init: add PotentiallyUnguardedProtocolHandler query

ex0dus-0x · ex0dus-0x · commit b5e258233944 · 2025-12-17T10:52:01.000-05:00
diff --git a/java/src/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.qhelp b/java/src/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.qhelp
@@ -0,0 +1,26 @@
+<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
+<qhelp>
+    <overview>
+        <p>
+            URL protocol handlers are used to handle any URL scheme supported by the native desktop.
+            If URL inputs to these handlers are untrusted and not properly sanitized, they can be
+            used to perform unintended actions by another application registered to handle the same
+            protocol.
+        </p>
+    </overview>
+    <recommendation>
+        <p>
+            Review protocol handler sinks and ensure that any URL inputs are properly sanitized if
+            they come from untrusted sources.
+        </p>
+    </recommendation>
+    <references>
+        <li> Positive Security: <a
+                href="https://positive.security/blog/url-open-rce">Allow
+                arbitrary URLs, expect arbitrary code execution</a>
+        </li>
+        <li> CVE-2022-43550: <a href="https://hackerone.com/reports/1692603">Jitsi Desktop Client
+                RCE By Interacting with Malicious URL Schemes on Windows</a>
+        </li>
+    </references>
+</qhelp>
diff --git a/java/src/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.ql b/java/src/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.ql
@@ -0,0 +1,91 @@
+/**
+ * @name Potentially unguarded protocol handler invocation
+ * @id tob/java/unguarded-protocol-handler
+ * @description Detects calls to URL protocol handlers with untrusted input that may not be properly validated for dangerous protocols
+ * @kind path-problem
+ * @tags security
+ *       external/cwe/cwe-939
+ * @precision medium
+ * @problem.severity warning
+ * @security-severity 6.5
+ * @group security
+ */
+
+import java
+import semmle.code.java.dataflow.TaintTracking
+import semmle.code.java.dataflow.FlowSources
+import semmle.code.java.controlflow.Guards
+
+/**
+ * A call to Desktop.browse() method for handling
+ * TODO(alan): also support legacy/generic cases like invoking "rundll32 url.dll,FileProtocolHandler"
+ */
+class DesktopBrowseCall extends MethodCall {
+  DesktopBrowseCall() {
+    this.getMethod().hasName("browse") and
+    this.getMethod().getDeclaringType().hasQualifiedName("java.awt", "Desktop")
+  }
+
+  Expr getUrlArgument() { result = this.getArgument(0) }
+
+  string getDescription() { result = "Desktop.browse()" }
+}
+
+/**
+ * A guard that checks the URL scheme/protocol signifying sanitization before launch
+ */
+predicate isUrlSchemeCheck(Guard g, Expr e, boolean branch) {
+  exists(MethodCall mc |
+    mc = g and
+    e = mc.getQualifier*() and
+    branch = true and
+    (
+      // getScheme() or getProtocol() check
+      mc.getMethod().hasName(["equals", "equalsIgnoreCase", "startsWith", "matches"]) and
+      exists(MethodCall getScheme |
+        getScheme.getParent*() = mc and
+        getScheme.getMethod().hasName(["getScheme", "getProtocol"])
+      )
+      or
+      // URL string contains check like: url.contains("http://") or url.startsWith("https://")
+      mc.getMethod().hasName(["contains", "startsWith", "matches", "indexOf"]) and
+      exists(StringLiteral sl | sl = mc.getAnArgument() | sl.getValue().regexpMatch(".*://.*"))
+      or
+      // Pattern matching on the string representation
+      mc.getMethod().hasName(["matches", "find"]) and
+      mc.getQualifier().getType().(RefType).hasQualifiedName("java.util.regex", "Matcher")
+    )
+  )
+}
+
+/**
+ * Configuration for tracking untrusted data to protocol handler invocations
+ */
+module PotentiallyUnguardedProtocolHandlerConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(DesktopBrowseCall call | sink.asExpr() = call.getUrlArgument())
+  }
+
+  predicate isBarrier(DataFlow::Node node) {
+    // Consider sanitized if there's a guard checking the scheme
+    node = DataFlow::BarrierGuard<isUrlSchemeCheck/3>::getABarrierNode()
+  }
+}
+
+module PotentiallyUnguardedProtocolHandlerFlow =
+  TaintTracking::Global<PotentiallyUnguardedProtocolHandlerConfig>;
+
+import PotentiallyUnguardedProtocolHandlerFlow::PathGraph
+
+from
+  PotentiallyUnguardedProtocolHandlerFlow::PathNode source,
+  PotentiallyUnguardedProtocolHandlerFlow::PathNode sink, DesktopBrowseCall call
+where
+  PotentiallyUnguardedProtocolHandlerFlow::flowPath(source, sink) and
+  sink.getNode().asExpr() = call.getUrlArgument()
+select call, source, sink,
+  call.getDescription() +
+    " is called with untrusted input from $@ without proper URL scheme validation.",
+  source.getNode(), "this source"
diff --git a/java/test/query-tests/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.expected b/java/test/query-tests/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.expected
@@ -0,0 +1,26 @@
+edges
+| PotentiallyUnguardedProtocolHandler.java:10:22:10:48 | getParameter(...) : String | PotentiallyUnguardedProtocolHandler.java:11:45:11:47 | url : String | provenance | Src:MaD:46190  |
+| PotentiallyUnguardedProtocolHandler.java:11:45:11:47 | url : String | PotentiallyUnguardedProtocolHandler.java:11:37:11:48 | new URI(...) | provenance | MaD:44428 Sink:MaD:43969 |
+| PotentiallyUnguardedProtocolHandler.java:20:22:20:48 | getParameter(...) : String | PotentiallyUnguardedProtocolHandler.java:21:27:21:29 | url : String | provenance | Src:MaD:46190  |
+| PotentiallyUnguardedProtocolHandler.java:21:19:21:30 | new URI(...) : URI | PotentiallyUnguardedProtocolHandler.java:23:41:23:43 | uri | provenance | Sink:MaD:43969 |
+| PotentiallyUnguardedProtocolHandler.java:21:27:21:29 | url : String | PotentiallyUnguardedProtocolHandler.java:21:19:21:30 | new URI(...) : URI | provenance | MaD:44428 |
+| PotentiallyUnguardedProtocolHandler.java:34:22:34:48 | getParameter(...) : String | PotentiallyUnguardedProtocolHandler.java:35:27:35:29 | url : String | provenance | Src:MaD:46190  |
+| PotentiallyUnguardedProtocolHandler.java:35:19:35:30 | new URI(...) : URI | PotentiallyUnguardedProtocolHandler.java:39:41:39:43 | uri | provenance | Sink:MaD:43969 |
+| PotentiallyUnguardedProtocolHandler.java:35:27:35:29 | url : String | PotentiallyUnguardedProtocolHandler.java:35:19:35:30 | new URI(...) : URI | provenance | MaD:44428 |
+nodes
+| PotentiallyUnguardedProtocolHandler.java:10:22:10:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| PotentiallyUnguardedProtocolHandler.java:11:37:11:48 | new URI(...) | semmle.label | new URI(...) |
+| PotentiallyUnguardedProtocolHandler.java:11:45:11:47 | url : String | semmle.label | url : String |
+| PotentiallyUnguardedProtocolHandler.java:20:22:20:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| PotentiallyUnguardedProtocolHandler.java:21:19:21:30 | new URI(...) : URI | semmle.label | new URI(...) : URI |
+| PotentiallyUnguardedProtocolHandler.java:21:27:21:29 | url : String | semmle.label | url : String |
+| PotentiallyUnguardedProtocolHandler.java:23:41:23:43 | uri | semmle.label | uri |
+| PotentiallyUnguardedProtocolHandler.java:34:22:34:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| PotentiallyUnguardedProtocolHandler.java:35:19:35:30 | new URI(...) : URI | semmle.label | new URI(...) : URI |
+| PotentiallyUnguardedProtocolHandler.java:35:27:35:29 | url : String | semmle.label | url : String |
+| PotentiallyUnguardedProtocolHandler.java:39:41:39:43 | uri | semmle.label | uri |
+subpaths
+#select
+| PotentiallyUnguardedProtocolHandler.java:11:9:11:49 | browse(...) | PotentiallyUnguardedProtocolHandler.java:10:22:10:48 | getParameter(...) : String | PotentiallyUnguardedProtocolHandler.java:11:37:11:48 | new URI(...) | Desktop.browse() is called with untrusted input from $@ without proper URL scheme validation. | PotentiallyUnguardedProtocolHandler.java:10:22:10:48 | getParameter(...) | this source |
+| PotentiallyUnguardedProtocolHandler.java:23:13:23:44 | browse(...) | PotentiallyUnguardedProtocolHandler.java:20:22:20:48 | getParameter(...) : String | PotentiallyUnguardedProtocolHandler.java:23:41:23:43 | uri | Desktop.browse() is called with untrusted input from $@ without proper URL scheme validation. | PotentiallyUnguardedProtocolHandler.java:20:22:20:48 | getParameter(...) | this source |
+| PotentiallyUnguardedProtocolHandler.java:39:13:39:44 | browse(...) | PotentiallyUnguardedProtocolHandler.java:34:22:34:48 | getParameter(...) : String | PotentiallyUnguardedProtocolHandler.java:39:41:39:43 | uri | Desktop.browse() is called with untrusted input from $@ without proper URL scheme validation. | PotentiallyUnguardedProtocolHandler.java:34:22:34:48 | getParameter(...) | this source |
diff --git a/java/test/query-tests/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.java b/java/test/query-tests/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.java
@@ -0,0 +1,56 @@
+import java.awt.Desktop;
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import javax.servlet.http.HttpServletRequest;
+
+public class PotentiallyUnguardedProtocolHandler {
+
+    public void bad1(HttpServletRequest request) throws IOException, URISyntaxException {
+        String url = request.getParameter("url");
+        Desktop.getDesktop().browse(new URI(url));
+    }
+
+    public void bad2(String userInput) throws IOException, URISyntaxException {
+        URI uri = new URI(userInput);
+        Desktop.getDesktop().browse(uri);
+    }
+
+    public void safe1(HttpServletRequest request) throws IOException, URISyntaxException {
+        String url = request.getParameter("url");
+        URI uri = new URI(url);
+        if (uri.getScheme().equals("https") || uri.getScheme().equals("http")) {
+            Desktop.getDesktop().browse(uri);
+        }
+    }
+
+    public void safe2(String userInput) throws IOException, URISyntaxException {
+        if (userInput.startsWith("https://") || userInput.startsWith("http://")) {
+            Desktop.getDesktop().browse(new URI(userInput));
+        }
+    }
+
+    public void bad3(HttpServletRequest request) throws IOException, URISyntaxException {
+        String url = request.getParameter("url");
+        URI uri = new URI(url);
+
+        // Weak check - only checks if scheme exists, not what it is
+        if (uri.getScheme() != null) {
+            Desktop.getDesktop().browse(uri);
+        }
+    }
+
+    public void safe3(String userInput) throws IOException, URISyntaxException {
+        URI uri = new URI(userInput);
+        String scheme = uri.getScheme();
+
+        if (scheme != null && (scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
+            Desktop.getDesktop().browse(uri);
+        }
+    }
+
+    public void safe4() throws IOException, URISyntaxException {
+        // hardcoded, no untrusted input
+        Desktop.getDesktop().browse(new URI("https://example.com"));
+    }
+}
diff --git a/java/test/query-tests/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.qlref b/java/test/query-tests/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.qlref
@@ -0,0 +1 @@
+security/PotentiallyUnguardedProtocolhandler/PotentiallyUnguardedProtocolhandler.ql

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+security/PotentiallyUnguardedProtocolhandler/PotentiallyUnguardedProtocolhandler.ql`