Ruby: stop rb/sensitive-get-query from considering ID type data as sensitive

2025-12-23 04:06:37 +01:00 · 2022-09-16 15:36:57 +01:00
parent 79ad7d293f
commit 08c8db8937
3 changed files with 4 additions and 4 deletions
--- a/ruby/ql/src/queries/security/cwe-598/SensitiveGetQuery.ql
+++ b/ruby/ql/src/queries/security/cwe-598/SensitiveGetQuery.ql
@@ -38,6 +38,7 @@ from
 where
  handler.getAnHttpMethod() = "get" and
  input.asExpr().getExpr().getEnclosingMethod() = handler and
-  localFlowWithElementReference(input, sensitive)
+  localFlowWithElementReference(input, sensitive) and
+  not sensitive.getClassification() = SensitiveDataClassification::id()
 select input, "$@ for GET requests uses query parameter as sensitive data.", handler,
  "Route handler"