ModSecurity-nginx

Possible dereference of Null

Open LM4O322 opened this issue 6 months ago • 2 comments

As a result of static analysis of the nginx source code (including ngx_http_modsecurity_module) with the Svace static analyzer, I found an error of category "DEREFERENCE OF NULL" (the checker finds situations where a possibly null value can be dereferenced) in ngx_http_modsecurity_module.c.

Initialization with a possibly null returned value here: https://github.com/owasp-modsecurity/ModSecurity-nginx/blob/fd28e6ae3bc9e3e33e5ab177afce5c24af41a6ed/src/ngx_http_modsecurity_module.c#L202

And the dereference of the location->key field here: https://github.com/owasp-modsecurity/ModSecurity-nginx/blob/fd28e6ae3bc9e3e33e5ab177afce5c24af41a6ed/src/ngx_http_modsecurity_module.c#L203


Found by Linux Verification Center with SVACE

LM4O322, Jul 08 '25 11:07

I think that a check should be added to the value assigned to the location variable.

LM4O322, Jul 08 '25 11:07

Hi @LM4O322,

could you send a PR to fix this issue?

airween, Nov 04 '25 13:11
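
The check suggested in this thread, sketched as an added example that is not ModSecurity-nginx code and not a proposed patch: the flagged pattern next to its checked form. `header_t`, `header_list_t`, `list_push` and both `set_location_*` functions are hypothetical stand-ins for the module's real types and calls; `list_push` models any call whose result may be NULL.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins, not nginx types: one header entry and a tiny list. */
typedef struct { const char *key; const char *value; } header_t;
typedef struct { header_t slots[2]; size_t used; } header_list_t;

/* Models a push that can fail: returns NULL once no slot is left. */
header_t *list_push(header_list_t *l) {
    if (l->used >= sizeof(l->slots) / sizeof(l->slots[0]))
        return NULL;
    return &l->slots[l->used++];
}

/* Flagged pattern: the possibly-NULL result is dereferenced unconditionally.
 * Kept for contrast; only safe while the list still has room. */
void set_location_unchecked(header_list_t *l, const char *url) {
    header_t *location = list_push(l);
    location->key = "Location";      /* NULL dereference if the push failed */
    location->value = url;
}

/* Checked form: test the pointer first and report failure to the caller. */
int set_location_checked(header_list_t *l, const char *url) {
    header_t *location = list_push(l);
    if (location == NULL)
        return -1;                   /* caller decides how to fail the request */
    location->key = "Location";
    location->value = url;
    return 0;
}

int main(void) {
    header_list_t l = { .used = 0 };                 /* constructed sample state */
    set_location_unchecked(&l, "https://example.test/a");
    int ok   = set_location_checked(&l, "https://example.test/b");
    int full = set_location_checked(&l, "https://example.test/c");
    /* Exit 0 only if the second push worked and the third was refused. */
    return (ok == 0 && full == -1 && strcmp(l.slots[1].key, "Location") == 0) ? 0 : 1;
}
```

In the checked form a failed push becomes an error return that the caller can handle, instead of a crash in the process serving the request.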