JS: Use type inference to refine regexp string tracking

javascript/ql/src/semmle/javascript/Regexp.qll

@@ -750,22 +750,25 @@ class RegExpParseError extends Error, @regexp_parse_error {
  * Holds if `source` may be interpreted as a regular expression.
  */
 predicate isInterpretedAsRegExp(DataFlow::Node source) {
-  // The first argument to an invocation of `RegExp` (with or without `new`).
-  source = DataFlow::globalVarRef("RegExp").getAnInvocation().getArgument(0)
-  or
-  // The argument of a call that coerces the argument to a regular expression.
-  exists(MethodCallExpr mce, string methodName |
-    mce.getReceiver().analyze().getAType() = TTString() and
-    mce.getMethodName() = methodName
-  |
-    methodName = "match" and source.asExpr() = mce.getArgument(0) and mce.getNumArgument() = 1
+  source.analyze().getAType() = TTString() and
+  (
+    // The first argument to an invocation of `RegExp` (with or without `new`).
+    source = DataFlow::globalVarRef("RegExp").getAnInvocation().getArgument(0)
     or
-    methodName = "search" and
-    source.asExpr() = mce.getArgument(0) and
-    mce.getNumArgument() = 1 and
-    // "search" is a common method name, and so we exclude chained accesses
-    // because `String.prototype.search` returns a number
-    not exists(PropAccess p | p.getBase() = mce)
+    // The argument of a call that coerces the argument to a regular expression.
+    exists(MethodCallExpr mce, string methodName |
+      mce.getReceiver().analyze().getAType() = TTString() and
+      mce.getMethodName() = methodName
+    |
+      methodName = "match" and source.asExpr() = mce.getArgument(0) and mce.getNumArgument() = 1
+      or
+      methodName = "search" and
+      source.asExpr() = mce.getArgument(0) and
+      mce.getNumArgument() = 1 and
+      // "search" is a common method name, and so we exclude chained accesses
+      // because `String.prototype.search` returns a number
+      not exists(PropAccess p | p.getBase() = mce)
+    )
   )
 }