Add a query for server-side request forgery

ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.expected

@@ -0,0 +1,8 @@
+edges
+| ServerSideRequestForgery.rb:9:32:9:37 | call to params :  | ServerSideRequestForgery.rb:10:31:10:62 | "#{...}/logins" |
+nodes
+| ServerSideRequestForgery.rb:9:32:9:37 | call to params :  | semmle.label | call to params :  |
+| ServerSideRequestForgery.rb:10:31:10:62 | "#{...}/logins" | semmle.label | "#{...}/logins" |
+subpaths
+#select
+| ServerSideRequestForgery.rb:10:31:10:62 | "#{...}/logins" | ServerSideRequestForgery.rb:9:32:9:37 | call to params :  | ServerSideRequestForgery.rb:10:31:10:62 | "#{...}/logins" | Untrusted HTTP request due to $@. | ServerSideRequestForgery.rb:9:32:9:37 | call to params | a user-provided value |

ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.qlref

@@ -0,0 +1 @@
+queries/security/cwe-918/ServerSideRequestForgery.ql

ruby/ql/test/query-tests/security/cwe-918/ServerSideRequestForgery.rb

@@ -0,0 +1,21 @@
+require "Excon"
+require "json"
+
+class PostsController < ActionController::Base
+    def create
+        user = params[:user_id]
+
+        # BAD - user can control the entire URL of the request
+        users_service_domain = params[:users_service_domain]
+        response = Excon.post("#{users_service_domain}/logins", body: {user_id: user}).body
+        token = JSON.parse(response)["token"]
+
+        # GOOD - user can only control the suffix of the URL
+        users_service_path = params[:users_service_path]
+        response = Excon.post("users-service/#{users_service_path}", body: {user_id: user}).body
+        token = JSON.parse(response)["token"]
+
+        @post = Post.create(params[:post].merge(user_token: token))
+        render @post
+    end
+end