Merge pull request #13841 from jeongsoolee09/log-injection-mad

JS: Add support for log injection in MaD

Author: asgerf

docs/codeql/codeql-language-guides/customizing-library-models-for-javascript.rst

@@ -471,6 +471,7 @@ Unlike sources, sinks tend to be highly query-specific, rarely affecting more th
 - **request-forgery**: A sink that controls the URL of a request, such as in a **fetch** call.
 - **url-redirection**: A sink that can be used to redirect the user to a malicious URL.
 - **unsafe-deserialization**: A deserialization sink that can lead to code execution or other unsafe behaviour, such as an unsafe YAML parser.
+- **log-injection**: A sink that can be used for log injection, such as in a **console.log** call.
 
 Summary kinds
 ~~~~~~~~~~~~~

javascript/ql/lib/change-notes/2023-07-28-mad-log-injection.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `log-injection` as a customizable sink kind for log injection.

javascript/ql/lib/semmle/javascript/security/dataflow/LogInjectionQuery.qll

@@ -66,3 +66,7 @@ class HtmlSanitizer extends Sanitizer instanceof HtmlSanitizerCall { }
 class JsonStringifySanitizer extends Sanitizer {
   JsonStringifySanitizer() { this = any(JsonStringifyCall c).getOutput() }
 }
+
+private class SinkFromModel extends Sink {
+  SinkFromModel() { this = ModelOutput::getASinkNode("log-injection").asSink() }
+}