Adds queries for rsyslog's blogpost

Author: agustingianni

CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/01_find_data_input.ql

@@ -0,0 +1,15 @@
+import cpp
+
+class ReadFunctionCall extends FunctionCall {
+  ReadFunctionCall() {
+    this.getTarget().getName() = "pread" or
+    this.getTarget().getName() = "read" or
+    this.getTarget().getName() = "readv" or
+    this.getTarget().getName() = "recvfrom" or
+    this.getTarget().getName() = "recvmsg" or
+    this.getTarget().getName() = "recv"
+  }
+}
+
+from ReadFunctionCall call
+select call.getFile(), call.getEnclosingFunction(), call

CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/02_find_data_pointer_usage.ql

@@ -0,0 +1,16 @@
+import cpp
+
+class RawMessageFieldAccess extends FieldAccess {
+    RawMessageFieldAccess() {
+        this.getTarget().getName() = "pszRawMsg"
+    }
+}
+
+class RawMsgAccessFunction extends Function {
+    RawMsgAccessFunction() {
+        any(RawMessageFieldAccess access).getEnclosingFunction() = this
+    }
+}
+
+from RawMsgAccessFunction access
+select access.getFile(), access

CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/03_find_data_pointer_usage_extended.ql

@@ -0,0 +1,24 @@
+import cpp
+
+class RawMessageFieldAccess extends FieldAccess {
+    RawMessageFieldAccess() {
+        this.getTarget().getName() = "pszRawMsg"
+    }
+}
+
+class RawMsgAccessFunction extends Function {
+    RawMsgAccessFunction() {
+        any(RawMessageFieldAccess access).getEnclosingFunction() = this
+        or
+        exists(
+            FunctionCall call |
+            call.getEnclosingFunction() = this and (
+                call.getTarget().getName() = "getMSG" or
+                call.getTarget().getName() = "getRawMsg"
+            )
+        )
+    }
+}
+
+from RawMsgAccessFunction access
+select access.getFile(), access

CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/04_find_parsers.ql

@@ -0,0 +1,11 @@
+import cpp
+
+class ParseFunction extends Function {
+    ParseFunction() {
+        this.getName() = "parse" or
+        this.getName() = "parse2"
+    }
+}
+
+from ParseFunction parse
+select parse.getFile(), parse

CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/05_find_tainted_iterations.ql

@@ -0,0 +1,16 @@
+import cpp
+import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.dataflow.TaintTracking
+
+class RawMessageFieldAccess extends FieldAccess {
+  RawMessageFieldAccess() {
+    this.getTarget().getName() = "pszRawMsg"
+  }
+}
+
+from DataFlow::Node source, DataFlow::Node sink, RawMessageFieldAccess access, WhileStmt loop
+where
+  TaintTracking::localTaint(source, sink) and
+  source.asExpr() = access and
+  sink.asExpr() = loop.getCondition().getAChild*()
+select "Loop iterates data from:", source, sink

CodeQL_Queries/cpp/rsyslog_CVE-2019-17041/README.md

@@ -0,0 +1,9 @@
+# Bug Hunting with CodeQL, an rsyslog Case Study
+
+This repo contains the CodeQL queries used in the [Bug Hunting with CodeQL, an rsyslog Case Study](https://securitylab.github.com/research/bug-hunting-codeql-rsyslog) blog post.
+
+- [Discovering program input](01_find_data_input.ql)
+- [Data flow exploration](02_find_data_pointer_usage.ql)
+- [Data flow exploration (extended)](03_find_data_pointer_usage_extended.ql)
+- [Finding data parsers](04_find_parsers.ql)
+- [Finding tainted loops](05_find_tainted_iterations.ql)