:3:30:13 | req.cookies | cookie | src/express.js:22:30:32:1 | functio ... ar');\\n} |
+| src/express.js:47:3:47:17 | req.headers.baz | header | src/express.js:46:22:50:1 | functio ... name;\\n} |
+| src/express.js:48:3:48:10 | req.host | header | src/express.js:46:22:50:1 | functio ... name;\\n} |
+| src/express.js:49:3:49:14 | req.hostname | header | src/express.js:46:22:50:1 | functio ... name;\\n} |

javascript/ql/test/library-tests/frameworks/Express/src/express.js

@@ -42,3 +42,9 @@ function getArrowHandler() {
     return (req, res) => f();
 }
 app.use(getArrowHandler());
+
+app.post('/headers', function(req, res) {
+  req.headers.baz;
+  req.host;
+  req.hostname;
+});