add qhelp file

ruby/ql/src/experimental/weak-params/WeakParams.qhelp

@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>
+      Directly checking request parameters without following a strong params
+      pattern can lead to unintentional avenues for injection attacks.
+    </p>
+  </overview>
+  <recommendation>
+    <p>
+      Instead of manually checking parameters from the `param` object, it is
+      recommended that you follow the strong parameters pattern established in
+      Rails: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html
+    </p>
+    <p>
+      In the strong parameters pattern, you are able to specify required and allowed
+      parameters for each action called by your controller methods. This acts as an
+      additional layer of data validation before being passed along to other areas
+      of your application, such as the model.
+    </p>
+  </recommendation>
+  
+  <references>
+  
+  </references>
+</qhelp>

ruby/ql/src/experimental/weak-params/WeakParams.ql

@@ -4,9 +4,10 @@
  * @kind path-problem
  * @problem.severity error
  * @security-severity 5.0
- * @precision low
+ * @precision medium
  * @id rb/weak-params
  * @tags security
+ *       external/cwe/cwe-223
  */
 
 import ruby
@@ -64,12 +65,13 @@ class ParamsReference extends ElementReference {
 }
 
 /**
- * returns either Model or ViewModel classes with a base class of `ViewModel` or includes `ActionModel::Model`,
+ * returns either Model or ViewModel classes with a base class of `ViewModel`, `ApplicationRecord` or includes `ActionModel::Model`,
  * which are required to support the strong parameters pattern
  */
 class ModelClass extends ModuleBase {
   ModelClass() {
     this.getModule().getSuperClass+().toString() = "ViewModel" or
+    this.getModule().getSuperClass+().toString() = "ApplicationRecord" or
     this.getModule().getSuperClass+().getAnIncludedModule().toString() = "ActionModel::Model"
   }
 }