Manage chain calls of extend.

Author: Napalys

javascript/ql/lib/semmle/javascript/frameworks/ClientRequests.qll

@@ -414,13 +414,21 @@ module ClientRequest {
     }
   }
 
+  /**
+   * Gets a reference to an instance of the `got` library, including instances
+   * created through chained `extend` calls.
+   */
+  private API::Node getAGotInstance() {
+    result = [API::moduleImport("got"), getAGotInstance().getMember("extend").getReturn()]
+  }
+
   /**
    * A model of a URL request made using the `got` library.
    */
   class GotUrlRequest extends ClientRequest::Range {
     GotUrlRequest() {
       exists(API::Node callee, API::Node got | this = callee.getACall() |
-        got = [API::moduleImport("got"), API::moduleImport("got").getMember("extend").getReturn()] and
+        got = getAGotInstance() and
         callee = [got, got.getMember(["stream", "get", "post", "put", "patch", "head", "delete"])]
       )
     }

javascript/ql/test/library-tests/frameworks/ClientRequests/tst.js

@@ -329,13 +329,13 @@ function gotTests(url){
     got(undefined, undefined, Options({url})); // undefined is flagged, but should be url from options
 
     const options2 = new Options({url});
-    got.extend(options2).extend(options).get(); // not flagged
+    got.extend(options2).extend(options).get(); // call flagged not the actual url flow
 
     got.paginate(url, {}); // not flagged 
 
     const jsonClient = got.extend({url: url});
     jsonClient.get(); // call flagged not the actual url flow
 
     const jsonClient2 = got.extend({url: url}).extend({url: url});
-    jsonClient2.get(); // not flagged
+    jsonClient2.get(); // call flagged not the actual url flow
 }