Null Pointer Dereference in Chi with Mutual Tls

In the Go ecosystem, chi is a popular mux router, and enabling mutual TLS (mTLS) means the server requires and validates client certificates. When mTLS is enforced, the server performs strict verification of the peer certificate chain, common names, and extended key usage. If any of these checks fail, the connection is rejected before reaching application handlers. However, a null pointer dereference can still arise when application code assumes a value extracted from the TLS context or from the request is non-nil after the TLS handshake succeeds.

Consider a handler that retrieves a value from the TLS state or from a request-scoped context set during mTLS verification and then dereferences it without checking for nil. For example, after validating a client certificate, you might store a principal or a parsed subject into the request context. If the extraction logic has a conditional that fails to populate the value under certain valid mTLS configurations (e.g., missing SAN or an unexpected certificate extension), the stored interface holds nil. Later, a handler that uses this value without a guard will panic with a runtime error like panic: runtime error: invalid memory address or nil pointer dereference. This is a null pointer dereference in chi that is exposed specifically because mTLS changes what data is considered present and trusted.

Another scenario involves optional client certificates where mTLS is configured but not required. In such setups, the peer certificate may be nil for unauthenticated requests. If application logic proceeds as though a certificate is present and dereferences fields such as RawSubjectPublicKeyInfo or parsed extensions, a panic occurs. This pattern is a null pointer dereference chi can surface when developers incorrectly assume mutual tls enforcement guarantees a non-nil certificate in all requests.

These issues map onto the broader OWASP API Top 10 category of Security Misconfiguration and Runtime Errors. Even though mTLS strengthens authentication, it does not prevent programming mistakes in handling optional or conditional values derived from the TLS context. The scanner checks for such risky patterns by correlating authentication findings with code paths that may lead to null pointer dereference chi scenarios, emphasizing the need to validate presence before use.

To eliminate null pointer dereference risks in chi when using mutual tls, always check for nil before dereferencing values derived from TLS state or context. Below are concrete, idiomatic remediation examples using chi and standard library TLS handling.

First, ensure your TLS configuration requests but does not require client certificates unless intended, and handle the nil case explicitly:

tlsConfig := &tls.Config{
    ClientAuth: tls.RequestClientCert,
    ClientCAs:  clientCertPool,
}
// In a handler, safely retrieve peer certificates
cert := req.TLS.PeerCertificates
if cert == nil || len(cert) == 0 {
    http.Error(w, "missing client certificate", http.StatusUnauthorized)
    return
}
// Safe to use cert[0] here
subject := cert[0].Subject.String()

If you require mTLS and want to enforce it at the handler level after chi routing, use a middleware that validates the certificate presence before proceeding:

func RequireClientCert(next http.Handler) http.Handler {
    return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
        if req.TLS == nil {
            http.Error(w, "TLS not available", http.StatusInternalServerError)
            return
        }
        certs := req.TLS.PeerCertificates
        if certs == nil || len(certs) == 0 {
            http.Error(w, "client certificate required", http.StatusUnauthorized)
            return
        }
        // Optionally verify extended key usage or SAN here
        next.ServeHTTP(w, req)
    })
}

r := chi.NewRouter()
r.Use(RequireClientCert)
r.Get("/secure", func(w http.ResponseWriter, req *http.Request) {
    // Safe to access certs here
    cert := req.TLS.PeerCertificates[0]
    w.Write([]byte("Authenticated: " + cert.Subject.String()))
})

When storing values from the TLS context into chi request context, use a typed helper that ensures non-nil values or returns an error:

func SetPrincipalFromCert(ctx context.Context, certs []*x509.Certificate) (context.Context, error) {
    if certs == nil || len(cert) == 0 {
        return ctx, errors.New("no certificates available")
    }
    principal := &Principal{
        Subject: certs[0].Subject.String(),
    }
    return context.WithValue(ctx, &principalKey{}, principal), nil
}

// Later in a handler
principal, ok := chi.URLParam(req, "principal")
if !ok {
    http.Error(w, "principal not found", http.StatusBadRequest)
    return
}
// Use principal with nil checks
if principal.Subject == "" {
    http.Error(w, "invalid principal", http.StatusBadRequest)
    return
}

These practices align with findings from scans that correlate authentication checks with chi routes, helping you address null pointer dereference chi patterns. The CLI tool can be used to scan from terminal with middlebrick scan <url>, while the GitHub Action can add API security checks to your CI/CD pipeline to catch such issues before deployment.