Fix accidentally removed regex matches for Matcher.matches()

Author: owen-mc

java/ql/lib/semmle/code/java/security/Sanitizers.qll

@@ -43,7 +43,20 @@ class SimpleTypeSanitizer extends DataFlow::Node {
 predicate regexpMatchGuardChecks(Guard guard, Expr e, boolean branch) {
   exists(RegexMatch rm | not rm instanceof Annotation |
     guard = rm and
-    e = rm.getString()
+    (
+      e = rm.getString()
+      or
+      // Special case for MatcherMatchesCall. Consider the following code:
+      //
+      // Matcher matcher = Pattern.compile(regexp).matcher(taintedInput);
+      // if (matcher.matches()) {
+      //     sink(matcher.group(1));
+      // }
+      //
+      // Even though the string is `taintedInput`, we also want to sanitize
+      // `matcher` as it can be used to get substrings of `taintedInput`.
+      e = rm.(MatcherMatchesCall).getQualifier()
+    )
   ) and
   branch = true
 }