Learn how to prevent null pointer exceptions with real code examples and best practices. Protect your application from crashes and unexpected behavior.
What is Missing Check against Null and How Does it Work?
Missing Check against Null is a common programming vulnerability that occurs when code fails to verify if an object reference is null before using it. This can lead to null pointer exceptions (NPEs) at runtime, causing application crashes and potential security vulnerabilities.
The absence of null checks can result in:
Application crashes and unexpected termination
System instability and poor user experience
Potential security vulnerabilities through error messages
Resource leaks and memory issues
This guide covers Missing Check against Null issues, examples, prevention methods, and how to properly handle null references using real-world techniques.
One Simple Missing Check against Null Example
Consider this classic example of accessing an object without null checking:
User user = getUserFromDatabase();
String username = user.getUsername(); // Could throw NullPointerException if user is null
If getUserFromDatabase() returns null, this code will throw a NullPointerException when trying to access getUsername().
The safer version would be:
User user = getUserFromDatabase();String username = user != null ? user.getUsername() : "default";
This ensures the code handles the null case gracefully instead of throwing an exception.
Null Check Prevention Methods: How to Fix Your Code
The most efficient way to fix Missing Check against Null issues is by using proper null checking mechanisms and modern language features designed for null safety.
These include using the Optional pattern, null-safe operators, Objects.requireNonNull(), and explicit null checks where appropriate.
Code Samples
Vulnerable Code
public void processUser(User user) {
String name = ;
System.out.println("Processing user: " + name);
}
Fixed Code
public void processUser(User user) {
Objects.requireNonNull(user, "User cannot be null");
String name = user.getName();
System.out.println("Processing user: " + name);
}
Fix Explanation
The vulnerable code assumes user is never null.The fix uses Objects.requireNonNull() to validate the parameter.This provides a clear error message if null is passed.The check happens early, preventing deeper issues in the method.
Vulnerable Code
function processUser(user) {
const name = user.name;
console.log(`Processing user: ${name}`);
}
Fixed Code
function processUser(user) {
if (!user) {
throw new Error('User cannot be null');
}
const name = user.name ?? 'Unknown';
console.log(`Processing user: ${name}`);
}
Fix Explanation
The vulnerable code doesn't check if user exists.The fix adds an explicit null check at the start.Uses the nullish coalescing operator (??) for safe property access.Provides a clear error message when null is passed.
Vulnerable Code
def process_user(user):
name = user.name
print(f"Processing user: {name}")
Fixed Code
def process_user(user):
if user is None:
raise ValueError("User cannot be None")
name = getattr(user, 'name', 'Unknown')
print(f"Processing user: {name}")
Fix Explanation
The vulnerable code assumes user is never None.The fix adds an explicit None check.Uses getattr() with a default value for safe attribute access.Raises a descriptive ValueError if None is passed.
Vulnerable Code
public void ProcessUser(User user)
{
string name = user.Name;
Console.WriteLine($"Processing user: {name}");
}
Fixed Code
public void ProcessUser(User user)
{
ArgumentNullException.ThrowIfNull(user);
string name = user.Name ?? "Unknown";
Console.WriteLine($"Processing user: {name}");
}
Fix Explanation
The vulnerable code doesn't validate the user parameter.The fix uses ArgumentNullException.ThrowIfNull for parameter validation.Uses the null-coalescing operator (??) for safe property access.Follows C# best practices for null checking.
function processUser(?User $user) {
if ($user === null) {
throw new InvalidArgumentException('User cannot be null');
}
$name = $user->name ?? 'Unknown';
echo "Processing user: " . $name;
}
Fix Explanation
The vulnerable code assumes $user is never null.The fix adds type hinting with nullable operator (?).Includes explicit null check with clear error message.Uses the null coalescing operator (??) for safe property access.
Vulnerable Code
void processUser(User* user) {
string name = user->getName();
cout << "Processing user: " << name << endl;
}
Fixed Code
void processUser(User* user) {
if (user == nullptr) {
throw invalid_argument("User cannot be null");
}
string name = user->getName();
cout << "Processing user: " << name << endl;
}
Fix Explanation
The vulnerable code doesn't check for null pointer.The fix adds explicit nullptr check.Throws an exception with clear error message if null.Prevents undefined behavior from dereferencing null pointer.
Need more help in preventing Missing Check against Null?
Mobb supports fixing many forms of Missing Check against Null vulnerabilities, and can mitigate your issues in batch.
