JS: Add test case for RequestForgery with url wrapped via package URL

Author: Napalys

javascript/ql/test/query-tests/Security/CWE-918/serverSide.js

@@ -133,3 +133,12 @@ var server2 = http.createServer(function(req, res) {
     var myEncodedUrl = `${something}/bla/${encodeURIComponent(tainted)}`; 
     axios.get(myEncodedUrl);
 })
+
+var server2 = http.createServer(function(req, res) {
+  const { URL } = require('url'); 
+  const input = req.query.url; // $MISSING:Source[js/request-forgery]
+  const target = new URL(input);
+  axios.get(target.toString()); // $MISSING:Alert[js/request-forgery]
+  axios.get(target); // $MISSING:Alert[js/request-forgery]
+  axios.get(target.href); // $MISSING:Alert[js/request-forgery]
+});