Mobb User Docs
Start NowBlogsWatch NowContact Us
  • What is Mobb?
  • What's New with Mobb
  • Supported Fixes
  • Getting Started
    • System Requirements
    • Onboarding Guide
      • Registering a Mobb account
      • Try Mobb now!
      • Running Mobb against your own code
      • Automate Mobb in a CI/CD pipeline
    • Working with the Fix Report
    • Mobb CLI Overview
      • Analyze Mode
      • Scan Mode
      • Add SCM Token Mode
      • Review Mode
      • Common Deployment Scenarios
  • Mobb Dashboard
  • Integrating SAST Findings
    • Checkmarx
      • Generating Checkmarx One JSON Report from CLI
    • Snyk
    • SonarQube
      • Generating a SonarQube SAST Report
    • Fortify
    • CodeQL
    • Semgrep/Opengrep
      • Generating a Semgrep SAST Report
      • Generating an Opengrep SAST Report
  • CI/CD Integrations
    • GitHub Actions
      • GitHub Fixer for CxOne
      • GitHub Fixer for Opengrep
    • GitLab Pipeline
    • Azure DevOps
    • Jenkins
    • CircleCI
    • Bamboo
    • Bitbucket Pipeline
  • Administration
    • User Management
    • Project Settings
    • Access Tokens
    • Organization-Level Fix Policy
    • Integrations Page
    • SAML Single Sign-On Flow
  • More Info
    • Mobb Broker
      • Mobb Broker Token Rotation
      • Secure storage of Mobb broker in AWS Secrets Manager
    • Providing Fix Feedback
    • Frequently Asked Questions (FAQ)
    • Data Protection and Retention
    • Service Level Agreement
  • Fixing Guides
    • SQL Injection
    • Path Traversal
    • Log Forging
    • XSS
    • XXE
    • Server Side Request Forgery
    • HttpOnly Cookie Vulnerabilities
    • Hardcoded Domain in HTML
    • Hardcoded Secrets
    • HTTP Response Splitting Attacks
    • Insecure Cookie Vulnerabilities
    • Insecure Randomness
    • Missing Check against Null
    • Missing Rate Limiting
    • Regex Missing Timeout
    • System Information Leakage
  • Mobb REST API Guide
Powered by GitBook
On this page
  • What is Missing Check against Null and How Does it Work?
  • One Simple Missing Check against Null Example
  • Null Check Prevention Methods: How to Fix Your Code
  • Code Samples
  • Need more help in preventing Missing Check against Null?
  • We'd love your feedback!

Was this helpful?

  1. Fixing Guides

Missing Check against Null

Learn how to prevent null pointer exceptions with real code examples and best practices. Protect your application from crashes and unexpected behavior.

Tools recognizing this:

Opengrep Fortify Checkmarx SonarQube Snyk Semgrep CodeQL

What is Missing Check against Null and How Does it Work?

Missing Check against Null is a common programming vulnerability that occurs when code fails to verify if an object reference is null before using it. This can lead to null pointer exceptions (NPEs) at runtime, causing application crashes and potential security vulnerabilities.

The absence of null checks can result in:

  • Application crashes and unexpected termination

  • System instability and poor user experience

  • Potential security vulnerabilities through error messages

  • Resource leaks and memory issues

This guide covers Missing Check against Null issues, examples, prevention methods, and how to properly handle null references using real-world techniques.

One Simple Missing Check against Null Example

Consider this classic example of accessing an object without null checking:

User user = getUserFromDatabase();
String username = user.getUsername();  // Could throw NullPointerException if user is null

If getUserFromDatabase() returns null, this code will throw a NullPointerException when trying to access getUsername().

The safer version would be:

User user = getUserFromDatabase(); String username = user != null ? user.getUsername() : "default";

This ensures the code handles the null case gracefully instead of throwing an exception.

Null Check Prevention Methods: How to Fix Your Code

The most efficient way to fix Missing Check against Null issues is by using proper null checking mechanisms and modern language features designed for null safety.

These include using the Optional pattern, null-safe operators, Objects.requireNonNull(), and explicit null checks where appropriate.

Code Samples

Vulnerable Code

public void processUser(User user) {
    String name = ;
    System.out.println("Processing user: " + name);
}

Fixed Code

public void processUser(User user) {
    Objects.requireNonNull(user, "User cannot be null");
    String name = user.getName();
    System.out.println("Processing user: " + name);
}

Fix Explanation

The vulnerable code assumes user is never null.The fix uses Objects.requireNonNull() to validate the parameter.This provides a clear error message if null is passed.The check happens early, preventing deeper issues in the method.

Vulnerable Code

function processUser(user) {
    const name = user.name;
    console.log(`Processing user: ${name}`);
}

Fixed Code

function processUser(user) {
    if (!user) {
        throw new Error('User cannot be null');
    }
    const name = user.name ?? 'Unknown';
    console.log(`Processing user: ${name}`);
}

Fix Explanation

The vulnerable code doesn't check if user exists.The fix adds an explicit null check at the start.Uses the nullish coalescing operator (??) for safe property access.Provides a clear error message when null is passed.

Vulnerable Code

def process_user(user):
    name = user.name
    print(f"Processing user: {name}")

Fixed Code

def process_user(user):
    if user is None:
        raise ValueError("User cannot be None")
    name = getattr(user, 'name', 'Unknown')
    print(f"Processing user: {name}")

Fix Explanation

The vulnerable code assumes user is never None.The fix adds an explicit None check.Uses getattr() with a default value for safe attribute access.Raises a descriptive ValueError if None is passed.

Vulnerable Code

public void ProcessUser(User user)
{
    string name = user.Name;
    Console.WriteLine($"Processing user: {name}");
}

Fixed Code

public void ProcessUser(User user)
{
    ArgumentNullException.ThrowIfNull(user);
    string name = user.Name ?? "Unknown";
    Console.WriteLine($"Processing user: {name}");
}

Fix Explanation

The vulnerable code doesn't validate the user parameter.The fix uses ArgumentNullException.ThrowIfNull for parameter validation.Uses the null-coalescing operator (??) for safe property access.Follows C# best practices for null checking.

Vulnerable Code

function processUser($user) {
    $name = $user->name;
    echo "Processing user: " . $name;
}

Fixed Code

function processUser(?User $user) {
    if ($user === null) {
        throw new InvalidArgumentException('User cannot be null');
    }
    $name = $user->name ?? 'Unknown';
    echo "Processing user: " . $name;
}

Fix Explanation

The vulnerable code assumes $user is never null.The fix adds type hinting with nullable operator (?).Includes explicit null check with clear error message.Uses the null coalescing operator (??) for safe property access.

Vulnerable Code

void processUser(User* user) {
    string name = user->getName();
    cout << "Processing user: " << name << endl;
}

Fixed Code

void processUser(User* user) {
    if (user == nullptr) {
        throw invalid_argument("User cannot be null");
    }
    string name = user->getName();
    cout << "Processing user: " << name << endl;
}

Fix Explanation

The vulnerable code doesn't check for null pointer.The fix adds explicit nullptr check.Throws an exception with clear error message if null.Prevents undefined behavior from dereferencing null pointer.

Need more help in preventing Missing Check against Null?

We'd love your feedback!

We're excited to hear your thoughts and ideas about fixing vulnerabilities.

PreviousInsecure RandomnessNextMissing Rate Limiting

Last updated 2 months ago

Was this helpful?

supports fixing many forms of Missing Check against Null vulnerabilities, and can mitigate your issues in batch.

Start now for free at

or if you have any corrections, questions or suggestions. Start now for free at https://app.mobb.ai

Mobb
app.mobb.ai
Book a meeting
Contact us