JS: Step through string replace callbacks

javascript/ql/src/semmle/javascript/StandardLibrary.qll

@@ -107,7 +107,7 @@ class StringReplaceCall extends DataFlow::MethodCallNode {
   }
 
   /** Gets the regular expression passed as the first argument to `replace`, if any. */
-  DataFlow::RegExpLiteralNode getRegExp() { result.flowsTo(getArgument(0)) }
+  DataFlow::RegExpCreationNode getRegExp() { result.flowsTo(getArgument(0)) }
 
   /** Gets a string that is being replaced by this call. */
   string getAReplacedString() {

javascript/ql/src/semmle/javascript/dataflow/Nodes.qll

@@ -1624,6 +1624,9 @@ class RegExpCreationNode extends DataFlow::SourceNode {
     result = this.(RegExpLiteralNode).getFlags()
   }
 
+  /** Holds if the constructed predicate has the `g` flag. */
+  predicate isGlobal() { RegExp::isGlobal(getFlags()) }
+
   /** Gets a data flow node referring to this regular expression. */
   private DataFlow::SourceNode getAReference(DataFlow::TypeTracker t) {
     t.start() and

javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll

@@ -697,10 +697,28 @@ module TaintTracking {
           name = "encodeURIComponent" or
           name = "decodeURIComponent"
         )
+        or
+        // In and out of .replace callbacks
+        exists(StringReplaceCall call |
+          // Into the callback if the regexp does not sanitize matches
+          hasWildcardReplaceRegExp(call) and
+          pred = call.getReceiver() and
+          succ = call.getReplacementCallback().getParameter(0)
+          or
+          // Out of the callback
+          pred = call.getReplacementCallback().getReturnNode() and
+          succ = call
+        )
       )
     }
   }
 
+  /** Holds if the given call takes a regexp containing a wildcard. */
+  pragma[noinline]
+  private predicate hasWildcardReplaceRegExp(StringReplaceCall call) {
+    RegExp::isWildcardLike(call.getRegExp().getRoot().getAChild*())
+  }
+
   /**
    * A taint propagating data flow edge arising from string formatting.
    */