add legacy protocol handler support

ex0dus-0x · ex0dus-0x · commit 9959a3cd4240 · 2025-12-17T13:34:36.000-05:00
diff --git a/java/src/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.ql b/java/src/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.ql
@@ -15,10 +15,11 @@ import java
 import semmle.code.java.dataflow.TaintTracking
 import semmle.code.java.dataflow.FlowSources
 import semmle.code.java.controlflow.Guards
+import semmle.code.java.security.ExternalProcess
 
 /**
- * A call to Desktop.browse() method for handling
- * TODO(alan): also support legacy/generic cases like invoking "rundll32 url.dll,FileProtocolHandler"
+ * A call to Desktop.browse() method. This is the platform-agnostic standard now.
+ * NOTE(alan): the URLRedirect query will likely also trigger due to a little imprecision there
  */
 class DesktopBrowseCall extends MethodCall {
   DesktopBrowseCall() {
@@ -27,8 +28,44 @@ class DesktopBrowseCall extends MethodCall {
   }
 
   Expr getUrlArgument() { result = this.getArgument(0) }
+}
+
+/**
+ * Legacy Windows-specific command execution for protocol handling, based on https://imagej.net/ij/source/ij/plugin/BrowserLauncher.java and
+ * seen in CVE-2022-43550. We match on the Windows shell command, since it more distinct and pervasive.
+ */
+class LegacyWindowsProtocolHandlerCall extends ArgumentToExec {
+  LegacyWindowsProtocolHandlerCall() {
+    // Single string: "rundll32 url.dll,FileProtocolHandler " + url
+    this instanceof StringArgumentToExec and
+    exists(StringLiteral sl |
+      sl.getParent*() = this and
+      sl.getValue().regexpMatch("(?i).*rundll32.*url\\.dll.*FileProtocolHandler.*")
+    )
+    or
+    // Array: {"rundll32", "url.dll,FileProtocolHandler", url}
+    this.getType().(Array).getElementType() instanceof TypeString and
+    exists(ArrayInit init, StringLiteral rundll, StringLiteral urldll |
+      init = this.(ArrayCreationExpr).getInit() and
+      rundll = init.getAnInit() and
+      urldll = init.getAnInit() and
+      rundll.getValue().regexpMatch("(?i)rundll32(\\.exe)?") and
+      urldll.getValue().regexpMatch("(?i)url\\.dll.*FileProtocolHandler")
+    )
+  }
 
-  string getDescription() { result = "Desktop.browse()" }
+  Expr getUrlArgument() {
+    // For single string exec, the URL is tainted into the concatenated string
+    result = this and this instanceof StringArgumentToExec
+    or
+    // For arrays, find elements after "url.dll,FileProtocolHandler"
+    exists(ArrayInit init, int urlIdx, int dllIdx |
+      init = this.(ArrayCreationExpr).getInit() and
+      result = init.getInit(urlIdx) and
+      init.getInit(dllIdx).(StringLiteral).getValue().regexpMatch("(?i)url\\.dll.*FileProtocolHandler") and
+      urlIdx > dllIdx
+    )
+  }
 }
 
 /**
@@ -66,10 +103,11 @@ module PotentiallyUnguardedProtocolHandlerConfig implements DataFlow::ConfigSig
 
   predicate isSink(DataFlow::Node sink) {
     exists(DesktopBrowseCall call | sink.asExpr() = call.getUrlArgument())
+    or
+    exists(LegacyWindowsProtocolHandlerCall call | sink.asExpr() = call.getUrlArgument())
   }
 
   predicate isBarrier(DataFlow::Node node) {
-    // Consider sanitized if there's a guard checking the scheme
     node = DataFlow::BarrierGuard<isUrlSchemeCheck/3>::getABarrierNode()
   }
 }
@@ -81,11 +119,22 @@ import PotentiallyUnguardedProtocolHandlerFlow::PathGraph
 
 from
   PotentiallyUnguardedProtocolHandlerFlow::PathNode source,
-  PotentiallyUnguardedProtocolHandlerFlow::PathNode sink, DesktopBrowseCall call
+  PotentiallyUnguardedProtocolHandlerFlow::PathNode sink, Expr call, string callType
 where
   PotentiallyUnguardedProtocolHandlerFlow::flowPath(source, sink) and
-  sink.getNode().asExpr() = call.getUrlArgument()
+  (
+    exists(DesktopBrowseCall dbc |
+      call = dbc and
+      sink.getNode().asExpr() = dbc.getUrlArgument() and
+      callType = "Desktop.browse()"
+    )
+    or
+    exists(LegacyWindowsProtocolHandlerCall whc |
+      call = whc and
+      sink.getNode().asExpr() = whc.getUrlArgument() and
+      callType = "rundll32 url.dll,FileProtocolHandler"
+    )
+  )
 select call, source, sink,
-  call.getDescription() +
-    " is called with untrusted input from $@ without proper URL scheme validation.",
+  callType + " is called with untrusted input from $@ without proper URL scheme validation.",
   source.getNode(), "this source"
diff --git a/java/test/query-tests/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.expected b/java/test/query-tests/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.expected
@@ -7,6 +7,8 @@ edges
 | PotentiallyUnguardedProtocolHandler.java:34:22:34:48 | getParameter(...) : String | PotentiallyUnguardedProtocolHandler.java:35:27:35:29 | url : String | provenance | Src:MaD:46190  |
 | PotentiallyUnguardedProtocolHandler.java:35:19:35:30 | new URI(...) : URI | PotentiallyUnguardedProtocolHandler.java:39:41:39:43 | uri | provenance | Sink:MaD:43969 |
 | PotentiallyUnguardedProtocolHandler.java:35:27:35:29 | url : String | PotentiallyUnguardedProtocolHandler.java:35:19:35:30 | new URI(...) : URI | provenance | MaD:44428 |
+| PotentiallyUnguardedProtocolHandler.java:59:22:59:48 | getParameter(...) : String | PotentiallyUnguardedProtocolHandler.java:61:35:61:79 | ... + ... | provenance | Src:MaD:46190 Sink:MaD:44131 |
+| PotentiallyUnguardedProtocolHandler.java:78:22:78:48 | getParameter(...) : String | PotentiallyUnguardedProtocolHandler.java:83:39:83:83 | ... + ... | provenance | Src:MaD:46190 Sink:MaD:44131 |
 nodes
 | PotentiallyUnguardedProtocolHandler.java:10:22:10:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
 | PotentiallyUnguardedProtocolHandler.java:11:37:11:48 | new URI(...) | semmle.label | new URI(...) |
@@ -19,8 +21,14 @@ nodes
 | PotentiallyUnguardedProtocolHandler.java:35:19:35:30 | new URI(...) : URI | semmle.label | new URI(...) : URI |
 | PotentiallyUnguardedProtocolHandler.java:35:27:35:29 | url : String | semmle.label | url : String |
 | PotentiallyUnguardedProtocolHandler.java:39:41:39:43 | uri | semmle.label | uri |
+| PotentiallyUnguardedProtocolHandler.java:59:22:59:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| PotentiallyUnguardedProtocolHandler.java:61:35:61:79 | ... + ... | semmle.label | ... + ... |
+| PotentiallyUnguardedProtocolHandler.java:78:22:78:48 | getParameter(...) : String | semmle.label | getParameter(...) : String |
+| PotentiallyUnguardedProtocolHandler.java:83:39:83:83 | ... + ... | semmle.label | ... + ... |
 subpaths
 #select
 | PotentiallyUnguardedProtocolHandler.java:11:9:11:49 | browse(...) | PotentiallyUnguardedProtocolHandler.java:10:22:10:48 | getParameter(...) : String | PotentiallyUnguardedProtocolHandler.java:11:37:11:48 | new URI(...) | Desktop.browse() is called with untrusted input from $@ without proper URL scheme validation. | PotentiallyUnguardedProtocolHandler.java:10:22:10:48 | getParameter(...) | this source |
 | PotentiallyUnguardedProtocolHandler.java:23:13:23:44 | browse(...) | PotentiallyUnguardedProtocolHandler.java:20:22:20:48 | getParameter(...) : String | PotentiallyUnguardedProtocolHandler.java:23:41:23:43 | uri | Desktop.browse() is called with untrusted input from $@ without proper URL scheme validation. | PotentiallyUnguardedProtocolHandler.java:20:22:20:48 | getParameter(...) | this source |
 | PotentiallyUnguardedProtocolHandler.java:39:13:39:44 | browse(...) | PotentiallyUnguardedProtocolHandler.java:34:22:34:48 | getParameter(...) : String | PotentiallyUnguardedProtocolHandler.java:39:41:39:43 | uri | Desktop.browse() is called with untrusted input from $@ without proper URL scheme validation. | PotentiallyUnguardedProtocolHandler.java:34:22:34:48 | getParameter(...) | this source |
+| PotentiallyUnguardedProtocolHandler.java:61:35:61:79 | ... + ... | PotentiallyUnguardedProtocolHandler.java:59:22:59:48 | getParameter(...) : String | PotentiallyUnguardedProtocolHandler.java:61:35:61:79 | ... + ... | rundll32 url.dll,FileProtocolHandler is called with untrusted input from $@ without proper URL scheme validation. | PotentiallyUnguardedProtocolHandler.java:59:22:59:48 | getParameter(...) | this source |
+| PotentiallyUnguardedProtocolHandler.java:83:39:83:83 | ... + ... | PotentiallyUnguardedProtocolHandler.java:78:22:78:48 | getParameter(...) : String | PotentiallyUnguardedProtocolHandler.java:83:39:83:83 | ... + ... | rundll32 url.dll,FileProtocolHandler is called with untrusted input from $@ without proper URL scheme validation. | PotentiallyUnguardedProtocolHandler.java:78:22:78:48 | getParameter(...) | this source |
diff --git a/java/test/query-tests/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.java b/java/test/query-tests/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.java
@@ -50,7 +50,45 @@ public void safe3(String userInput) throws IOException, URISyntaxException {
     }
 
     public void safe4() throws IOException, URISyntaxException {
-        // hardcoded, no untrusted input
         Desktop.getDesktop().browse(new URI("https://example.com"));
     }
+
+    // rundll32 test cases
+    public void bad4_rundll32(HttpServletRequest request) throws IOException {
+        String url = request.getParameter("url");
+        // Single string command with concatenation
+        Runtime.getRuntime().exec("rundll32 url.dll,FileProtocolHandler " + url);
+    }
+
+    public void bad5_rundll32(String userInput) throws IOException {
+        // Array-based command
+        String[] cmd = { "rundll32", "url.dll,FileProtocolHandler", userInput };
+        Runtime.getRuntime().exec(cmd);
+    }
+
+    public void bad6_rundll32(HttpServletRequest request) throws IOException {
+        String url = request.getParameter("url");
+        // ProcessBuilder with list
+        ProcessBuilder pb = new ProcessBuilder("rundll32", "url.dll,FileProtocolHandler", url);
+        pb.start();
+    }
+
+    public void safe5_rundll32(HttpServletRequest request) throws IOException, URISyntaxException {
+        String url = request.getParameter("url");
+        URI uri = new URI(url);
+        if (uri.getScheme().equals("https") || uri.getScheme().equals("http")) {
+            Runtime.getRuntime().exec("rundll32 url.dll,FileProtocolHandler " + url);
+        }
+    }
+
+    public void safe6_rundll32(String userInput) throws IOException {
+        if (userInput.startsWith("https://") || userInput.startsWith("http://")) {
+            String[] cmd = { "rundll32", "url.dll,FileProtocolHandler", userInput };
+            Runtime.getRuntime().exec(cmd);
+        }
+    }
+
+    public void safe7_rundll32() throws IOException {
+        Runtime.getRuntime().exec("rundll32 url.dll,FileProtocolHandler https://example.com");
+    }
 }
