# NULL Pointer Dereference (CWE-476)

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL.

- Prevalence: Medium (2 languages covered)
- Impact: Medium (review recommended)
- Prevention: Documented (2 fix examples)

**OWASP:** Insecure Design (A04:2021-Insecure Design) - #4

## Description

NULL pointer dereferences typically cause the application to crash. In some cases, they may be exploitable for denial of service or potentially for code execution.

## Prevention

### Go

Use the two-value form of type assertion or type switch to handle failures gracefully

### JavaScript

Replace non-null assertions (!) with explicit null checks or optional chaining

## Warning Signs

- [LOW] Non-null assertion (!), used on '...' without explicit null/undefined check. This may cause runtime crashes if the value

## Consequences

- DoS: crash / exit / restart

## Mitigations

- Check pointers before dereferencing them
- Use language features that prevent null pointer problems
- Implement proper error handling for null returns

## Detection

- Total rules: 2
- Languages: go, typescript

## Rules by Language

### Go (1 rule)

- **Unsafe Type Assertion Without Ok Check** [MEDIUM]: Type assertion without two-value form can panic at runtime.
- Remediation: Use the two-value form of type assertion to handle failures gracefully.

```go
// Two-value form: ok is false when data holds another type, instead of a panic.
result, ok := data.(map[string]interface{})
if !ok {
	return errors.New("invalid data type")
}
```

Learn more: https://shoulder.dev/learn/go/cwe-476/unsafe-type-assertion

### TypeScript (1 rule)

- **Non-Null Assertion Without Null Check** [LOW]: The non-null assertion operator (!) bypasses null/undefined checks at compile time without runtime safety, causing crashes when values are unexpectedly null.
- Remediation: Use explicit null checks or optional chaining instead of non-null assertions.

```typescript
function getUserEmail(userId: string) {
  // find() returns undefined when nothing matches, so check before using the result.
  const user = users.find(u => u.id === userId);
  if (!user) {
    throw new Error('User not found');
  }
  return user.email;
}
```

Learn more: https://shoulder.dev/learn/typescript/cwe-476/non-null-assertion
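
The Go rule above, as an added example (not code from the original page or from the rule set it describes): the flagged single-value assertion next to the two-value form and a type switch, run over a wrong type, a nil interface and a missing key. The function names, the `name` field and the sample inputs are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

var errBadPayload = errors.New("invalid data type") // same message as the rule's fix

// unsafeName uses the flagged single-value form; recover() only lets the demo report the panic.
func unsafeName(data interface{}) (name string, panicked bool) {
	defer func() { panicked = recover() != nil }()
	obj := data.(map[string]interface{})
	return obj["name"].(string), false
}

// safeName uses the two-value form at every assertion and returns an error.
func safeName(data interface{}) (string, error) {
	obj, ok := data.(map[string]interface{})
	if !ok {
		return "", errBadPayload
	}
	name, ok := obj["name"].(string)
	if !ok {
		return "", fmt.Errorf("%w: name is %T, want string", errBadPayload, obj["name"])
	}
	return name, nil
}

// describe uses a type switch, which cannot panic and handles nil explicitly.
func describe(data interface{}) string {
	switch v := data.(type) {
	case nil:
		return "nil"
	case map[string]interface{}:
		return fmt.Sprintf("object with %d keys", len(v))
	default:
		return fmt.Sprintf("unexpected %T", v)
	}
}

func main() {
	// Constructed inputs: valid object, wrong type, nil interface, missing key.
	for _, in := range []interface{}{map[string]interface{}{"name": "alice"}, "alice", nil, map[string]interface{}{}} {
		_, panicked := unsafeName(in)
		name, err := safeName(in)
		fmt.Printf("%-20s unsafe panicked=%-5v safe=(%q, %v)\n", describe(in), panicked, name, err)
	}
}
```

Only the valid object passes through `unsafeName` without a panic; the missing-key case shows that an assertion on a map lookup needs the `ok` check as well, because the lookup yields a nil interface.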