Fix up tests, and enhance query with better isBarrier

ex0dus-0x · ex0dus-0x · commit e0d42d1e1918 · 2026-04-06T14:00:12.000-04:00
diff --git a/cpp/src/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.ql b/cpp/src/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.ql
@@ -15,110 +15,92 @@ import cpp
 private import semmle.code.cpp.ir.dataflow.TaintTracking
 private import semmle.code.cpp.security.FlowSources
 private import semmle.code.cpp.security.CommandExecution
+private import semmle.code.cpp.controlflow.IRGuards
 
 /**
- * Generic case: invoke protocol handling through OS's protocol handling utilities. This aligns with CVE-2022-43550.
+ * Holds when `call` invokes a system function (system, popen, exec*) with a command string
+ * that contains a URL protocol handler, `sink` is the argument carrying the URL, and
+ * `handlerType` describes which handler is invoked.
  */
-class ShellProtocolHandler extends SystemFunction {
-  ShellProtocolHandler() {
-    // Check if any calls to this function contain protocol handler invocations
-    exists(FunctionCall call |
-      call.getTarget() = this and
-      exists(Expr arg |
-        arg = call.getArgument(0).getAChild*() and
-        exists(StringLiteral sl | sl = arg or sl.getParent*() = arg |
-          sl.getValue()
-              .regexpMatch("(?i).*(rundll32.*url\\.dll.*FileProtocolHandler|xdg-open|\\bopen\\b).*")
-        )
-      )
+predicate isShellProtocolHandlerSink(FunctionCall call, Expr sink, string handlerType) {
+  call.getTarget() instanceof SystemFunction and
+  exists(StringLiteral sl |
+    sl.getParent*() = call.getArgument(0) and
+    (
+      sl.getValue().regexpMatch("(?i).*rundll32.*url\\.dll.*FileProtocolHandler.*") and
+      handlerType = "rundll32 url.dll,FileProtocolHandler"
+      or
+      sl.getValue().regexpMatch("(?i).*xdg-open.*") and
+      handlerType = "xdg-open"
+      or
+      sl.getValue().regexpMatch("(?i).*\\bopen\\b.*") and
+      handlerType = "open"
     )
-  }
-
-  string getHandlerType() {
-    exists(FunctionCall call, StringLiteral sl |
-      call.getTarget() = this and
-      sl.getParent*() = call.getArgument(0) and
-      (
-        sl.getValue().regexpMatch("(?i).*rundll32.*url\\.dll.*FileProtocolHandler.*") and
-        result = "rundll32 url.dll,FileProtocolHandler"
-        or
-        sl.getValue().regexpMatch("(?i).*xdg-open.*") and
-        result = "xdg-open"
-        or
-        sl.getValue().regexpMatch("(?i).*\\bopen\\b.*") and
-        result = "open"
-      )
-    )
-  }
+  ) and
+  sink = call.getArgument(0)
 }
 
 /**
- * Qt's QDesktopServices::openUrl method
+ * Holds when `call` invokes QDesktopServices::openUrl and `sink` is the URL argument.
  */
-class QtProtocolHandler extends FunctionCall {
-  QtProtocolHandler() { this.getTarget().hasQualifiedName("QDesktopServices", "openUrl") }
+predicate isQtProtocolHandlerSink(FunctionCall call, Expr sink) {
+  call.getTarget().hasQualifiedName("", "QDesktopServices", "openUrl") and
+  sink = call.getArgument(0)
+}
 
-  Expr getUrlArgument() { result = this.getArgument(0) }
+/**
+ * Gets the sink expression for a given DataFlow::Node matching either Qt or shell handler sinks.
+ */
+Expr getSinkExpr(DataFlow::Node sink) {
+  result = sink.asExpr() or
+  result = sink.asIndirectExpr()
 }
 
 /**
- * A sanitizer node that represents URL scheme validation
+ * Holds when `g` is a guard condition that validates the URL scheme of expression `e`.
+ * Flow is considered safe on the `branch` edge.
  */
-class UrlSchemeValidationSanitizer extends DataFlow::Node {
-  UrlSchemeValidationSanitizer() {
-    exists(FunctionCall fc |
-      fc = this.asExpr() and
-      (
-        // String comparison on the untrusted URL
-        fc.getTarget().getName() =
-          [
-            "strcmp", "strncmp", "strcasecmp", "strncasecmp", "strstr", "strcasestr", "_stricmp",
-            "_strnicmp"
-          ]
-        or
-        // Qt QUrl::scheme() comparison - QUrl::scheme() returns QString
-        // Pattern: url.scheme() == "http" or url.scheme() == "https"
-        exists(FunctionCall schemeCall |
-          schemeCall.getTarget().hasQualifiedName("QUrl", "scheme") and
-          (
-            // Direct comparison
-            fc.getTarget().hasName(["operator==", "operator!="]) and
-            fc.getAnArgument() = schemeCall
-            or
-            // QString comparison methods
-            fc = schemeCall and
-            exists(FunctionCall qstringCmp |
-              qstringCmp.getQualifier() = schemeCall and
-              qstringCmp.getTarget().hasQualifiedName("QString", ["compare", "operator=="])
-            )
-          )
-        )
-        or
-        // Qt QString startsWith check for direct URL strings
-        fc.getTarget().hasQualifiedName("QString", "startsWith")
-      )
+predicate urlSchemeGuardChecks(IRGuardCondition g, Expr e, boolean branch) {
+  branch = [true, false] and
+  exists(FunctionCall fc | g.getUnconvertedResultExpression().getAChild*() = fc |
+    // C string comparison on the URL (strcmp, strncmp, etc.)
+    fc.getTarget().getName() =
+      [
+        "strcmp", "strncmp", "strcasecmp", "strncasecmp", "strstr", "strcasestr", "_stricmp",
+        "_strnicmp"
+      ] and
+    e = fc.getAnArgument()
+    or
+    // Qt QString::startsWith check
+    fc.getTarget().hasQualifiedName("", "QString", "startsWith") and
+    e = fc.getQualifier()
+    or
+    // Qt QUrl::scheme() comparison
+    exists(FunctionCall schemeCall |
+      schemeCall.getTarget().hasQualifiedName("", "QUrl", "scheme") and
+      fc.getAnArgument() = schemeCall and
+      e = schemeCall.getQualifier()
     )
-  }
+  )
 }
 
 /**
- * Configuration for tracking untrusted data to protocol handler invocations
+ * Configuration for tracking untrusted data to protocol handler invocations.
  */
 module PotentiallyUnguardedProtocolHandlerConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) {
-    // QDesktopServices::openUrl()
-    exists(QtProtocolHandler call | sink.asExpr() = call.getUrlArgument())
+    isQtProtocolHandlerSink(_, getSinkExpr(sink))
     or
-    // Shell protocol handlers (rundll32, xdg-open, open) via system()/popen()/exec*()
-    exists(FunctionCall call |
-      call.getTarget() instanceof ShellProtocolHandler and
-      sink.asExpr() = call.getArgument(0)
-    )
+    isShellProtocolHandlerSink(_, getSinkExpr(sink), _)
   }
 
-  predicate isBarrier(DataFlow::Node node) { node instanceof UrlSchemeValidationSanitizer }
+  predicate isBarrier(DataFlow::Node node) {
+    node = DataFlow::BarrierGuard<urlSchemeGuardChecks/3>::getABarrierNode()
+    or
+    node = DataFlow::BarrierGuard<urlSchemeGuardChecks/3>::getAnIndirectBarrierNode()
+  }
 }
 
 module PotentiallyUnguardedProtocolHandlerFlow =
@@ -132,17 +114,10 @@ from
 where
   PotentiallyUnguardedProtocolHandlerFlow::flowPath(source, sink) and
   (
-    exists(QtProtocolHandler qtCall |
-      call = qtCall and
-      sink.getNode().asExpr() = qtCall.getUrlArgument() and
-      callType = "QDesktopServices::openUrl()"
-    )
+    isQtProtocolHandlerSink(call, getSinkExpr(sink.getNode())) and
+    callType = "QDesktopServices::openUrl()"
     or
-    exists(ShellProtocolHandler shellFunc |
-      call.getTarget() = shellFunc and
-      sink.getNode().asExpr() = call.getArgument(0) and
-      callType = shellFunc.getHandlerType()
-    )
+    isShellProtocolHandlerSink(call, getSinkExpr(sink.getNode()), callType)
   )
 select call, source, sink,
   callType + " is called with untrusted input from $@ without proper URL scheme validation.",
diff --git a/cpp/test/include/libc/stdint.h b/cpp/test/include/libc/stdint.h
@@ -6,6 +6,8 @@
 typedef unsigned char uint8_t;
 typedef unsigned short uint16_t;
 typedef unsigned int uint32_t;
+typedef unsigned long size_t;
+typedef long ssize_t;
 
 #endif
 #else // --- else USE_HEADERS
diff --git a/cpp/test/include/libc/stdlib.h b/cpp/test/include/libc/stdlib.h
@@ -7,6 +7,8 @@
 extern "C" {
 #endif
 
+extern int system(const char *);
+
 extern void *reallocf(void *, unsigned long);
 
 int rand(void) {
diff --git a/cpp/test/include/libc/string_stubs.h b/cpp/test/include/libc/string_stubs.h
@@ -28,6 +28,8 @@ extern int wprintf(const wchar_t * format, ...);
 extern wchar_t* wcscpy(wchar_t * s1, const wchar_t * s2);
 extern void perror(const char *s);
 extern int puts(const char *s);
+extern int strcmp(const char *, const char *);
+extern int strncmp(const char *, const char *, size_t);
 
 extern void openlog(const char*, int, int);
 extern void syslog(int, const char*, ...);
diff --git a/cpp/test/include/libc/unistd.h b/cpp/test/include/libc/unistd.h
@@ -7,6 +7,8 @@
 extern "C" {
 #endif
 
+ssize_t read(int, void *, size_t);
+
 void _exit(int);
 
 #ifdef  __cplusplus
diff --git a/cpp/test/query-tests/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.expected b/cpp/test/query-tests/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.expected
@@ -1,4 +1,12 @@
 edges
+| PotentiallyUnguardedProtocolHandler.cpp:27:11:27:13 | read output argument | PotentiallyUnguardedProtocolHandler.cpp:28:29:28:31 | *buf | provenance |  |
+| PotentiallyUnguardedProtocolHandler.cpp:39:11:39:13 | read output argument | PotentiallyUnguardedProtocolHandler.cpp:42:31:42:33 | *buf | provenance |  |
 nodes
+| PotentiallyUnguardedProtocolHandler.cpp:27:11:27:13 | read output argument | semmle.label | read output argument |
+| PotentiallyUnguardedProtocolHandler.cpp:28:29:28:31 | *buf | semmle.label | *buf |
+| PotentiallyUnguardedProtocolHandler.cpp:39:11:39:13 | read output argument | semmle.label | read output argument |
+| PotentiallyUnguardedProtocolHandler.cpp:42:31:42:33 | *buf | semmle.label | *buf |
 subpaths
 #select
+| PotentiallyUnguardedProtocolHandler.cpp:28:3:28:27 | call to openUrl | PotentiallyUnguardedProtocolHandler.cpp:27:11:27:13 | read output argument | PotentiallyUnguardedProtocolHandler.cpp:28:29:28:31 | *buf | QDesktopServices::openUrl() is called with untrusted input from $@ without proper URL scheme validation. | PotentiallyUnguardedProtocolHandler.cpp:27:11:27:13 | read output argument | this source |
+| PotentiallyUnguardedProtocolHandler.cpp:42:5:42:29 | call to openUrl | PotentiallyUnguardedProtocolHandler.cpp:39:11:39:13 | read output argument | PotentiallyUnguardedProtocolHandler.cpp:42:31:42:33 | *buf | QDesktopServices::openUrl() is called with untrusted input from $@ without proper URL scheme validation. | PotentiallyUnguardedProtocolHandler.cpp:39:11:39:13 | read output argument | this source |
diff --git a/cpp/test/query-tests/security/PotentiallyUnguardedProtocolHandler/test.cpp b/cpp/test/query-tests/security/PotentiallyUnguardedProtocolHandler/test.cpp
diff --git a/java/src/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.qhelp b/java/src/security/PotentiallyUnguardedProtocolHandler/PotentiallyUnguardedProtocolHandler.qhelp
@@ -14,6 +14,15 @@
             they come from untrusted sources.
         </p>
     </recommendation>
+    <example>
+        <sample src="PotentiallyUnguardedProtocolHandler.java" />
+        <p>
+            In the bad example, an untrusted URL is passed directly to <code>Desktop.browse()</code>
+            without any scheme validation.
+            In the good example, the URL scheme is checked with <code>getScheme()</code> before
+            invoking the handler.
+        </p>
+    </example>
     <references>
         <li> Positive Security: <a
                 href="https://positive.security/blog/url-open-rce">Allow
