Add docs and fix CI/CD issue

Author: ex0dus-0x

README.md

@@ -48,6 +48,7 @@ codeql database analyze database.db --format=sarif-latest --output=./tob.sarif -
 |[Async unsafe signal handler](./cpp/src/docs/security/AsyncUnsafeSignalHandler/AsyncUnsafeSignalHandler.md)|Async unsafe signal handler (like the one used in CVE-2024-6387)|warning|high|
 |[Invalid string size passed to string manipulation function](./cpp/src/docs/security/CStrnFinder/CStrnFinder.md)|Finds calls to functions that take as input a string and its size as separate arguments (e.g., `strncmp`, `strncat`, ...) and the size argument is wrong|error|low|
 |[Missing null terminator](./cpp/src/docs/security/NoNullTerminator/NoNullTerminator.md)|This query finds incorrectly initialized strings that are passed to functions expecting null-byte-terminated strings|error|high|
+|[Potentially unguarded protocol handler invocation](./cpp/src/docs/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.md)|Detects calls to URL protocol handlers with untrusted input that may not be properly validated for dangerous protocols|warning|medium|
 |[Unsafe implicit integer conversion](./cpp/src/docs/security/UnsafeImplicitConversions/UnsafeImplicitConversions.md)|Finds implicit integer casts that may overflow or be truncated, with false positive reduction via Value Range Analysis|warning|low|
 
 ### Go
@@ -72,6 +73,7 @@ codeql database analyze database.db --format=sarif-latest --output=./tob.sarif -
 
 | Name | Description | Severity | Precision  |
 | ---  | ----------- | :----:   | :--------: |
+|[Potentially unguarded protocol handler invocation](./java/src/docs/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.md)|Detects calls to URL protocol handlers with untrusted input that may not be properly validated for dangerous protocols|warning|medium|
 |[Recursive functions](./java-kotlin/src/docs/security/Recursion/Recursion.md)|Detects recursive calls|warning|low|
 
 ## Query suites

cpp/src/docs/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.md

@@ -0,0 +1,87 @@
+# Potentially unguarded protocol handler invocation
+
+This query detects calls to URL protocol handlers with untrusted input that may not be properly validated for dangerous protocols. This vulnerability is related to CWE-939 (Improper Authorization in Handler for Custom URL Scheme) and aligns with CVE-2022-43550.
+
+When applications invoke protocol handlers (like `rundll32 url.dll,FileProtocolHandler` on Windows, `xdg-open` on Linux, `open` on macOS, or Qt's `QDesktopServices::openUrl()`), untrusted URLs can potentially trigger dangerous protocols such as `file://`, `smb://`, or other custom handlers that may lead to unauthorized file access, command execution, or other security issues.
+
+## Detected patterns
+
+The query identifies several common protocol handler invocation patterns:
+
+- **Windows**: `rundll32 url.dll,FileProtocolHandler` via system calls
+- **Linux**: `xdg-open` via system calls
+- **macOS**: `open` command via system calls
+- **Qt applications**: `QDesktopServices::openUrl()`
+
+## Recommendation
+
+Always validate URL schemes before passing them to protocol handlers. Only allow safe protocols like `http://` and `https://`. Reject or sanitize URLs containing potentially dangerous protocols.
+
+## Example
+
+The following vulnerable code passes untrusted input directly to a protocol handler:
+
+```cpp
+#include <QDesktopServices>
+#include <QUrl>
+
+void openUserUrl(const QString& userInput) {
+    // VULNERABLE: No validation of the URL scheme
+    QDesktopServices::openUrl(QUrl(userInput));
+}
+```
+
+An attacker could provide a URL like `file:///etc/passwd` or `smb://attacker-server/share` to access unauthorized resources.
+
+The corrected version validates the URL scheme before opening:
+
+```cpp
+#include <QDesktopServices>
+#include <QUrl>
+
+void openUserUrl(const QString& userInput) {
+    QUrl url(userInput);
+    QString scheme = url.scheme().toLower();
+
+    // Only allow safe protocols
+    if (scheme == "http" || scheme == "https") {
+        QDesktopServices::openUrl(url);
+    } else {
+        // Log error or show warning to user
+        qWarning() << "Rejected unsafe URL scheme:" << scheme;
+    }
+}
+```
+
+For system command invocations:
+
+```cpp
+void openUserUrlViaShell(const char* userInput) {
+    // VULNERABLE: Untrusted input passed to xdg-open
+    char cmd[512];
+    snprintf(cmd, sizeof(cmd), "xdg-open '%s'", userInput);
+    system(cmd);
+}
+```
+
+Should be corrected to validate the scheme:
+
+```cpp
+bool isValidScheme(const char* url) {
+    return (strncasecmp(url, "http://", 7) == 0 ||
+            strncasecmp(url, "https://", 8) == 0);
+}
+
+void openUserUrlViaShell(const char* userInput) {
+    if (isValidScheme(userInput)) {
+        char cmd[512];
+        snprintf(cmd, sizeof(cmd), "xdg-open '%s'", userInput);
+        system(cmd);
+    }
+}
+```
+
+## References
+
+- [CWE-939: Improper Authorization in Handler for Custom URL Scheme](https://cwe.mitre.org/data/definitions/939.html)
+- [CVE-2022-43550: USB Creator has insufficiently protected credentials](https://ubuntu.com/security/CVE-2022-43550)

java/src/docs/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.md

@@ -0,0 +1,99 @@
+# Potentially unguarded protocol handler invocation
+
+This query detects calls to URL protocol handlers with untrusted input that may not be properly validated for dangerous protocols. This vulnerability is related to CWE-939 (Improper Authorization in Handler for Custom URL Scheme) and aligns with CVE-2022-43550.
+
+When Java applications invoke protocol handlers (like `Desktop.browse()`, `Runtime.exec()` with `xdg-open`/`open`, or `rundll32 url.dll,FileProtocolHandler` on Windows), untrusted URLs can potentially trigger dangerous protocols such as `file://`, `smb://`, or other custom handlers that may lead to unauthorized file access, command execution, or other security issues.
+
+## Detected patterns
+
+The query identifies several common protocol handler invocation patterns:
+
+- **Java AWT**: `Desktop.browse(URI)` - the platform-agnostic standard
+- **Windows**: `Runtime.exec()` with `rundll32 url.dll,FileProtocolHandler`
+- **Linux**: `Runtime.exec()` with `xdg-open`
+- **macOS**: `Runtime.exec()` with `open` command
+
+## Recommendation
+
+Always validate URL schemes before passing them to protocol handlers. Only allow safe protocols like `http://` and `https://`. Reject or sanitize URLs containing potentially dangerous protocols.
+
+## Example
+
+The following vulnerable code passes untrusted input directly to a protocol handler:
+
+```java
+import java.awt.Desktop;
+import java.net.URI;
+
+public class UrlOpener {
+    public void openUserUrl(String userInput) throws Exception {
+        // VULNERABLE: No validation of the URL scheme
+        Desktop.getDesktop().browse(new URI(userInput));
+    }
+}
+```
+
+An attacker could provide a URL like `file:///etc/passwd` or `smb://attacker-server/share` to access unauthorized resources.
+
+The corrected version validates the URL scheme before opening:
+
+```java
+import java.awt.Desktop;
+import java.net.URI;
+
+public class UrlOpener {
+    public void openUserUrl(String userInput) throws Exception {
+        URI uri = new URI(userInput);
+        String scheme = uri.getScheme();
+
+        // Only allow safe protocols
+        if ("http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme)) {
+            Desktop.getDesktop().browse(uri);
+        } else {
+            throw new SecurityException("Rejected unsafe URL scheme: " + scheme);
+        }
+    }
+}
+```
+
+For system command invocations:
+
+```java
+public class UrlOpener {
+    public void openUserUrlViaShell(String userInput) throws Exception {
+        // VULNERABLE: Untrusted input passed to xdg-open
+        Runtime.getRuntime().exec(new String[]{"xdg-open", userInput});
+    }
+}
+```
+
+Should be corrected to validate the scheme:
+
+```java
+import java.net.URI;
+
+public class UrlOpener {
+    private boolean isValidScheme(String url) {
+        try {
+            URI uri = new URI(url);
+            String scheme = uri.getScheme();
+            return "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
+        } catch (Exception e) {
+            return false;
+        }
+    }
+
+    public void openUserUrlViaShell(String userInput) throws Exception {
+        if (isValidScheme(userInput)) {
+            Runtime.getRuntime().exec(new String[]{"xdg-open", userInput});
+        } else {
+            throw new SecurityException("Invalid or unsafe URL scheme");
+        }
+    }
+}
+```
+
+## References
+
+- [CWE-939: Improper Authorization in Handler for Custom URL Scheme](https://cwe.mitre.org/data/definitions/939.html)
+- [CVE-2022-43550: USB Creator has insufficiently protected credentials](https://ubuntu.com/security/CVE-2022-43550)

java/test/query-tests/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.qlref

@@ -1 +1 @@
-security/PotentiallyUnguardedProtocolhandler/PotentiallyUnguardedProtocolhandler.ql
+security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.ql