support the chaining methods on Express apps

javascript/ql/src/semmle/javascript/frameworks/Express.qll

@@ -19,6 +19,9 @@ module Express {
     or
     // `app = express.createServer()`
     result = DataFlow::moduleMember("express", "createServer").getAnInvocation()
+    or
+    // `app = express().disable(x)`, and other chaining methods
+    result = appCreation().getAMemberCall(["engine", "set", "param", "enable", "disable", "on"])
   }
 
   /**

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected

@@ -182,6 +182,11 @@ nodes
 | tst2.js:36:12:36:12 | p |
 | tst2.js:37:12:37:18 | other.p |
 | tst2.js:37:12:37:18 | other.p |
+| tst3.js:5:7:5:24 | p |
+| tst3.js:5:9:5:9 | p |
+| tst3.js:5:9:5:9 | p |
+| tst3.js:6:12:6:12 | p |
+| tst3.js:6:12:6:12 | p |
 edges
 | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
 | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id |
@@ -333,6 +338,10 @@ edges
 | tst2.js:30:9:30:9 | p | tst2.js:30:7:30:24 | p |
 | tst2.js:33:11:33:11 | p | tst2.js:37:12:37:18 | other.p |
 | tst2.js:33:11:33:11 | p | tst2.js:37:12:37:18 | other.p |
+| tst3.js:5:7:5:24 | p | tst3.js:6:12:6:12 | p |
+| tst3.js:5:7:5:24 | p | tst3.js:6:12:6:12 | p |
+| tst3.js:5:9:5:9 | p | tst3.js:5:7:5:24 | p |
+| tst3.js:5:9:5:9 | p | tst3.js:5:7:5:24 | p |
 #select
 | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | ReflectedXss.js:8:33:8:45 | req.params.id | ReflectedXss.js:8:14:8:45 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:8:33:8:45 | req.params.id | user-provided value |
 | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | ReflectedXss.js:17:31:17:39 | params.id | ReflectedXss.js:17:12:17:39 | "Unknow ... rams.id | Cross-site scripting vulnerability due to $@. | ReflectedXss.js:17:31:17:39 | params.id | user-provided value |
@@ -376,3 +385,4 @@ edges
 | tst2.js:21:14:21:14 | p | tst2.js:14:9:14:9 | p | tst2.js:21:14:21:14 | p | Cross-site scripting vulnerability due to $@. | tst2.js:14:9:14:9 | p | user-provided value |
 | tst2.js:36:12:36:12 | p | tst2.js:30:9:30:9 | p | tst2.js:36:12:36:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
 | tst2.js:37:12:37:18 | other.p | tst2.js:30:9:30:9 | p | tst2.js:37:12:37:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
+| tst3.js:6:12:6:12 | p | tst3.js:5:9:5:9 | p | tst3.js:6:12:6:12 | p | Cross-site scripting vulnerability due to $@. | tst3.js:5:9:5:9 | p | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXssWithCustomSanitizer.expected

@@ -39,3 +39,4 @@
 | tst2.js:21:14:21:14 | p | Cross-site scripting vulnerability due to $@. | tst2.js:14:9:14:9 | p | user-provided value |
 | tst2.js:36:12:36:12 | p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
 | tst2.js:37:12:37:18 | other.p | Cross-site scripting vulnerability due to $@. | tst2.js:30:9:30:9 | p | user-provided value |
+| tst3.js:6:12:6:12 | p | Cross-site scripting vulnerability due to $@. | tst3.js:5:9:5:9 | p | user-provided value |

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/tst3.js

@@ -0,0 +1,7 @@
+var express = require('express');
+
+var app = express();
+app.enable('x-powered-by').disable('x-powered-by').get('/', function (req, res) {
+  let { p } = req.params;
+  res.send(p); // NOT OK
+});