JS: add newline removal whitelist for js/incomplete-sanitization

javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql

@@ -129,6 +129,20 @@ predicate isDelimiterUnwrapper(
   )
 }
 
+/*
+ * Holds if `repl` is a standalone use of `String.prototype.replace` to remove a single newline.
+ */
+
+predicate removesTrailingNewLine(DataFlow::MethodCallNode repl) {
+  repl.getMethodName() = "replace" and
+  repl.getArgument(0).mayHaveStringValue("\n") and
+  repl.getArgument(1).mayHaveStringValue("") and
+  not exists(DataFlow::MethodCallNode other | other.getMethodName() = "replace" |
+    repl.getAMethodCall() = other or
+    other.getAMethodCall() = repl
+  )
+}
+
 from MethodCallExpr repl, Expr old, string msg
 where
   repl.getMethodName() = "replace" and
@@ -153,7 +167,9 @@ where
     not DataFlow::valueNode(repl.getReceiver()) = DataFlow::valueNode(repl).getASuccessor+() and
     // dont' flag unwrapper
     not isDelimiterUnwrapper(repl.flow(), _) and
-    not isDelimiterUnwrapper(_, repl.flow())
+    not isDelimiterUnwrapper(_, repl.flow()) and
+    // dont' flag the removal of trailing newlines
+    not removesTrailingNewLine(repl.flow())
     or
     exists(RegExpLiteral rel |
       isBackslashEscape(repl, rel) and

javascript/ql/test/query-tests/Security/CWE-116/IncompleteSanitization/IncompleteSanitization.expected

@@ -25,7 +25,6 @@
 | tst.js:140:2:140:27 | s.repla ... replace | This replaces only the first occurrence of /}/. |
 | tst.js:141:2:141:10 | s.replace | This replaces only the first occurrence of ']'. |
 | tst.js:141:2:141:27 | s.repla ... replace | This replaces only the first occurrence of '['. |
-| tst.js:146:2:146:68 | require ... replace | This replaces only the first occurrence of "\\n". |
 | tst.js:148:2:148:10 | x.replace | This replaces only the first occurrence of "\\n". |
 | tst.js:149:2:149:24 | x.repla ... replace | This replaces only the first occurrence of "\\n". |
 | tst.js:193:9:193:17 | s.replace | This replaces only the first occurrence of /'/. |