Added data extension to allow setting extra required Helmet features

Author: aegilops

javascript/ql/src/Security/CWE-693/InsecureHelmet.qhelp

@@ -2,7 +2,7 @@
 <qhelp>
     <overview>
         <p>
-            <a href="https://helmetjs.github.io/">Helmet</a> is a collection of middleware functions for securing Express apps. It sets various HTTP headers to guard against common web vulnerabilities.
+            <a href="https://helmetjs.github.io/">Helmet</a> is a collection of middleware functions for securing Express apps. It sets various HTTP headers to guard against common web vulnerabilities.<br>
 
             This query detects Helmet misconfigurations that can lead to security vulnerabilities, specifically:
         </p>
@@ -13,10 +13,28 @@
         </ul>
 
         <p>
-            Content Security Policy (CSP) helps spot and prevent injection attacks such as Cross-Site Scripting (XSS).
+            Content Security Policy (CSP) helps spot and prevent injection attacks such as Cross-Site Scripting (XSS).<br>
 
             Removing frame protections exposes an application to attacks such as clickjacking, where an attacker can trick a user into clicking on a button or link on a targeted page when they intended to click on the page carrying out the attack.
         </p>
+
+        <p>
+            Users of the query can extend the set of required Helmet features by adding additional checks for them, using CodeQL <a href="https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/">data extensions</a>.
+        </p>
+
+        <pre>
+        extensions:
+          - addsTo:
+              pack: codeql/javascript-all
+              extensible: requiredHelmetSecuritySetting
+            data:
+              - name: "frameguard"
+        </pre>
+
+        <p>
+            Note: <code>frameguard</code> is an example: the query already enforces this setting, so it is not necessary to add it to the data extension. 
+        </p>
+
     </overview>
     <recommendation>
         <p>

javascript/ql/src/Security/CWE-693/InsecureHelmet.ql

@@ -27,10 +27,27 @@ class HelmetProperty extends Property {
   predicate isImportantSecuritySetting() {
     this.getName() in ["frameguard", "contentSecurityPolicy"]
     // read from data extensions to allow enforcing other settings
-    // TODO
+    or requiredHelmetSecuritySetting(this.getName())
   }
 }
 
+/*
+ * Extend the required Helmet security settings using data extensions.
+ * Docs: https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-javascript/
+ * For example:
+
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: requiredHelmetSecuritySetting
+    data:
+      - name: "frameguard"
+
+ * Note: `frameguard` is an example: the query already enforces this setting, so it is not necessary to add it to the data extension. 
+
+ */
+extensible predicate requiredHelmetSecuritySetting(string name);
+
 from HelmetProperty helmetSetting, ExpressLibraries::HelmetRouteHandler helmet
 where
   helmetSetting.isFalse() and