Null Pointer Dereference in Actix with Bearer Tokens

In Actix-based Rust services, a null pointer dereference can occur when an authorization header containing a Bearer token is expected but not provided, and the code attempts to dereference an Option or Result without handling the None or Err variant. This becomes a security-relevant issue in the context of Bearer tokens because missing or malformed authentication can bypass intended access controls, leading to unauthorized access or a crash that may be weaponized in a denial-of-service scenario.

Consider an Actix handler that extracts a Bearer token using req.headers().get("Authorization"). This call returns an Option. If the handler immediately calls methods like .unwrap() or pattern-matches without covering the None case, a null pointer dereference can happen when the header is absent. Even when the header is present, a malformed value such as Bearer (missing token) or non-ASCII characters can cause parsing to fail, producing None downstream and triggering the same unsafe dereference. Because Bearer tokens are often used to gate sensitive endpoints, this vulnerability can expose functionality that should be protected, undermining authentication and potentially leaking internal logic or data.

Real-world patterns that exacerbate the issue include chaining extractor results without validation and assuming token format correctness. For example, splitting the header value by whitespace and indexing directly into the resulting slice (e.g., parts[1]) without checking length invites out-of-bounds access, which in Rust can manifest as a null or dangling pointer dereference depending on FFI boundaries or unsafe blocks. In the context of API security scanning, such weaknesses map to authentication bypass and crash primitives, relevant to checks such as Authentication and BOLA/IDOR. The scanner may flag endpoints where token handling lacks robust option/result handling, because these endpoints present a larger attack surface for unauthenticated or malformed-token interactions.

To be detected effectively, an API endpoint should be exercised as an unauthenticated target (black-box scanning), because missing or invalid Bearer tokens are common test cases. middleBrick runs 12 security checks in parallel, including Authentication and Input Validation, to surface these patterns. The scanner does not fix the code, but it provides prioritized findings with severity and remediation guidance, enabling developers to address the root cause before deployment.

An illustrative, insecure snippet that demonstrates the risk is shown below. Note the use of .unwrap() and direct indexing, which can lead to null pointer dereference when the Bearer token is absent or malformed:

use actix_web::{web, HttpRequest, HttpResponse, Error};

async fn insecure_handler(req: HttpRequest) -> Result<HttpResponse, Error> {
    // Risk: unwrap() can panic if Authorization header is missing
    let auth = req.headers().get("Authorization").unwrap();
    // Risk: to_str() can fail, producing None; indexing parts[1] can panic
    let token = auth.to_str().unwrap().split_whitespace().collect<Vec<&str>>();
    let bearer = token[1]; // Null pointer dereference if token has no second part
    if bearer == "secret" {
        Ok(HttpResponse::Ok().body("access granted"))
    } else {
        Ok(HttpResponse::Forbidden().body("invalid token"))
    }
}

Remediation focuses on safe handling of optional values and strict validation of Bearer token format before any dereference. Instead of using .unwrap(), use combinators like .ok_or_else() to convert options into proper HTTP errors, and validate the structure of the Authorization header with pattern checks or dedicated extractors. This ensures that missing or malformed tokens result in a 401 Unauthorized response rather than a crash or bypass.

A secure implementation uses actix_web::http::header::HeaderValue utilities and returns an error when the header is absent or malformed. The following code demonstrates a robust approach that avoids null pointer dereference and enforces Bearer token semantics:

use actix_web::{web, HttpRequest, HttpResponse, Error, http::header};
use actix_web::error::ErrorUnauthorized;

async fn secure_handler(req: HttpRequest) -> Result<HttpResponse, Error> {
    // Safe extraction: return 401 if header missing
    let auth_header = req.headers().get(header::AUTHORIZATION)
        .ok_or_else(|| ErrorUnauthorized("Missing Authorization header"))?;
    // Convert to string safely
    let auth_str = auth_header.to_str().map_err(|_| ErrorUnauthorized("Invalid header encoding"))?;
    // Validate Bearer scheme and extract token
    let parts: Vec<&str> = auth_str.split_whitespace().collect();
    if parts.len() != 2 || parts[0] != "Bearer" {
        return Err(ErrorUnauthorized("Invalid Authorization format, expected Bearer token"));
    }
    let token = parts[1];
    // Example validation: reject empty tokens
    if token.is_empty() {
        return Err(ErrorUnauthorized("Token cannot be empty"));
    }
    // Proceed with token validation (e.g., verify against a store)
    if token == "secret" {
        Ok(HttpResponse::Ok().body("access granted"))
    } else {
        Ok(HttpResponse::Forbidden().body("invalid token"))
    }
}

For production use, consider integrating a dedicated extractor or middleware that centralizes Bearer token parsing and validation. This reduces duplication and ensures consistent error handling across endpoints. The extractor can return a structured token type, making it easier to enforce additional constraints such as token format, scope, or expiration. By avoiding unwraps and indexing on unchecked slices, you eliminate the conditions that lead to null pointer dereference while maintaining compatibility with Actix's asynchronous model.

When using the middleBrick CLI to verify your changes, you can run middlebrick scan <url> against your unauthenticated endpoints to confirm that authentication checks are exercised and that the scanner no longer flags the removed vulnerabilities. The dashboard and GitHub Action integrations can help you track improvements over time and fail builds if security scores degrade.