Ruby: reduce duplicate alerts for csrf query

Only generate an alert on the top-most vulnerable Rails controller in
the controller tree.

Author: hmac

ruby/ql/src/queries/security/cwe-352/CSRFProtectionNotEnabled.ql

@@ -18,7 +18,7 @@ import codeql.ruby.frameworks.Gemfile
 
 /**
  * Holds if a call to `protect_from_forgery` is made in the controller class `definedIn`,
- * which is inherited by the controller class `child`.
+ * which is inherited by the controller class `child`. These classes may be the same.
  */
 private predicate protectFromForgeryCall(
   ActionControllerClass definedIn, ActionControllerClass child,
@@ -45,5 +45,7 @@ where
     railsPreVersion3()
     or
     not any(MethodCall m).getMethodName() = ["csrf_meta_tags", "csrf_meta_tag"]
-  )
+  ) and
+  // Only generate alerts for the topmost controller in the tree.
+  not exists(ActionControllerClass parent | c = parent.getAnImmediateDescendent())
 select c, "Potential CSRF vulnerability due to forgery protection not being enabled."

ruby/ql/test/query-tests/security/cwe-352/CSRFProtectionNotEnabled.expected

@@ -1,2 +1 @@
 | railsapp/app/controllers/alternative_root_controller.rb:1:1:3:3 | AlternativeRootController | Potential CSRF vulnerability due to forgery protection not being enabled. |
-| railsapp/app/controllers/tags_controller.rb:1:1:2:3 | TagsController | Potential CSRF vulnerability due to forgery protection not being enabled. |