cache isInterpretedAsRegExp

javascript/ql/lib/semmle/javascript/Regexp.qll

@@ -7,6 +7,7 @@
 
 import javascript
 private import semmle.javascript.dataflow.InferredTypes
+private import semmle.javascript.internal.CachedStages
 
 /**
  * An element containing a regular expression term, that is, either
@@ -955,7 +956,9 @@ private predicate isUsedAsNonMatchObject(DataFlow::MethodCallNode call) {
 /**
  * Holds if `source` may be interpreted as a regular expression.
  */
+cached
 predicate isInterpretedAsRegExp(DataFlow::Node source) {
+  Stages::Taint::ref() and
   source.analyze().getAType() = TTString() and
   (
     // The first argument to an invocation of `RegExp` (with or without `new`).

javascript/ql/lib/semmle/javascript/internal/CachedStages.qll

@@ -260,6 +260,8 @@ module Stages {
       exists(RemoteFlowSource r)
       or
       exists(Exports::getALibraryInputParameter())
+      or
+      any(RegExpTerm t).isUsedAsRegExp()
     }
   }
 }