Fix, prevent addHook return values from being treated as XSS sinks

Author: Napalys

javascript/ql/lib/semmle/javascript/frameworks/Fastify.qll

@@ -175,6 +175,9 @@ module Fastify {
     AddHookRouteSetup() { this.getMethodName() = "addHook" }
 
     override predicate isMiddlewareSetup() { any() }
+
+    /** Gets the route handler that is being registered. */
+    RouteHandler getARouteHandler() { result = this.getArgument(1) }
   }
 
   /** Gets the name of the `n`th handler function that can be installed a route setup, in order of execution. */
@@ -328,7 +331,8 @@ module Fastify {
     ResponseSendArgument() {
       this = rh.getAResponseSource().ref().getAMethodCall("send").getArgument(0)
       or
-      this = rh.(DataFlow::FunctionNode).getAReturn()
+      this = rh.(DataFlow::FunctionNode).getAReturn() and
+      not exists(AddHookRouteSetup hookSetup | rh = hookSetup.getARouteHandler())
     }
 
     override RouteHandler getRouteHandler() { result = rh }