From b92203a87f520ad279c7c226d138aaacaa239b98 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen
Date: Wed, 22 Jan 2020 12:04:42 +0100
Subject: [PATCH] Java: Allow null literals as sources in data flow.
---
 .../java/dataflow/internal/DataFlowPrivate.qll | 2 ++
 java/ql/test/library-tests/dataflow/null/A.java | 9 +++++++++
 .../dataflow/null/testnullflow.expected | 4 ++++
 .../library-tests/dataflow/null/testnullflow.ql | 14 ++++++++++++++
 4 files changed, 29 insertions(+)
 create mode 100644 java/ql/test/library-tests/dataflow/null/A.java
 create mode 100644 java/ql/test/library-tests/dataflow/null/testnullflow.expected
 create mode 100644 java/ql/test/library-tests/dataflow/null/testnullflow.ql
diff --git a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
index e41256ac0b0..19515e82804 100644
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
@@ -235,6 +235,8 @@ DataFlowType getErasedRepr(Type t) {
 then result.(BoxedType).getPrimitiveType().getName() = "boolean"
 else result = e
 )
+ or
+ t instanceof NullType and result instanceof TypeObject
 }
 
 /** Gets a string representation of a type returned by `getErasedRepr`. */
diff --git a/java/ql/test/library-tests/dataflow/null/A.java b/java/ql/test/library-tests/dataflow/null/A.java
new file mode 100644
index 00000000000..252358f7996
--- /dev/null
+++ b/java/ql/test/library-tests/dataflow/null/A.java
@@ -0,0 +1,9 @@
+public class A {
+ void sink(Object o) { }
+
+ void foo() {
+ Object src = null;
+ Object x = src;
+ sink(x);
+ }
+}
diff --git a/java/ql/test/library-tests/dataflow/null/testnullflow.expected b/java/ql/test/library-tests/dataflow/null/testnullflow.expected
new file mode 100644
index 00000000000..532d64e81f8
--- /dev/null
+++ b/java/ql/test/library-tests/dataflow/null/testnullflow.expected
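Review bot: The new disjunct `t instanceof NullType and result instanceof TypeObject` carries no comment, and since `getErasedRepr` is used as a function a reader has to convince themselves that the branch binding `e` (it begins before the hunk) yields nothing for a `NullType` before trusting that the predicate stays single-valued. I'd add above the `or`: `// The null literal has type NullType, which has no erasure of its own; represent it as Object so a null literal can act as a data-flow source.` The QLDoc of `getErasedRepr` is outside the hunk and should mention the null case too. I cannot tell from the hunk whether `e` can be bound for a `NullType`; if it can, null would get two representations and the comment should say which one is intended.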
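Review bot: The fixture only moves the null literal through `Object`-typed locals and an `Object` parameter, so the new `TypeObject` representation is never checked against a narrower declared type; if the library's type-compatibility step compares the source's erased representation with the declared type of the variable it reaches, a `String`-typed case is what would exercise it. I'd extend `foo` with `String s = null; sink(s);` and add the matching rows to `testnullflow.expected`.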
@@ -0,0 +1,4 @@
+| A.java:5:18:5:21 | null | A.java:2:13:2:20 | o |
+| A.java:5:18:5:21 | null | A.java:5:18:5:21 | null |
+| A.java:5:18:5:21 | null | A.java:6:16:6:18 | src |
+| A.java:5:18:5:21 | null | A.java:7:10:7:10 | x |
diff --git a/java/ql/test/library-tests/dataflow/null/testnullflow.ql b/java/ql/test/library-tests/dataflow/null/testnullflow.ql
new file mode 100644
index 00000000000..d0937e9c0f4
--- /dev/null
+++ b/java/ql/test/library-tests/dataflow/null/testnullflow.ql
@@ -0,0 +1,14 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+
+class Conf extends DataFlow::Configuration {
+ Conf() { this = "qqconf" }
+
+ override predicate isSource(DataFlow::Node n) { n.asExpr() instanceof NullLiteral }
+
+ override predicate isSink(DataFlow::Node n) { any() }
+}
+
+from Conf conf, DataFlow::Node src, DataFlow::Node sink
+where conf.hasFlow(src, sink)
+select src, sink
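Review bot: `isSink` is `any()`, so every node reachable from a null literal, including the source itself (the `null | null` row in `testnullflow.expected`), is reported; that is acceptable for a library test, but it is worth stating because the expectation file will grow with every statement added to `A.java`. I'd put a comment on the override: `// Every node is a sink: the test enumerates everything a null literal flows to.`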