JS: Mark what seems to be missing alerts for fflate

The query doesn't seem to model or even mention fflate. Not sure if the library is safe or just not modeled.

Author: asgerf

javascript/ql/test/query-tests/Security/CWE-522-DecompressionBombs/fflate.js

@@ -9,14 +9,15 @@ app.listen(3000, () => {
 });
 
 app.post('/upload', async (req, res) => {
-    fflate.unzlibSync(new Uint8Array(req.files.CompressedFile.data)); // $ Alert
-    fflate.unzip(new Uint8Array(new Uint8Array(req.files.CompressedFile.data)));
-    fflate.unzlib(new Uint8Array(req.files.CompressedFile.data));
-    fflate.unzlibSync(new Uint8Array(req.files.CompressedFile.data));
-    fflate.gunzip(new Uint8Array(req.files.CompressedFile.data));
-    fflate.gunzipSync(new Uint8Array(req.files.CompressedFile.data));
-    fflate.decompress(new Uint8Array(req.files.CompressedFile.data));
-    fflate.decompressSync(new Uint8Array(req.files.CompressedFile.data));
+    // Not sure if these are vulnerable, but currently not modeled
+    fflate.unzlibSync(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert
+    fflate.unzip(new Uint8Array(new Uint8Array(req.files.CompressedFile.data))); // $ MISSING: Alert
+    fflate.unzlib(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert
+    fflate.unzlibSync(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert
+    fflate.gunzip(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert
+    fflate.gunzipSync(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert
+    fflate.decompress(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert
+    fflate.decompressSync(new Uint8Array(req.files.CompressedFile.data)); // $ MISSING: Alert
 
 
     fflate.unzlibSync(new Uint8Array(req.files.CompressedFile.data), {