Java: Allow null literals as sources in data flow.

2026-04-28 10:15:14 +02:00 · 2020-01-22 12:04:42 +01:00
parent 80997a3323
commit b92203a87f
4 changed files with 29 additions and 0 deletions
--- a/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
+++ b/java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll
@@ -235,6 +235,8 @@ DataFlowType getErasedRepr(Type t) {
      then result.(BoxedType).getPrimitiveType().getName() = "boolean"
      else result = e
  )
+  or
+  t instanceof NullType and result instanceof TypeObject
 }

 /** Gets a string representation of a type returned by `getErasedRepr`. */
--- a/java/ql/test/library-tests/dataflow/null/A.java
+++ b/java/ql/test/library-tests/dataflow/null/A.java
@@ -0,0 +1,9 @@
+public class A {
+  void sink(Object o) { }
+
+  void foo() {
+    Object src = null;
+    Object x = src;
+    sink(x);
+  }
+}
--- a/java/ql/test/library-tests/dataflow/null/testnullflow.expected
+++ b/java/ql/test/library-tests/dataflow/null/testnullflow.expected
@@ -0,0 +1,4 @@
+| A.java:5:18:5:21 | null | A.java:2:13:2:20 | o |
+| A.java:5:18:5:21 | null | A.java:5:18:5:21 | null |
+| A.java:5:18:5:21 | null | A.java:6:16:6:18 | src |
+| A.java:5:18:5:21 | null | A.java:7:10:7:10 | x |
--- a/java/ql/test/library-tests/dataflow/null/testnullflow.ql
+++ b/java/ql/test/library-tests/dataflow/null/testnullflow.ql
@@ -0,0 +1,14 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+
+class Conf extends DataFlow::Configuration {
+  Conf() { this = "qqconf" }
+
+  override predicate isSource(DataFlow::Node n) { n.asExpr() instanceof NullLiteral }
+
+  override predicate isSink(DataFlow::Node n) { any() }
+}
+
+from Conf conf, DataFlow::Node src, DataFlow::Node sink
+where conf.hasFlow(src, sink)
+select src, sink