From 03ef167c56401ace50c24b99c46a7d755a6eb5b9 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Thu, 28 Feb 2019 12:37:11 +0000
Subject: [PATCH 1/2] JS: Treat res.end() as alias for res.send() in Express
---
 javascript/ql/src/semmle/javascript/frameworks/Express.qll | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/javascript/ql/src/semmle/javascript/frameworks/Express.qll b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
index bdddd296a6c4..b6f97f4dde4e 100644
--- a/javascript/ql/src/semmle/javascript/frameworks/Express.qll
+++ b/javascript/ql/src/semmle/javascript/frameworks/Express.qll
@@ -604,14 +604,15 @@ module Express {
 }
 /**
- * An argument passed to the `send` method of an HTTP response object.
+ * An argument passed to the `send` or `end` method of an HTTP response object.
 */
 private class ResponseSendArgument extends HTTP::ResponseSendArgument {
 RouteHandler rh;
 ResponseSendArgument() {
- exists(MethodCallExpr mce |
- mce.calls(rh.getAResponseExpr(), "send") and
+ exists(MethodCallExpr mce, string name |
+ mce.calls(rh.getAResponseExpr(), name) and
+ (name = "send" or name = "end") and
 this = mce.getArgument(0)
 )
 }
From 2dc7f32ca34057ae161dbc06ed40dfcc157d5015 Mon Sep 17 00:00:00 2001
From: Asger F
Date: Thu, 28 Feb 2019 15:27:49 +0000
Subject: [PATCH 2/2] JS: add Express to list of updated frameworks
---
 change-notes/1.20/analysis-javascript.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/change-notes/1.20/analysis-javascript.md b/change-notes/1.20/analysis-javascript.md
index 13f6af667009..c5710b77b3cd 100644
--- a/change-notes/1.20/analysis-javascript.md
+++ b/change-notes/1.20/analysis-javascript.md
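Review bot: Neither patch in this series adds a test for the new `end` sink in Express.qll; the diffstats list only the library file and the change note, so a regression in the `(name = "send" or name = "end")` disjunct of `ResponseSendArgument` would go unnoticed. A test handler that passes a request-derived value to `res.end(...)` would pin the behaviour for whichever queries consume `HTTP::ResponseSendArgument` (presumably the reflected-XSS ones). Two modelling caveats deserve a comment next to `this = mce.getArgument(0)`: Node's `end` may be called with a callback as its first argument, and unlike `send` it does not choose a `Content-Type` for string bodies, for example `// 'end' is ServerResponse.end: argument 0 may be a callback, and no Content-Type is implied`. `res.write(chunk)` writes body data in the same way and is not matched by this predicate, so it is worth confirming that it is modelled elsewhere. The class body and the enclosing `Express` module continue outside the hunk.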
@@ -5,6 +5,7 @@
 * Support for many frameworks and libraries has been improved, in particular including the following:
 - [a-sync-waterfall](https://www.npmjs.com/package/a-sync-waterfall)
 - [Electron](https://electronjs.org)
+ - [Express](https://npmjs.org/express)
 - [hapi](https://hapijs.com/)
 - [js-cookie](https://github.com/js-cookie/js-cookie)
 - [React](https://reactjs.org/)