JS: Use StringReplaceCall

Author: asgerf

javascript/ql/src/semmle/javascript/StandardLibrary.qll

@@ -121,6 +121,11 @@ class StringReplaceCall extends DataFlow::MethodCallNode {
    */
   DataFlow::Node getRawReplacement() { result = getArgument(1) }
 
+  /**
+   * Gets a function flowing into the second argument of this call to `replace`.
+   */
+  DataFlow::FunctionNode getReplacementCallback() { result = getCallback(1) }
+
   /**
    * Holds if this is a global replacement, that is, the first argument is a regular expression
    * with the `g` flag.

javascript/ql/src/semmle/javascript/dataflow/TaintTracking.qll

@@ -757,9 +757,8 @@ module TaintTracking {
     private predicate staticRegExpCaptureStep(DataFlow::Node pred, DataFlow::Node succ) {
       getACaptureSetter(pred) = getANodeReachingCaptureRef(succ)
       or
-      exists(DataFlow::MethodCallNode replace |
-        replace.getMethodName() = "replace" and
-        getANodeReachingCaptureRef(succ) = replace.getCallback(1).getFunction().getEntry() and
+      exists(StringReplaceCall replace |
+        getANodeReachingCaptureRef(succ) = replace.getReplacementCallback().getFunction().getEntry() and
         pred = replace.getReceiver()
       )
     }