add qhelp for js/exposure-of-private-files

Author: erik-krogh

javascript/ql/src/Security/CWE-200/PrivateFileExposure.qhelp

@@ -5,20 +5,33 @@
 
 <overview>
   <p>
-    Placeholder
+    Libraries like <code>express</code> provide easy methods for serving entire 
+    directories of static files from a web server.
+    However, using these can sometimes lead to accidential information exposure. 
+    If for example the <code>node_modules</code> folder is served, then an attacker
+    can access the <code>_where</code> field from a <code>package.json</code> file, 
+    which gives the attacker access to the absolute path of the file. 
   </p>
 </overview>
 
 <recommendation>
   <p>
-    Placeholder
+    Limit which folders of static files are served from a web server.
   </p>
 </recommendation>
 
 <example>
   <p>
-    Placeholder
+    In the example below all the files from the <code>node_modules</code> are served. 
+    This allows clients easy access to all files inside that folder, but also allows
+    access to potentially private information inside <code>package.json</code> files. 
   </p>
+  <sample src="examples/FileAccessToHttp.js"/>
+  <p>
+    The issue has been fixed in the below by only serving specific folders within the
+    <code>node_modules</code> folder.
+  </p>
+  <sample src="examples/FileAccessToHttpFixed.js"/>
 </example>
 
 <references>

javascript/ql/src/Security/CWE-200/examples/PrivateFileExposure.js

@@ -0,0 +1,6 @@
+
+var express = require('express');
+
+var app = express();
+
+app.use('/node_modules', express.static(path.resolve(__dirname, '../node_modules')));

javascript/ql/src/Security/CWE-200/examples/PrivateFileExposureFixed.js

@@ -0,0 +1,7 @@
+
+var express = require('express');
+
+var app = express();
+
+app.use("jquery", express.static('./node_modules/jquery/dist'));
+app.use("bootstrap", express.static('./node_modules/bootstrap/dist'));