add taint through the normalize-url library

Author: erik-krogh

javascript/change-notes/2021-07-14-querystring.md

@@ -1,4 +1,5 @@
 lgtm,codescanning
 * The security queries now track taint through more query string parsers.
   Affected packages are
-    [qs](https://npmjs.com/package/qs)
+    [qs](https://npmjs.com/package/qs),
+    [normailize-url](https://npmjs.com/package/normalize-url)

javascript/ql/src/semmle/javascript/frameworks/UriLibraries.qll

@@ -279,6 +279,18 @@ private class QsStep extends TaintTracking::SharedTaintStep {
   }
 }
 
+/**
+ * A taint step through a call to [normalize-url](https://npmjs.com/package/normalize-url)
+ */
+private class NormalizeUrlStep extends TaintTracking::SharedTaintStep {
+  override predicate uriStep(DataFlow::Node pred, DataFlow::Node succ) {
+    exists(API::CallNode call | call = API::moduleImport("normalize-url").getACall() |
+      pred = call.getArgument(0) and
+      succ = call
+    )
+  }
+}
+
 /**
  * Provides steps for the `goog.Uri` class in the closure library.
  */