JS: recognize Express headers as RequestInputAccess

javascript/ql/src/semmle/javascript/frameworks/Express.qll

@@ -479,6 +479,17 @@ module Express {
           methodName = "header"
         )
         or
+        exists (DataFlow::PropRead headers |
+          // `req.headers.name`
+          kind = "header" and
+          headers.accesses(request, "headers") and
+          this = headers.getAPropertyRead(_))
+        or
+        exists (string propName | propName = "host" or propName = "hostname" |
+          // `req.host` and `req.hostname` are derived from headers
+          kind = "header" and
+          this.(DataFlow::PropRead).accesses(request, propName))
+        or
         // `req.cookies`
         kind = "cookie" and
         this.(DataFlow::PropRef).accesses(request, "cookies")