add documentation examples as tests

javascript/ql/test/query-tests/Security/CWE-200/PrivateFileExposure.expected

@@ -18,3 +18,4 @@
 | private-file-exposure.js:41:1:41:97 | app.use ... lar/')) | Serves the folder "/node_modules/angular/", which can contain private information. |
 | private-file-exposure.js:42:1:42:66 | app.use ... dir())) | Serves the home folder , which can contain private information. |
 | private-file-exposure.js:43:1:43:46 | app.use ... )("/")) | Serves the root folder, which can contain private information. |
+| private-file-exposure.js:51:5:51:88 | app.use ... les'))) | Serves the folder "../node_modules", which can contain private information. |

javascript/ql/test/query-tests/Security/CWE-200/private-file-exposure.js

@@ -40,4 +40,23 @@ const connect = require("connect");
 app.use('/angular', connect.static(path.join(__dirname, "/node_modules") + '/angular/')); // NOT OK
 app.use('/angular', require('serve-static')(path.join(__dirname, "/node_modules") + '/angular/')); // NOT OK
 app.use('/home', require('serve-static')(require("os").homedir())); // NOT OK
-app.use('/root', require('serve-static')("/")); // NOT OK
+app.use('/root', require('serve-static')("/")); // NOT OK
+
+// Bad documentation example
+function bad() {
+    var express = require('express');
+
+    var app = express();
+
+    app.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules'))); // NOT OK
+}
+
+// Good documentation example
+function good() {
+    var express = require('express');
+
+    var app = express();
+
+    app.use("jquery", express.static('./node_modules/jquery/dist')); // OK
+    app.use("bootstrap", express.static('./node_modules/bootstrap/dist')); // OK
+}