
JS: Accept MaD sanitizers for queries with MaD sinks #21336

Open
owen-mc wants to merge 3 commits into github:main from owen-mc:js/accept-mad-sanitizers

Conversation

@owen-mc (Contributor) commented Feb 17, 2026

I looked through all the existing sanitizers but didn't find any more that could be converted.

Note that two sanitizers for one query were converted in #21004, but actually I have found it necessary to revert the commits for that. The problem is that there isn't a natural sink kind for the query (js/incomplete-html-attribute-sanitization). request-forgery was used, but one of those two methods should not be sanitizers for request forgery.

Copilot AI review requested due to automatic review settings February 17, 2026 12:47
@owen-mc owen-mc requested a review from a team as a code owner February 17, 2026 12:47
@owen-mc owen-mc added the no-change-note-required This PR does not need a change note label Feb 17, 2026
@github-actions github-actions bot added the JS label Feb 17, 2026
Copilot AI (Contributor) left a comment

Pull request overview

This PR adds support for MaD (Models-as-Data) sanitizers/barriers to JavaScript security queries, following the pattern established in Python (PR #21004). The change enables external model contributors to define sanitizers for security queries that already use MaD sinks.

Changes:

  • Added SanitizerFromModel classes to 14 JavaScript security query customization files
  • Each sanitizer uses ModelOutput::barrierNode with a kind matching the corresponding SinkFromModel kind
  • HardcodedCredentials uses a special pattern to match multiple credential types (credentials-key, credentials-password, credentials-username)

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated no comments.

Summary per file:

  • UnsafeDeserializationCustomizations.qll: adds MaD sanitizer support for the "unsafe-deserialization" kind
  • TaintedPathCustomizations.qll: adds MaD sanitizer support for the "path-injection" kind
  • SqlInjectionCustomizations.qll: adds MaD sanitizer support for the "sql-injection" kind
  • ServerSideUrlRedirectCustomizations.qll: adds MaD sanitizer support for the "url-redirection" kind
  • RequestForgeryCustomizations.qll: adds MaD sanitizer support for the "request-forgery" kind
  • ReflectedXssCustomizations.qll: adds MaD sanitizer support for the "html-injection" kind
  • NosqlInjectionCustomizations.qll: adds MaD sanitizer support for the "nosql-injection" kind
  • LogInjectionQuery.qll: adds MaD sanitizer support for the "log-injection" kind
  • HardcodedCredentialsCustomizations.qll: adds MaD sanitizer support for the "credentials-*" kinds, with documentation explaining that all credential sanitizers work for all credential sink types
  • DomBasedXssCustomizations.qll: adds MaD sanitizer support for the "html-injection" kind
  • CommandInjectionCustomizations.qll: adds MaD sanitizer support for the "command-injection" kind
  • CodeInjectionCustomizations.qll: adds MaD sanitizer support for the "code-injection" kind
  • ClientSideUrlRedirectCustomizations.qll: adds MaD sanitizer support for the "url-redirection" kind
  • CorsPermissiveConfigurationCustomizations.qll: adds MaD sanitizer support for the "cors-origin" kind
