JS: improve model of express' req.sendFile

Author: Esben Sparre Andreasen

javascript/ql/src/semmle/javascript/frameworks/Express.qll

@@ -824,14 +824,18 @@ module Express {
   }
 
   /** A call to `response.sendFile`, considered as a file system access. */
-  private class ResponseSendFileAsFileSystemAccess extends FileSystemAccess, DataFlow::ValueNode {
+  private class ResponseSendFileAsFileSystemAccess extends FileSystemReadAccess, DataFlow::ValueNode {
     override MethodCallExpr astNode;
 
     ResponseSendFileAsFileSystemAccess() {
       exists (string name | name = "sendFile" or name = "sendfile" |
         asExpr().(MethodCallExpr).calls(any(ResponseExpr res), name))
     }
 
+    override DataFlow::Node getADataNode() {
+      none()
+    }
+
     override DataFlow::Node getAPathArgument() {
       result = DataFlow::valueNode(astNode.getArgument(0))
     }

javascript/ql/test/query-tests/Security/CWE-200/express-send-file.js

@@ -0,0 +1,6 @@
+var express = require('express'),
+    app = express();
+
+app.get('/getFooFile', function(req, res) {
+    res.sendFile("foo"); // OK (for now) since this is a server-side response
+});