treat Base64 manipulations as non-sinks

Author: esbena

javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/CoreKnowledge.qll

@@ -205,4 +205,7 @@ predicate isOtherModeledArgument(DataFlow::Node n, FilteringReason reason) {
     exists(DataFlow::FunctionNode f | call = f.getLastParameter().getACall()) and
     reason instanceof NextFunctionCallReason
   )
+  or
+  (exists(Base64::Decode d | n = d.getInput()) or exists(Base64::Encode d | n = d.getInput())) and
+  reason instanceof Base64ManipulationReason
 }

javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/FilteringReasons.qll

@@ -29,7 +29,8 @@ newtype TFilteringReason =
   TArgumentToArrayReason() or
   TArgumentToBuiltinGlobalVarRefReason() or
   TConstantReceiverReason() or
-  TBuiltinCallNameReason()
+  TBuiltinCallNameReason() or
+  TBase64ManipulationReason()
 
 /** A reason why a particular endpoint was filtered out by the endpoint filters. */
 abstract class FilteringReason extends TFilteringReason {
@@ -194,3 +195,9 @@ class BuiltinCallNameReason extends NotASinkReason, TBuiltinCallNameReason {
 
   override int getEncoding() { result = 27 }
 }
+
+class Base64ManipulationReason extends NotASinkReason, TBase64ManipulationReason {
+  override string getDescription() { result = "Base64Manipulation" }
+
+  override int getEncoding() { result = 28 }
+}