From fc12b0bb5e962e84b93b590a23d18c557e80ac2f Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 26 Oct 2020 09:21:01 +0000
Subject: [PATCH 1/3] JS: Do not crash on empty package.json file

---
 .../extractor/src/com/semmle/js/extractor/AutoBuild.java       | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java b/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java
index 8b9438a52ac..5ebe88d3584 100644
--- a/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java
+++ b/javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java
@@ -746,6 +746,9 @@ protected DependencyInstallationResult preparePackagesAndDependencies(Set<Path>
       if (file.getFileName().toString().equals("package.json")) {
         try {
           PackageJson packageJson = new Gson().fromJson(new WholeIO().read(file), PackageJson.class);
+          if (packageJson == null) {
+            continue;
+          }
           file = file.toAbsolutePath();
           if (tryRelativize(sourceRoot, file) == null) {
             continue; // Ignore package.json files outside the source root.

From f6c09725238c12004eeec145a45acca4e6c56302 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 26 Oct 2020 09:21:56 +0000
Subject: [PATCH 2/3] JS: Guard other uses of Gson.fromJson

---
 .../src/com/semmle/js/dependencies/Fetcher.java        | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/javascript/extractor/src/com/semmle/js/dependencies/Fetcher.java b/javascript/extractor/src/com/semmle/js/dependencies/Fetcher.java
index 79fc7c2c65a..fa996f1b34e 100644
--- a/javascript/extractor/src/com/semmle/js/dependencies/Fetcher.java
+++ b/javascript/extractor/src/com/semmle/js/dependencies/Fetcher.java
@@ -19,6 +19,8 @@ import java.util.List;
 import java.util.regex.Pattern;
 
 import com.google.gson.Gson;
+import com.google.gson.JsonParseException;
+
 import com.semmle.js.dependencies.packument.Packument;
 
 import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
@@ -84,7 +86,13 @@ public class Fetcher {
         }
         System.out.println("Fetching package metadata for " + packageName);
         try (Reader reader = new BufferedReader(new InputStreamReader(fetch("https://registry.npmjs.org/" + packageName)))) {
-            return new Gson().fromJson(reader, Packument.class);
+            Packument packument = new Gson().fromJson(reader, Packument.class);
+            if (packument == null) {
+                throw new IOException("Malformed packument for " + packageName);
+            }
+            return packument;
+        } catch (JsonParseException ex) {
+            throw new IOException("Malformed packument for " + packageName, ex);
         }
     }
 

From c353f6109129e58995b18cf0caf2cdfe65952dc3 Mon Sep 17 00:00:00 2001
From: Asger Feldthaus <asgerf@github.com>
Date: Mon, 26 Oct 2020 09:58:37 +0000
Subject: [PATCH 3/3] JS: Add test case

---
 .../ql/test/library-tests/MalformedPackageJson/Test.expected | 4 ++++
 .../ql/test/library-tests/MalformedPackageJson/Test.ql       | 5 +++++
 .../MalformedPackageJson/nullContents/package.json           | 1 +
 javascript/ql/test/library-tests/MalformedPackageJson/tst.js | 2 ++
 4 files changed, 12 insertions(+)
 create mode 100644 javascript/ql/test/library-tests/MalformedPackageJson/Test.expected
 create mode 100644 javascript/ql/test/library-tests/MalformedPackageJson/Test.ql
 create mode 100644 javascript/ql/test/library-tests/MalformedPackageJson/nullContents/package.json
 create mode 100644 javascript/ql/test/library-tests/MalformedPackageJson/tst.js

diff --git a/javascript/ql/test/library-tests/MalformedPackageJson/Test.expected b/javascript/ql/test/library-tests/MalformedPackageJson/Test.expected
new file mode 100644
index 00000000000..6e33d556817
--- /dev/null
+++ b/javascript/ql/test/library-tests/MalformedPackageJson/Test.expected
@@ -0,0 +1,4 @@
+files
+| nullContents/package.json:0:0:0:0 | nullContents/package.json |
+| tst.js:0:0:0:0 | tst.js |
+packageJsons
diff --git a/javascript/ql/test/library-tests/MalformedPackageJson/Test.ql b/javascript/ql/test/library-tests/MalformedPackageJson/Test.ql
new file mode 100644
index 00000000000..3f0d3eb4607
--- /dev/null
+++ b/javascript/ql/test/library-tests/MalformedPackageJson/Test.ql
@@ -0,0 +1,5 @@
+import javascript
+
+query File files() { any() }
+
+query PackageJSON packageJsons() { any() }
diff --git a/javascript/ql/test/library-tests/MalformedPackageJson/nullContents/package.json b/javascript/ql/test/library-tests/MalformedPackageJson/nullContents/package.json
new file mode 100644
index 00000000000..ec747fa47dd
--- /dev/null
+++ b/javascript/ql/test/library-tests/MalformedPackageJson/nullContents/package.json
@@ -0,0 +1 @@
+null
\ No newline at end of file
diff --git a/javascript/ql/test/library-tests/MalformedPackageJson/tst.js b/javascript/ql/test/library-tests/MalformedPackageJson/tst.js
new file mode 100644
index 00000000000..2c3e68a8966
--- /dev/null
+++ b/javascript/ql/test/library-tests/MalformedPackageJson/tst.js
@@ -0,0 +1,2 @@
+// This file is just here to ensure some JS code is extracted
+let x = 'hey';