From cf820e76118f1ab21482dc602c7e1fbafde5fee2 Mon Sep 17 00:00:00 2001
From: Jean Helie
Date: Thu, 24 Mar 2022 13:27:25 +0100
Subject: [PATCH] add defensive check to ensure Unknown endpoints cannot also be NotASink

---
 .../modelbuilding/extraction/ExtractEndpointData.qll | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointData.qll b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointData.qll
index bea47423797..eb2dfcb88f0 100644
--- a/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointData.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/extraction/ExtractEndpointData.qll
@@ -75,7 +75,11 @@ private DataFlow::Node getAnUnknown(Query query) {
     getATMCfg(query).isEffectiveSink(result) or
     getATMCfg(query).isEffectiveSinkWithOverridingScore(result, _, _)
   ) and
+  // Effective sinks should exclude sinks but this is a defensive requirement
   not result = getASink(query) and
+  // Effective sinks should exclude NotASink but for some queries (e.g. Xss) this is currently not always the case and
+  // so this is a defensive requirement
+  not result = getANotASink(_) and
   // Only consider the source code for the project being analyzed.
   exists(result.getFile().getRelativePath())
 }
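Review bot: The new exclusion `not result = getANotASink(_) and` is scoped differently from the sibling check `not result = getASink(query) and` one line above: the wildcard drops an endpoint from the Unknown set of `query` whenever it is a NotASink for any query, not only the one being extracted. If the intent is the per-query invariant the commit title states, the narrower form `not result = getANotASink(query) and` matches the existing sink check; if the cross-query exclusion is deliberate (because NotASink labels are meant to be query-independent), that deserves a sentence in the comment, since a reader will otherwise assume the `_` is a slip. Either way, the comment on the Xss case is describing a known root cause in the effective-sink predicates rather than a property of this predicate, so a `// TODO:` pointing at the query whose isEffectiveSink still yields NotASink endpoints would make the "defensive" qualifier actionable instead of permanent. Mislabelled Unknown endpoints feed the ATM training data, so the scope of this filter directly affects which examples the model learns from. The body of getAnUnknown begins outside the hunk, so the surrounding conjunction is only partly visible here.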