Merge pull request #2671 from aschackmull/java/null-flow

Java: Allow null literals as sources in data flow.

Author: yo-h

java/ql/src/semmle/code/java/dataflow/internal/DataFlowPrivate.qll

@@ -235,6 +235,8 @@ DataFlowType getErasedRepr(Type t) {
       then result.(BoxedType).getPrimitiveType().getName() = "boolean"
       else result = e
   )
+  or
+  t instanceof NullType and result instanceof TypeObject
 }
 
 /** Gets a string representation of a type returned by `getErasedRepr`. */

java/ql/test/library-tests/dataflow/null/A.java

@@ -0,0 +1,9 @@
+public class A {
+  void sink(Object o) { }
+
+  void foo() {
+    Object src = null;
+    Object x = src;
+    sink(x);
+  }
+}

java/ql/test/library-tests/dataflow/null/testnullflow.expected

@@ -0,0 +1,4 @@
+| A.java:5:18:5:21 | null | A.java:2:13:2:20 | o |
+| A.java:5:18:5:21 | null | A.java:5:18:5:21 | null |
+| A.java:5:18:5:21 | null | A.java:6:16:6:18 | src |
+| A.java:5:18:5:21 | null | A.java:7:10:7:10 | x |

java/ql/test/library-tests/dataflow/null/testnullflow.ql

@@ -0,0 +1,14 @@
+import java
+import semmle.code.java.dataflow.DataFlow
+
+class Conf extends DataFlow::Configuration {
+  Conf() { this = "qqconf" }
+
+  override predicate isSource(DataFlow::Node n) { n.asExpr() instanceof NullLiteral }
+
+  override predicate isSink(DataFlow::Node n) { any() }
+}
+
+from Conf conf, DataFlow::Node src, DataFlow::Node sink
+where conf.hasFlow(src, sink)
+select src, sink