This is an alternative presentation of the query from the blog post about Detecting Reflected File Download vulnerabilities using QL, phrasing it as a customization of Semmle's standard Reflected XSS query.

Use this snapshot (etherpad-lite v1.6.2) for the initial stages of the development. All snapshots were built using version 1.9.3 of the Semmle toolchain; if you are using 1.20 or newer you will need to upgrade them.

• 01_ReflectedXss.ql: The standard query; finds nothing. The reason is that etherpad-lite uses Swagger for implementing its REST API, which is not supported out of the box. The next few queries build up a basic model of Swagger that is rich enough to find the vulnerability.
• 02_SwaggerRouteHandler.ql: A query for finding places where Swagger is used to install an Express HTTP route handler. Note that the newly introduced class extends Express::RouteHandler from the standard library, so the standard HTTP server model can now be used to reason about Swagger-based APIs.
• 03_ResponseSendArgument.ql: A query for finding HTTP responses using the standard HTTP server model plus the extension developed in the previous query. Results are disappointing.
• 04_ResponseSendAccess.ql: To figure out what's going on, we instead just look for all references to the HTTP send method. The results show that etherpad-lite wraps that method and replaces it with a custom send method that ultimately delegates to the standard method.
• 05_ResponseSendArgumentWithAliasing.ql: We can model this wrapping process, yielding an improved version of 03_ResponseSendArgument.ql.
• 06_ReflectedXss.ql: Including all of the above extensions in the standard XSS query finds a true-positive result. This is the one we reported.

The developers fixed the vulnerability by introducing a sanitizer using the is-var-name npm package. This snapshot corresponds to the fix commit.

The standard library does not include a model for is-var-name (it is not a very widely used package), but 07_ReflectedXssWithSanitizer.ql shows that it is very easy to add, making the result go away.

Later on, this sanitizer was replaced with a custom sanitizer, which is, unfortunately, ineffective. (This snapshot of etherpad-lite v1.6.4 contains the new sanitizer.) However, all browsers mitigate against reflected file download vulnerabilities these days, so while the vulnerability still exists, it is no longer exploitable.