Missing Check against Null

Learn how to prevent null pointer exceptions with real code examples and best practices. Protect your application from crashes and unexpected behavior.

Tools recognizing this:

Opengrep Fortify Checkmarx SonarQube Snyk Semgrep CodeQL

What is Missing Check against Null and How Does it Work?

Missing Check against Null is a common programming vulnerability that occurs when code fails to verify if an object reference is null before using it. This can lead to null pointer exceptions (NPEs) at runtime, causing application crashes and potential security vulnerabilities.

The absence of null checks can result in:

Application crashes and unexpected termination
System instability and poor user experience
Potential security vulnerabilities through error messages
Resource leaks and memory issues

This guide covers Missing Check against Null issues, examples, prevention methods, and how to properly handle null references using real-world techniques.

One Simple Missing Check against Null Example

Consider this classic example of accessing an object without null checking:

User user = getUserFromDatabase();
String username = user.getUsername();  // Could throw NullPointerException if user is null

If getUserFromDatabase() returns null, this code will throw a NullPointerException when trying to access getUsername().

The safer version would be:

User user = getUserFromDatabase(); String username = user != null ? user.getUsername() : "default";

This ensures the code handles the null case gracefully instead of throwing an exception.

Null Check Prevention Methods: How to Fix Your Code

The most efficient way to fix Missing Check against Null issues is by using proper null checking mechanisms and modern language features designed for null safety.

These include using the Optional pattern, null-safe operators, Objects.requireNonNull(), and explicit null checks where appropriate.

Code Samples

Vulnerable Code

public void processUser(User user) {
    String name = ;
    System.out.println("Processing user: " + name);
}

Fixed Code

public void processUser(User user) {
    Objects.requireNonNull(user, "User cannot be null");
    String name = user.getName();
    System.out.println("Processing user: " + name);
}

Fix Explanation

The vulnerable code assumes user is never null.The fix uses Objects.requireNonNull() to validate the parameter.This provides a clear error message if null is passed.The check happens early, preventing deeper issues in the method.

Vulnerable Code

function processUser(user) {
    const name = user.name;
    console.log(`Processing user: ${name}`);
}

Fixed Code

function processUser(user) {
    if (!user) {
        throw new Error('User cannot be null');
    }
    const name = user.name ?? 'Unknown';
    console.log(`Processing user: ${name}`);
}

Fix Explanation

The vulnerable code doesn't check if user exists.The fix adds an explicit null check at the start.Uses the nullish coalescing operator (??) for safe property access.Provides a clear error message when null is passed.

Vulnerable Code

def process_user(user):
    name = user.name
    print(f"Processing user: {name}")

Fixed Code

def process_user(user):
    if user is None:
        raise ValueError("User cannot be None")
    name = getattr(user, 'name', 'Unknown')
    print(f"Processing user: {name}")

Fix Explanation

The vulnerable code assumes user is never None.The fix adds an explicit None check.Uses getattr() with a default value for safe attribute access.Raises a descriptive ValueError if None is passed.

Vulnerable Code

public void ProcessUser(User user)
{
    string name = user.Name;
    Console.WriteLine($"Processing user: {name}");
}

Fixed Code

public void ProcessUser(User user)
{
    ArgumentNullException.ThrowIfNull(user);
    string name = user.Name ?? "Unknown";
    Console.WriteLine($"Processing user: {name}");
}

Fix Explanation

The vulnerable code doesn't validate the user parameter.The fix uses ArgumentNullException.ThrowIfNull for parameter validation.Uses the null-coalescing operator (??) for safe property access.Follows C# best practices for null checking.

Vulnerable Code

function processUser($user) {
    $name = $user->name;
    echo "Processing user: " . $name;
}

Fixed Code

function processUser(?User $user) {
    if ($user === null) {
        throw new InvalidArgumentException('User cannot be null');
    }
    $name = $user->name ?? 'Unknown';
    echo "Processing user: " . $name;
}

Fix Explanation

The vulnerable code assumes $user is never null.The fix adds type hinting with nullable operator (?).Includes explicit null check with clear error message.Uses the null coalescing operator (??) for safe property access.

Vulnerable Code

void processUser(User* user) {
    string name = user->getName();
    cout << "Processing user: " << name << endl;
}

Fixed Code

void processUser(User* user) {
    if (user == nullptr) {
        throw invalid_argument("User cannot be null");
    }
    string name = user->getName();
    cout << "Processing user: " << name << endl;
}

Fix Explanation

The vulnerable code doesn't check for null pointer.The fix adds explicit nullptr check.Throws an exception with clear error message if null.Prevents undefined behavior from dereferencing null pointer.

Need more help in preventing Missing Check against Null?

Mobb supports fixing many forms of Missing Check against Null vulnerabilities, and can mitigate your issues in batch.

Start now for free at app.mobb.ai

We'd love your feedback!

We're excited to hear your thoughts and ideas about fixing vulnerabilities.

Book a meeting or Contact us if you have any corrections, questions or suggestions. Start now for free at https://app.mobb.ai

PreviousInsecure Randomness NextMissing Rate Limiting

Last updated 15 hours ago

Was this helpful?