Skip to content

🐛 Fix nil pointer dereferences in Azure provider#6945

Closed
tas50 wants to merge 2 commits intomainfrom
fix/azure-nil-pointer-crashes
Closed

🐛 Fix nil pointer dereferences in Azure provider#6945
tas50 wants to merge 2 commits intomainfrom
fix/azure-nil-pointer-crashes

Conversation

@tas50
Copy link
Copy Markdown
Member

@tas50 tas50 commented Mar 16, 2026

Summary

  • Add nil checks for Azure SDK pointer-typed Properties fields across 8 resource files to prevent panics when API responses contain nil values
  • Guards added for nested pointer chains like entry.Properties.PowerState.Code, vng.Properties.BgpSettings.BgpPeeringAddresses, flowLog.Properties.RetentionPolicy, etc.
  • Fixes crash points in: advisor, AKS, cloud defender, compute, IAM, monitor, network (flow logs, VPN gateways, firewalls), and SQL resources

Test plan

  • go build ./... passes in providers/azure/ (verified locally)
  • go vet ./... passes in providers/azure/ (verified locally)
  • Run mql shell azure and query affected resources: azure.subscription.advisor.recommendations, azure.subscription.aksService.clusters, azure.subscription.cloudDefender.monitoringAgentAutoProvision, azure.subscription.networkService.virtualNetworkGateways, azure.subscription.networkService.watchers { flowLogs }, azure.subscription.sqlService.databases
  • Verify no regressions in existing Azure provider tests

🤖 Generated with Claude Code

@tas50 @claude
🐛 Fix nil pointer dereferences in Azure provider
feb11ae 
Add nil checks for Azure SDK pointer-typed Properties fields across
multiple resources to prevent panics when API responses contain nil
values.

Files fixed:
- advisor.go: guard r.Properties before accessing recommendations
- aks.go: guard entry.Properties.PowerState, use convert.ToValue for entry.ID
- cloud_defender.go: guard setting.Properties and containersPricing.Properties
- compute.go: guard networkInterface.Properties, config.Properties, ip.ID
- iam.go: guard roleDef.Properties and roleDef.ID
- monitor.go: guard entry.Properties.Actions and .Condition
- network.go: guard flowLog.Properties, vng.Properties.BgpSettings,
  vng.Properties.SKU, ipc.Properties, fw.Properties, ipConfig.Properties
- sql.go: guard entry.Properties, entry.SKU, vaSettings.Properties,
  vaSettings.Properties.RecurringScans

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
mondoo-code-review[bot]
mondoo-code-review bot previously requested changes Mar 16, 2026
View reviewed changes
Copy link
Copy Markdown

@mondoo-code-review mondoo-code-review bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Azure provider will still crash on nil Properties in firewall resources despite partial fix.

Additional findings (file/line not in diff):

  • 🔴 providers/azure/resources/network.go:2279Nil pointer dereference not fixed here. fw.Properties.SKU.Tier, fw.Properties.SKU.Name, fw.Properties.ProvisioningState, and fw.Properties.ThreatIntelMode are accessed without checking fw.Properties or fw.Properties.SKU for nil — the same class of bug this PR is fixing elsewhere.

Apply the same pattern used for virtualNetworkGateways (line ~1177):

args := map[string]*llx.RawData{
    // ... safe fields only ...
}
if fw.Properties != nil {
    args["provisioningState"] = llx.StringDataPtr((*string)(fw.Properties.ProvisioningState))
    args["threatIntelMode"] = llx.StringDataPtr((*string)(fw.Properties.ThreatIntelMode))
    if fw.Properties.SKU != nil {
        args["skuTier"] = llx.StringDataPtr((*string)(fw.Properties.SKU.Tier))
        args["skuName"] = llx.StringDataPtr((*string)(fw.Properties.SKU.Name))
    }
}
  • 🔴 providers/azure/resources/network.go:2288 — Two remaining nil dereferences:
  1. Line 2288: fw.Properties.ManagementIPConfiguration is accessed without first checking fw.Properties != nil.
  2. Line 2299: ipConfig.Properties.PrivateIPAddress is accessed without checking ipConfig.Properties != nil — the exact bug fixed for the IP configs loop above (line 2200-2202).

Fix:

if fw.Properties != nil && fw.Properties.ManagementIPConfiguration != nil {
    ipConfig := fw.Properties.ManagementIPConfiguration
    // ...
    var privateIP *llx.RawData = llx.NilData
    if ipConfig.Properties != nil {
        privateIP = llx.StringDataPtr(ipConfig.Properties.PrivateIPAddress)
    }
    // use privateIP in CreateResource
}

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 16, 2026
edited
Loading

Test Results

5 477 tests  ±0   5 473 ✅ ±0   2m 1s ⏱️ -2s
  411 suites ±0       4 💤 ±0 
   31 files   ±0       0 ❌ ±0 

Results for commit 8771e99. ± Comparison against base commit 8384ca1.

♻️ This comment has been updated with latest results.

@tas50 tas50 added the pending-testing Waiting on manual testing label Mar 16, 2026
@tas50 @claude
🐛 Fix remaining nil pointer dereferences in firewall resources
8771e99 
Address review: guard fw.Properties.SKU, fw.Properties.ProvisioningState,
fw.Properties.ThreatIntelMode, fw.Properties.ManagementIPConfiguration,
and ipConfig.Properties.PrivateIPAddress in the management IP config.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@mondoo-code-review mondoo-code-review bot dismissed their stale review March 16, 2026 23:33

Superseded by new review

mondoo-code-review[bot]
mondoo-code-review bot approved these changes Mar 16, 2026
View reviewed changes
Copy link
Copy Markdown

@mondoo-code-review mondoo-code-review bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixes nil pointer crashes when Azure API responses have missing Properties fields.

providers/azure/resources/network.go
Comment on lines +2194 to +2218
if fw.Properties != nil {
for _, ipConfig := range fw.Properties.IPConfigurations {
ipProps, err := convert.JsonToDict(ipConfig.Properties)
if err != nil {
return nil, err
}
var privateIP *llx.RawData = llx.NilData
if ipConfig.Properties != nil {
privateIP = llx.StringDataPtr(ipConfig.Properties.PrivateIPAddress)
}
mqlIpConfig, err := CreateResource(runtime, "azure.subscription.networkService.firewall.ipConfig",
map[string]*llx.RawData{
"id": llx.StringDataPtr(ipConfig.ID),
"name": llx.StringDataPtr(ipConfig.Name),
"etag": llx.StringDataPtr(ipConfig.Etag),
"privateIpAddress": privateIP,
"properties": llx.DictData(ipProps),
})
if err != nil {
return nil, err
}
ipConfigs = append(ipConfigs, mqlIpConfig)
}
natRules = append(natRules, mqlNatRule)
}
for _, networkRule := range fw.Properties.NetworkRuleCollections {
props, err := convert.JsonToDict(networkRule.Properties)
if err != nil {
return nil, err
}
mqlNetworkRule, err := CreateResource(runtime, "azure.subscription.networkService.firewall.networkRule",
map[string]*llx.RawData{
"id": llx.StringDataPtr(networkRule.ID),
"name": llx.StringDataPtr(networkRule.Name),
"etag": llx.StringDataPtr(networkRule.Etag),
"properties": llx.DictData(props),
})
if err != nil {
return nil, err
if fw.Properties != nil {
Copy link
Copy Markdown

@mondoo-code-review mondoo-code-review bot Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔵 suggestion — The two separate if fw.Properties != nil blocks (one for IPConfigurations and another for NatRuleCollections/NetworkRuleCollections/ApplicationRuleCollections) could be consolidated into a single block to reduce duplication.

@tas50 tas50 closed this Mar 18, 2026
@github-actions github-actions bot locked and limited conversation to collaborators Mar 18, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@mondoo-code-review mondoo-code-review[bot] mondoo-code-review[bot] approved these changes

Assignees

No one assigned

Labels

pending-testing Waiting on manual testing

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tas50