JS: recognize Express header access with dynamic name

Author: asger-semmle

javascript/ql/src/semmle/javascript/frameworks/Express.qll

@@ -483,7 +483,7 @@ module Express {
           // `req.headers.name`
           kind = "header" and
           headers.accesses(request, "headers") and
-          this = headers.getAPropertyRead(_))
+          this = headers.getAPropertyRead())
         or
         exists (string propName | propName = "host" or propName = "hostname" |
           // `req.host` and `req.hostname` are derived from headers

javascript/ql/test/library-tests/frameworks/Express/RequestInputAccess.expected

@@ -12,6 +12,7 @@
 | src/express.js:28:3:28:16 | req.get("foo") | header | src/express.js:22:30:32:1 | functio ... ar');\\n} |
 | src/express.js:29:3:29:19 | req.header("bar") | header | src/express.js:22:30:32:1 | functio ... ar');\\n} |
 | src/express.js:30:3:30:13 | req.cookies | cookie | src/express.js:22:30:32:1 | functio ... ar');\\n} |
-| src/express.js:47:3:47:17 | req.headers.baz | header | src/express.js:46:22:50:1 | functio ... name;\\n} |
-| src/express.js:48:3:48:10 | req.host | header | src/express.js:46:22:50:1 | functio ... name;\\n} |
-| src/express.js:49:3:49:14 | req.hostname | header | src/express.js:46:22:50:1 | functio ... name;\\n} |
+| src/express.js:47:3:47:17 | req.headers.baz | header | src/express.js:46:22:51:1 | functio ... ame];\\n} |
+| src/express.js:48:3:48:10 | req.host | header | src/express.js:46:22:51:1 | functio ... ame];\\n} |
+| src/express.js:49:3:49:14 | req.hostname | header | src/express.js:46:22:51:1 | functio ... ame];\\n} |
+| src/express.js:50:3:50:32 | req.hea ... erName] | header | src/express.js:46:22:51:1 | functio ... ame];\\n} |

javascript/ql/test/library-tests/frameworks/Express/src/express.js

@@ -47,4 +47,5 @@ app.post('/headers', function(req, res) {
   req.headers.baz;
   req.host;
   req.hostname;
+  req.headers[config.headerName];
 });