Ruby: stop rb/sensitive-get-query from considering ID type data as sensitive

Author: alexrford

ruby/ql/src/queries/security/cwe-598/SensitiveGetQuery.ql

@@ -38,6 +38,7 @@ from
 where
   handler.getAnHttpMethod() = "get" and
   input.asExpr().getExpr().getEnclosingMethod() = handler and
-  localFlowWithElementReference(input, sensitive)
+  localFlowWithElementReference(input, sensitive) and
+  not sensitive.getClassification() = SensitiveDataClassification::id()
 select input, "$@ for GET requests uses query parameter as sensitive data.", handler,
   "Route handler"

ruby/ql/test/query-tests/security/cwe-598/SensitiveGetQuery.expected

@@ -1,2 +1 @@
 | app/controllers/users_controller.rb:4:16:4:21 | call to params | $@ for GET requests uses query parameter as sensitive data. | app/controllers/users_controller.rb:3:3:6:5 | login_get | Route handler |
-| app/controllers/users_controller.rb:5:23:5:28 | call to params | $@ for GET requests uses query parameter as sensitive data. | app/controllers/users_controller.rb:3:3:6:5 | login_get | Route handler |

ruby/ql/test/query-tests/security/cwe-598/app/controllers/users_controller.rb

@@ -2,12 +2,12 @@ class UsersController < ApplicationController
 
   def login_get
     password = params[:password] # BAD: route handler uses GET query parameters to receive sensitive data
-    authenticate_user(params[:username], password) # BAD: route handler uses GET query parameters to receive sensitive data
+    authenticate_user(params[:username], password)
   end
 
   def login_post
     password = params[:password] # GOOD: handler uses POST form parameters to receive sensitive data
-    authenticate_user(params[:username], password) # GOOD: handler uses POST form parameters to receive sensitive data
+    authenticate_user(params[:username], password)
   end
 
   private