Update metadata of Ruby SSRF query

Author: hmac

ruby/ql/src/queries/security/cwe-918/ServerSideRequestForgery.ql

@@ -1,12 +1,11 @@
 /**
- * @name Server Side Request Forgery
- * @description Making a request to a URL that is controlled by user input
- *              can allow an attacker to forge requests to internal services.
+ * @name Uncontrolled data used in network request
+ * @description Making a network request with user-controlled data allows for request forgery attacks.
  * @kind path-problem
  * @problem.severity error
- * @security-severity TODO
+ * @security-severity 9.1
  * @precision medium
- * @id rb/server-side-request-forgery
+ * @id rb/request-forgery
  * @tags security
  *       external/cwe/cwe-918
  */
@@ -20,5 +19,5 @@ import codeql.ruby.security.ServerSideRequestForgeryQuery
 
 from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Untrusted HTTP request due to $@.", source.getNode(),
+select sink.getNode(), source, sink, "The URL of this request depends on $@.", source.getNode(),
   "a user-provided value"

ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.expected

@@ -5,4 +5,4 @@ nodes
 | ServerSideRequestForgery.rb:10:31:10:62 | "#{...}/logins" | semmle.label | "#{...}/logins" |
 subpaths
 #select
-| ServerSideRequestForgery.rb:10:31:10:62 | "#{...}/logins" | ServerSideRequestForgery.rb:9:32:9:37 | call to params :  | ServerSideRequestForgery.rb:10:31:10:62 | "#{...}/logins" | Untrusted HTTP request due to $@. | ServerSideRequestForgery.rb:9:32:9:37 | call to params | a user-provided value |
+| ServerSideRequestForgery.rb:10:31:10:62 | "#{...}/logins" | ServerSideRequestForgery.rb:9:32:9:37 | call to params :  | ServerSideRequestForgery.rb:10:31:10:62 | "#{...}/logins" | The URL of this request depends on $@. | ServerSideRequestForgery.rb:9:32:9:37 | call to params | a user-provided value |