JavaScript: Pull reasoning about encode/encrypt-like calls into library.

javascript/ql/src/semmle/javascript/security/SensitiveActions.qll

@@ -144,6 +144,15 @@ class AuthorizationCall extends SensitiveAction, DataFlow::CallNode {
   }
 }
 
+/** A call to a function whose name suggests that it encodes or encrypts its arguments. */
+class ProtectCall extends DataFlow::CallNode {
+  ProtectCall() {
+    exists(string s | getCalleeName().regexpMatch("(?i).*" + s + ".*") |
+      s = "protect" or s = "encode" or s = "encrypt"
+    )
+  }
+}
+
 /**
  * Classes for expressions containing cleartext passwords.
  */

javascript/ql/src/semmle/javascript/security/dataflow/CleartextStorage.qll

@@ -53,14 +53,8 @@ module CleartextStorage {
     override string describe() { result = astNode.describe() }
   }
 
-  /** A call to any method whose name suggests that it encodes or encrypts the parameter. */
-  class ProtectSanitizer extends Sanitizer, DataFlow::ValueNode {
-    ProtectSanitizer() {
-      exists(string s | astNode.(CallExpr).getCalleeName().regexpMatch("(?i).*" + s + ".*") |
-        s = "protect" or s = "encode" or s = "encrypt"
-      )
-    }
-  }
+  /** A call to any function whose name suggests that it encodes or encrypts its arguments. */
+  class ProtectSanitizer extends Sanitizer { ProtectSanitizer() { this instanceof ProtectCall } }
 
   /**
    * An expression set as a value on a cookie instance.