JS: Add steps into static regexp capture group references

[asgerf]

Adds taint steps from regexp matching to a following use of RegExp.$1 or similar.

• This query console run shows a bunch of new taint steps.
• security/smoke-test looks uneventful, but also showing a couple of new taint steps.

Note that we don't check if the regexp in the capture group is restrictive enough to sanitize the input. I've (re)created an issue for it here.

Also note that RegExp.$1 and friends are only assigned to on a successful match. If the match fails, the old values remain. I added test cases to explain this, but couldn't find any real-world examples where this mattered, so I kept it simple by just assuming every match erases the old values, regardless of whether there is a success check.

Fixes #3739.

[erik-krogh]

I think this is a better solution than the basic-block based idea I had to solve the same issue 👍

Just some small docstring comments from my end.

I'm also interested in seeing how it scales to larger benchmarks.

[esbena]

Suggested change

	exists(DataFlow::MethodCallNode replace |
	replace.getMethodName() = "replace" and
	getANodeReachingCaptureRef(succ) = replace.getCallback(1).getFunction().getEntry() and
	pred = replace.getReceiver()
	)
	exists(StringReplaceCall replace |
	getANodeReachingCaptureRef(succ) = replace.getRawReplacement().getFunction().getEntry() and
	pred = replace.getReceiver()
	)

[asgerf]

We'd need getALocalSource().(DataFlow::FunctionNode). in there as well, which was a bit verbose, so I added StringReplaceCall.getReplacementCallback() instead, PTAL.

[asgerf]

Running an evaluation on big-apps.

[asgerf]

Big-apps evaluation went fine.

[asgerf]

@esbena can I get an approve? You're still requesting changes.