JS: Added test cases with new RegExp for Tainted paths, currently works only with literals

Author: Napalys

javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll

@@ -221,10 +221,10 @@ module TaintedPath {
       this instanceof StringReplaceCall and
       input = this.getReceiver() and
       output = this and
-      not exists(RegExpLiteral literal, RegExpTerm term |
-        this.(StringReplaceCall).getRegExp().asExpr() = literal and
+      not exists(DataFlow::RegExpCreationNode regexp, RegExpTerm term |
+        this.(StringReplaceCall).getRegExp() = regexp and
         this.(StringReplaceCall).isGlobal() and
-        literal.getRoot() = term
+        regexp.getRoot() = term
       |
         term.getAMatchedString() = "/" or
         term.getAMatchedString() = "." or

javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/Consistency.expected

@@ -0,0 +1 @@
+| TaintedPath.js:207 | did not expect an alert, but found an alert for TaintedPath | OK -- Might be okay depending on what unknownFlags evaluates to. |  |