JS: Recognize Express param value callback as RemoteFlowSource

Author: asgerf

javascript/ql/src/semmle/javascript/frameworks/Express.qll

@@ -479,6 +479,13 @@ module Express {
       or
       kind = "body" and
       this.asExpr() = rh.getARequestBodyAccess()
+      or
+      // `value` in `router.param('foo', (req, res, next, value) => { ... })`
+      kind = "parameter" and
+      exists(RouteSetup setup | rh = setup.getARouteHandler() |
+        setup.getMethodName() = "param" and
+        this = rh.(DataFlow::FunctionNode).getParameter(3)
+      )
     }
 
     override RouteHandler getRouteHandler() { result = rh }

javascript/ql/test/library-tests/frameworks/Express/src/params.js

@@ -0,0 +1,14 @@
+var express = require('express');
+var app = express();
+
+app.param('foo', (req, res, next, value) => {
+    if (value) {
+        res.send(value);
+    } else {
+        next();
+    }
+});
+
+app.get('/hello/:foo', function(req, res) {
+  res.send("Hello");
+});