Description
Description of the false positive
CodeQL is reporting a log injection vulnerability even though I am deleting the problematic characters with Kotlin's replace function call with a Regex as its first parameter.
Reading the query (https://github.com/github/codeql/blob/main/java/ql/lib/semmle/code/java/security/LogInjection.qll) I suspect that's because it searches for uses of replace with either Strings or Chars as arguments (in order to check for line break removal), but not uses of replace with Regex as its first argument (in Kotlin, there is no replaceAll function, there is only a replace that can accept either String, Char or Regex).
I have also looked at the tests (https://github.com/github/codeql/blob/main/java/ql/test/query-tests/security/CWE-117/LogInjectionTest.java) and that's why I believe this might be the reason, as the tests always use replaceAll when working with regular expressions (as it is a Java file).
Code samples or links to source code
private fun baseSanitize(param: String) = param.replace(Regex("[^a-zA-Z0-9_-]"), "")
private fun baseSanitize(param: String) = param.replace("[^a-zA-Z0-9_-]".toRegex(), "")
private fun baseSanitize(param: String) = param.replace("\\W".toRegex(), "")
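As an added example (not code from the original issue, from CodeQL, or from the reporter's project), the three sanitizer variants above are run against a constructed value that embeds a CRLF followed by a forged log entry, and each result is checked for leftover line breaks before it reaches the logger. The logging call and the sample input are assumptions made here for the demonstration.

```kotlin
// Added example: the three sanitizers from the report, renamed only so they can coexist in one file.
private fun baseSanitize1(param: String) = param.replace(Regex("[^a-zA-Z0-9_-]"), "")
private fun baseSanitize2(param: String) = param.replace("[^a-zA-Z0-9_-]".toRegex(), "")
private fun baseSanitize3(param: String) = param.replace("\\W".toRegex(), "")

// Constructed stand-in for a real logger: it just prints the line it would write.
private fun logInfo(message: String) = println("INFO $message")

fun main() {
    // Constructed untrusted input: a username, then CRLF and text shaped like a second log line.
    val untrusted = "alice\r\nINFO forged-entry"

    val sanitizers = listOf(
        "Regex(...)" to ::baseSanitize1,
        "toRegex()" to ::baseSanitize2,
        "\\W" to ::baseSanitize3,
    )

    for ((name, sanitize) in sanitizers) {
        val cleaned = sanitize(untrusted)
        // The property the CodeQL query is looking for: no CR or LF survives sanitization.
        check('\r' !in cleaned && '\n' !in cleaned) { "$name left a line break in the value" }
        // Variants 1 and 2 keep '-' (allow-listed); variant 3 drops it, since \W treats '-' as a non-word char.
        logInfo("[$name] login for user '$cleaned'")
    }
}
```

Running this prints one log line per variant; the first two yield `aliceINFOforged-entry` and the `\W` variant yields `aliceINFOforgedentry`, and in all three cases the injected line break is gone, which is the behaviour the report says the query does not recognise when the first argument to replace is a Regex.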