brakeman 3.0.1 → 3.0.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: d05a06e338f3309b5430c67decda380b5bccd1e9
+  data.tar.gz: 79f70db112bdbcfa605b841f8375adeff1480220
+SHA512:
+  metadata.gz: 2b2d46615e3e2c2510db8d14eebea2c9da264eb2580e3307f2b7a176d4718447a637ba30898d009871df313dc775d9f0d0c0a17c8993db08b0cd1d947f8fb490
+  data.tar.gz: f046fd2458e86d5986149e3b6af15b611e992cae6c9cb5b65624a56ea1ead3faddc55b04e989f0060cf6445e1f1cf2b2a912dc00172faf207f3ea4a88bf7f6ab

data/CHANGES

@@ -1,3 +1,19 @@
+# 3.0.2
+
+* Alias process methods called in class scope on models
+* Treat primary_key, table_name_prefix, table_name_suffix as safe in SQL
+* Fix using --compare and --add-checks-path together
+* Avoid warning about mass assignment with string literals
+* Only report original regex DoS locations
+* Improve render path information implementation
+* Report correct file for simple_format usage CVE warning
+* Remove URI.escape from HTML reports with GitHub repos
+* Update ruby_parser to ~> 3.6.2
+* Remove formatting newlines in HAML template output
+* Ignore case value in XSS checks
+* Fix CSV output when there are no warnings
+* Handle processing of explictly shadowed block arguments
+
 # 3.0.1
 
 * Avoid protect_from_forgery warning unless ApplicationController inherits from ActionController::Base

data/lib/brakeman.rb

@@ -399,8 +399,6 @@ module Brakeman
     require 'brakeman/differ'
     raise ArgumentError.new("Comparison file doesn't exist") unless File.exists? options[:previous_results_json]
 
-    add_external_checks options
-
     begin
       previous_results = MultiJson.load(File.read(options[:previous_results_json]), :symbolize_keys => true)[:warnings]
     rescue MultiJson::DecodeError

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -260,6 +260,19 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
     exp
   end
 
+  def process_case exp
+    #Ignore user input in case value
+    #TODO: also ignore when values
+
+    current = 2
+    while current < exp.length
+      process exp[current] if exp[current]
+      current += 1
+    end
+
+    exp
+  end
+
   def setup
     @ignore_methods = Set[:button_to, :check_box, :content_tag, :escapeHTML, :escape_once,
                            :field_field, :fields_for, :h, :hidden_field,

data/lib/brakeman/checks/check_mass_assignment.rb

@@ -82,6 +82,8 @@ class Brakeman::CheckMassAssignment < Brakeman::BaseCheck
           confidence = CONFIDENCE[:low]
           user_input = input.match
         end
+      elsif node_type? call.first_arg, :lit, :str
+        return
       else
         confidence = CONFIDENCE[:low]
         user_input = nil

data/lib/brakeman/checks/check_regex_dos.rb

@@ -26,7 +26,7 @@ class Brakeman::CheckRegexDoS < Brakeman::BaseCheck
 
   #Warns if regex includes user input
   def process_result result
-    return if duplicate? result
+    return if duplicate? result or result[:call].original_line
     add_result result
 
     call = result[:call]

data/lib/brakeman/checks/check_simple_format.rb

@@ -53,7 +53,6 @@ class Brakeman::CheckSimpleFormat < Brakeman::CheckCrossSiteScripting
       :warning_code => :CVE_2013_6416_call,
       :message => "Values passed to simple_format are not safe in Rails #{@tracker.config[:rails_version]}",
       :confidence => CONFIDENCE[:high],
-      :gem_info => gemfile_or_environment,
       :link_path => "https://groups.google.com/d/msg/ruby-security-ann/5ZI1-H5OoIM/ZNq4FoR2GnIJ",
       :user_input => match.match
   end

data/lib/brakeman/checks/check_sql.rb

@@ -549,7 +549,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     :sanitize_sql, :sanitize_sql_array, :sanitize_sql_for_assignment,
     :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
-    :to_sql, :sanitize, :exists]
+    :to_sql, :sanitize, :exists, :primary_key, :table_name_prefix, :table_name_suffix]
 
   def safe_value? exp
     return true unless sexp? exp
@@ -558,7 +558,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     when :str, :lit, :const, :colon2, :nil, :true, :false
       true
     when :call
-      if exp.method == :to_s
+      if exp.method == :to_s or exp.method == :to_sym
         safe_value? exp.target
       else
         IGNORE_METHODS_IN_SQL.include? exp.method or

data/lib/brakeman/parsers/template_parser.rb

@@ -75,7 +75,7 @@ module Brakeman
       Brakeman.load_brakeman_dependency 'sass'
 
       Haml::Engine.new(text,
-                       :escape_html => !!tracker.config[:escape_html]).precompiled
+                       :escape_html => !!tracker.config[:escape_html]).precompiled.gsub(/([^\\])\\n/, '\1')
     end
 
     def parse_slim text

data/lib/brakeman/processors/alias_processor.rb

@@ -179,10 +179,10 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       exp.block_args.each do |e|
         #Force block arg(s) to be local
         if node_type? e, :lasgn
-          env.current[Sexp.new(:lvar, e.lhs)] = e.rhs
+          env.current[Sexp.new(:lvar, e.lhs)] = Sexp.new(:lvar, e.lhs)
         elsif node_type? e, :kwarg
           env.current[Sexp.new(:lvar, e[1])] = e[2]
-        elsif node_type? e, :masgn
+        elsif node_type? e, :masgn, :shadow
           e[1..-1].each do |var|
             local = Sexp.new(:lvar, var)
             env.current[local] = local

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -1,5 +1,6 @@
 require 'brakeman/processors/alias_processor'
 require 'brakeman/processors/lib/render_helper'
+require 'brakeman/processors/lib/render_path'
 require 'brakeman/processors/lib/find_return_value'
 
 #Processes aliasing in controllers, but includes following
@@ -170,7 +171,8 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
 
   #Process template and add the current class and method name as called_from info
   def process_template name, args
-    super name, args, ["#@current_class##@current_method"]
+    render_path = Brakeman::RenderPath.new.add_controller_render(@current_class, @current_method)
+    super name, args, render_path
   end
 
   #Turns a method name into a template name

data/lib/brakeman/processors/lib/render_path.rb

@@ -0,0 +1,100 @@
+module Brakeman
+  class RenderPath
+    attr_reader :path
+
+    def initialize
+      @path = []
+    end
+
+    def add_controller_render controller_name, method_name
+      method_name ||= ""
+
+      @path << { :type => :controller,
+                 :class => controller_name.to_sym,
+                 :method => method_name.to_sym }
+
+      self
+    end
+
+    def add_template_render template_name
+      @path << { :type => :template,
+                 :name => template_name.to_sym }
+
+      self
+    end
+
+    def include_template? name
+      name = name.to_sym
+
+      @path.any? do |loc|
+        loc[:type] == :template and loc[:name] == name
+      end
+    end
+
+    def include_controller? klass
+      klass = klass.to_sym
+
+      @path.any? do |loc|
+        loc[:type] == :controller and loc[:class] == klass
+      end
+    end
+
+    def include_any_method? method_names
+      names = method_names.map(&:to_sym)
+
+      @path.any? do |loc|
+        loc[:type] == :controller and names.include? loc[:method]
+      end
+    end
+
+    def rendered_from_controller?
+      @path.any? do |loc|
+        loc[:type] == :controller
+      end
+    end
+
+    def each &block
+      @path.each &block
+    end
+
+    def join *args
+      self.to_a.join *args
+    end
+
+    def length
+      @path.length
+    end
+
+    def to_a
+      @path.map do |loc|
+        case loc[:type]
+        when :template
+          "Template:#{loc[:name]}"
+        when :controller
+          "#{loc[:class]}##{loc[:method]}"
+        end
+      end
+    end
+
+    def last
+      self.to_a.last
+    end
+
+    def to_s
+      self.to_a.to_s
+    end
+
+    def to_sym
+      self.to_s.to_sym
+    end
+
+    def to_json *args
+      MultiJson.dump(self.to_a)
+    end
+
+    def initialize_copy original
+      @path = original.path.dup
+      self
+    end
+  end
+end

data/lib/brakeman/processors/model_processor.rb

@@ -170,7 +170,8 @@ class Brakeman::ModelProcessor < Brakeman::BaseProcessor
           end
         end
       end
-      ignore
+
+      exp
     else
       call = make_call target, method, process_all!(exp.args)
       call.line(exp.line)

data/lib/brakeman/processors/template_alias_processor.rb

@@ -1,6 +1,7 @@
 require 'set'
 require 'brakeman/processors/alias_processor'
 require 'brakeman/processors/lib/render_helper'
+require 'brakeman/processors/lib/render_path'
 require 'brakeman/tracker'
 
 #Processes aliasing in templates.
@@ -19,14 +20,14 @@ class Brakeman::TemplateAliasProcessor < Brakeman::AliasProcessor
   #Process template
   def process_template name, args
     if @called_from
-      unless @called_from.grep(/Template:#{name}$/).empty?
+      if @called_from.include_template? name
         Brakeman.debug "Skipping circular render from #{@template[:name]} to #{name}"
         return
       end
 
-      super name, args, @called_from + ["Template:#{@template[:name]}"]
+      super name, args, @called_from.dup.add_template_render(@template[:name])
     else
-      super name, args, ["Template:#{@template[:name]}"]
+      super name, args, Brakeman::RenderPath.new.add_template_render(@template[:name])
     end
   end
 

data/lib/brakeman/report/report_html.rb

@@ -195,7 +195,7 @@ class Brakeman::Report::HTML < Brakeman::Report::Base
 
     if warning.file
       github_url = github_url warning.file, warning.line
-      message.gsub!(/(near line \d+)/, "<a href='#{URI.escape github_url, /'/}' target='_blank'>\\1</a>") if github_url
+      message.gsub!(/(near line \d+)/, "<a href=\"#{github_url}\" target='_blank'>\\1</a>") if github_url
     end
 
     if @highlight_user_input and warning.user_input

data/lib/brakeman/rescanner.rb

@@ -113,7 +113,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
       if controller[:files].include?(path)
         tracker.templates.each do |template_name, template|
           next unless template[:caller]
-          unless template[:caller].grep(/^#{name}#/).empty?
+          if template[:caller].include_controller? name
             tracker.reset_template template_name
           end
         end
@@ -142,21 +142,18 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
     rescan = Set.new
 
-    template_matcher = /^Template:(.+)/
-    controller_matcher = /^(.+Controller)#(.+)/
-    template_name_matcher = /^#{template_name}\./
-
     #Search for processed template and process it.
     #Search for rendered versions of template and re-render (if necessary)
     tracker.templates.each do |name, template|
       if template[:file] == path or template[:file].nil?
-        next unless template[:caller] and name.to_s.match(template_name_matcher)
+        next unless template[:caller] and template[:name].to_sym == template_name.to_sym
 
         template[:caller].each do |from|
-          if from.match(template_matcher)
-            rescan << [:template, $1.to_sym]
-          elsif from.match(controller_matcher)
-            rescan << [:controller, $1.to_sym, $2.to_sym]
+          case from[:type]
+          when :template
+            rescan << [:template, from[:name]]
+          when :controller
+            rescan << [:controller, from[:class], from[:method]]
           end
         end
       end
@@ -272,13 +269,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
     #Remove any rendered versions, or partials rendered from it
     tracker.templates.delete_if do |name, template|
-      if template[:file] == path
-        true
-      elsif template[:file].nil?
-        name = name.to_s
-
-        name.match(rendered_from_controller) or name.match(rendered_from_view)
-      end
+      template[:file] == path or template[:name].to_sym == template_name.to_sym
     end
   end
 
@@ -356,8 +347,6 @@ class Brakeman::Rescanner < Brakeman::Scanner
       end
     end
 
-    method_matcher = /##{method_names.map {|n| Regexp.escape(n.to_s)}.join('|')}$/
-
     to_rescan = []
 
     #Rescan controllers that mixed in library
@@ -384,7 +373,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
     tracker.templates.each do |name, template|
       next unless template[:caller]
 
-      unless template[:caller].grep(method_matcher).empty?
+      if template[:caller].include_any_method? method_names
         name.to_s.match /^([^.]+)/
 
         original = tracker.templates[$1.to_sym]

data/lib/brakeman/tracker.rb

@@ -257,7 +257,7 @@ class Brakeman::Tracker
   def reset_templates options = { :only_rendered => false }
     if options[:only_rendered]
       @templates.delete_if do |name, template|
-        name.to_s.include? "Controller#"
+        template[:caller] and template[:caller].rendered_from_controller?
       end
     else
       @templates = {}
@@ -311,11 +311,10 @@ class Brakeman::Tracker
     @controllers.each do |name, controller|
       if controller[:files].include?(path)
         controller_name = name
-        template_matcher = /^#{name}#/
 
         #Remove templates rendered from this controller
         @templates.each do |template_name, template|
-          if template[:caller] and not template[:caller].grep(template_matcher).empty?
+          if template[:caller] and template[:caller].include_controller? name
             reset_template template_name
             @call_index.remove_template_indexes template_name
           end

data/lib/brakeman/util.rb

@@ -423,6 +423,8 @@ module Brakeman::Util
 
   # rely on Terminal::Table to build the structure, extract the data out in CSV format
   def table_to_csv table
+    return "" unless table
+
     Brakeman.load_brakeman_dependency 'terminal-table'
     output = CSV.generate_line(table.headings.cells.map{|cell| cell.to_s.strip})
     table.rows.each do |row|

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.0.1"
+  Version = "3.0.2"
 end

metadata

@@ -1,14 +1,13 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: brakeman
-version: !ruby/object:Gem::Version 
-  prerelease: 
-  version: 3.0.1
+version: !ruby/object:Gem::Version
+  version: 3.0.2
 platform: ruby
-authors: 
+authors:
 - Justin Collins
 autorequire: 
 bindir: bin
-cert_chain: 
+cert_chain:
 - |
   -----BEGIN CERTIFICATE-----
   MIIDijCCAnKgAwIBAgIBATANBgkqhkiG9w0BAQUFADBFMQ8wDQYDVQQDDAZqdXN0
@@ -31,295 +30,323 @@ cert_chain:
   bxoxp9KNxkO+709YwLO1rYfmcGghg8WV6MYz3PSHdlgWF4KrjRFc/00hXHqVk0Sf
   mREEv2LPwHH2SgpSSab+iawnX4l6lV8XcIrmp/HSMySsPVFBeOmB0c05LpEN8w==
   -----END CERTIFICATE-----
-
-date: 2015-01-23 00:00:00 Z
-dependencies: 
-- !ruby/object:Gem::Dependency 
+date: 2015-03-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: test-unit
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
-        version: "0"
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: ruby_parser
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        version: 3.5.0
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: ruby_parser
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.6.2
   type: :runtime
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: ruby2ruby
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 3.6.2
+- !ruby/object:Gem::Dependency
+  name: ruby2ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
         version: 2.1.1
   type: :runtime
-  version_requirements: *id003
-- !ruby/object:Gem::Dependency 
-  name: terminal-table
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        version: "1.4"
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.1.1
+- !ruby/object:Gem::Dependency
+  name: terminal-table
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
   type: :runtime
-  version_requirements: *id004
-- !ruby/object:Gem::Dependency 
-  name: fastercsv
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        version: "1.5"
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.4'
+- !ruby/object:Gem::Dependency
+  name: fastercsv
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
   type: :runtime
-  version_requirements: *id005
-- !ruby/object:Gem::Dependency 
-  name: highline
   prerelease: false
-  requirement: &id006 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: highline
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
         version: 1.6.20
   type: :runtime
-  version_requirements: *id006
-- !ruby/object:Gem::Dependency 
-  name: erubis
   prerelease: false
-  requirement: &id007 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        version: "2.6"
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.6.20
+- !ruby/object:Gem::Dependency
+  name: erubis
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.6'
   type: :runtime
-  version_requirements: *id007
-- !ruby/object:Gem::Dependency 
-  name: haml
   prerelease: false
-  requirement: &id008 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.6'
+- !ruby/object:Gem::Dependency
+  name: haml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
     - - ">="
-      - !ruby/object:Gem::Version 
-        version: "3.0"
-    - - <
-      - !ruby/object:Gem::Version 
-        version: "5.0"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.0'
   type: :runtime
-  version_requirements: *id008
-- !ruby/object:Gem::Dependency 
-  name: sass
   prerelease: false
-  requirement: &id009 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        version: "3.0"
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.0'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: sass
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
   type: :runtime
-  version_requirements: *id009
-- !ruby/object:Gem::Dependency 
-  name: multi_json
   prerelease: false
-  requirement: &id010 !ruby/object:Gem::Requirement 
-    none: false
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        version: "1.2"
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: multi_json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
   type: :runtime
-  version_requirements: *id010
-description: Brakeman detects security vulnerabilities in Ruby on Rails applications via static analysis.
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.2'
+description: Brakeman detects security vulnerabilities in Ruby on Rails applications
+  via static analysis.
 email: gem@brakeman.org
-executables: 
+executables:
 - brakeman
 extensions: []
-
 extra_rdoc_files: []
-
-files: 
-- bin/brakeman
+files:
 - CHANGES
-- WARNING_TYPES
 - FEATURES
 - README.md
+- WARNING_TYPES
+- bin/brakeman
 - lib/brakeman.rb
-- lib/ruby_parser/bm_sexp.rb
-- lib/ruby_parser/bm_sexp_processor.rb
 - lib/brakeman/app_tree.rb
-- lib/brakeman/call_index.rb
 - lib/brakeman/brakeman.rake
-- lib/brakeman/scanner.rb
-- lib/brakeman/options.rb
-- lib/brakeman/warning_codes.rb
-- lib/brakeman/differ.rb
-- lib/brakeman/checks/check_model_attr_accessible.rb
-- lib/brakeman/checks/check_i18n_xss.rb
-- lib/brakeman/checks/check_digest_dos.rb
-- lib/brakeman/checks/check_session_settings.rb
-- lib/brakeman/checks/check_redirect.rb
-- lib/brakeman/checks/check_model_serialize.rb
-- lib/brakeman/checks/check_regex_dos.rb
-- lib/brakeman/checks/check_validation_regex.rb
-- lib/brakeman/checks/check_single_quotes.rb
+- lib/brakeman/call_index.rb
+- lib/brakeman/checks.rb
+- lib/brakeman/checks/base_check.rb
+- lib/brakeman/checks/check_basic_auth.rb
+- lib/brakeman/checks/check_content_tag.rb
+- lib/brakeman/checks/check_create_with.rb
+- lib/brakeman/checks/check_cross_site_scripting.rb
+- lib/brakeman/checks/check_default_routes.rb
+- lib/brakeman/checks/check_deserialize.rb
 - lib/brakeman/checks/check_detailed_exceptions.rb
-- lib/brakeman/checks/check_file_access.rb
-- lib/brakeman/checks/check_unscoped_find.rb
-- lib/brakeman/checks/check_forgery_setting.rb
-- lib/brakeman/checks/check_symbol_dos.rb
+- lib/brakeman/checks/check_digest_dos.rb
+- lib/brakeman/checks/check_escape_function.rb
+- lib/brakeman/checks/check_evaluation.rb
 - lib/brakeman/checks/check_execute.rb
-- lib/brakeman/checks/check_safe_buffer_manipulation.rb
-- lib/brakeman/checks/check_skip_before_filter.rb
-- lib/brakeman/checks/check_default_routes.rb
+- lib/brakeman/checks/check_file_access.rb
 - lib/brakeman/checks/check_file_disclosure.rb
-- lib/brakeman/checks/check_basic_auth.rb
-- lib/brakeman/checks/check_render.rb
-- lib/brakeman/checks/base_check.rb
-- lib/brakeman/checks/check_mass_assignment.rb
-- lib/brakeman/checks/check_sanitize_methods.rb
-- lib/brakeman/checks/check_simple_format.rb
-- lib/brakeman/checks/check_select_vulnerability.rb
-- lib/brakeman/checks/check_send_file.rb
-- lib/brakeman/checks/check_response_splitting.rb
-- lib/brakeman/checks/check_ssl_verify.rb
 - lib/brakeman/checks/check_filter_skipping.rb
+- lib/brakeman/checks/check_forgery_setting.rb
+- lib/brakeman/checks/check_header_dos.rb
+- lib/brakeman/checks/check_i18n_xss.rb
 - lib/brakeman/checks/check_jruby_xml.rb
-- lib/brakeman/checks/check_escape_function.rb
-- lib/brakeman/checks/check_strip_tags.rb
 - lib/brakeman/checks/check_json_parsing.rb
-- lib/brakeman/checks/check_select_tag.rb
-- lib/brakeman/checks/check_translate_bug.rb
-- lib/brakeman/checks/check_quote_table_name.rb
-- lib/brakeman/checks/check_sql.rb
-- lib/brakeman/checks/check_yaml_parsing.rb
-- lib/brakeman/checks/check_render_inline.rb
-- lib/brakeman/checks/check_cross_site_scripting.rb
+- lib/brakeman/checks/check_link_to.rb
 - lib/brakeman/checks/check_link_to_href.rb
-- lib/brakeman/checks/check_deserialize.rb
+- lib/brakeman/checks/check_mail_to.rb
+- lib/brakeman/checks/check_mass_assignment.rb
+- lib/brakeman/checks/check_model_attr_accessible.rb
 - lib/brakeman/checks/check_model_attributes.rb
-- lib/brakeman/checks/check_number_to_currency.rb
-- lib/brakeman/checks/check_content_tag.rb
-- lib/brakeman/checks/check_symbol_dos_cve.rb
+- lib/brakeman/checks/check_model_serialize.rb
 - lib/brakeman/checks/check_nested_attributes.rb
+- lib/brakeman/checks/check_number_to_currency.rb
+- lib/brakeman/checks/check_quote_table_name.rb
+- lib/brakeman/checks/check_redirect.rb
+- lib/brakeman/checks/check_regex_dos.rb
+- lib/brakeman/checks/check_render.rb
+- lib/brakeman/checks/check_render_dos.rb
+- lib/brakeman/checks/check_render_inline.rb
+- lib/brakeman/checks/check_response_splitting.rb
+- lib/brakeman/checks/check_safe_buffer_manipulation.rb
+- lib/brakeman/checks/check_sanitize_methods.rb
+- lib/brakeman/checks/check_select_tag.rb
+- lib/brakeman/checks/check_select_vulnerability.rb
 - lib/brakeman/checks/check_send.rb
-- lib/brakeman/checks/check_unsafe_reflection.rb
-- lib/brakeman/checks/check_evaluation.rb
+- lib/brakeman/checks/check_send_file.rb
+- lib/brakeman/checks/check_session_settings.rb
+- lib/brakeman/checks/check_simple_format.rb
+- lib/brakeman/checks/check_single_quotes.rb
+- lib/brakeman/checks/check_skip_before_filter.rb
+- lib/brakeman/checks/check_sql.rb
 - lib/brakeman/checks/check_sql_cves.rb
-- lib/brakeman/checks/check_mail_to.rb
+- lib/brakeman/checks/check_ssl_verify.rb
+- lib/brakeman/checks/check_strip_tags.rb
+- lib/brakeman/checks/check_symbol_dos.rb
+- lib/brakeman/checks/check_symbol_dos_cve.rb
+- lib/brakeman/checks/check_translate_bug.rb
+- lib/brakeman/checks/check_unsafe_reflection.rb
+- lib/brakeman/checks/check_unscoped_find.rb
+- lib/brakeman/checks/check_validation_regex.rb
 - lib/brakeman/checks/check_without_protection.rb
-- lib/brakeman/checks/check_create_with.rb
-- lib/brakeman/checks/check_header_dos.rb
-- lib/brakeman/checks/check_link_to.rb
-- lib/brakeman/checks/check_render_dos.rb
-- lib/brakeman/processor.rb
+- lib/brakeman/checks/check_yaml_parsing.rb
+- lib/brakeman/differ.rb
 - lib/brakeman/file_parser.rb
-- lib/brakeman/version.rb
 - lib/brakeman/format/style.css
-- lib/brakeman/checks.rb
-- lib/brakeman/tracker.rb
-- lib/brakeman/parsers/rails3_erubis.rb
+- lib/brakeman/options.rb
 - lib/brakeman/parsers/rails2_erubis.rb
-- lib/brakeman/parsers/template_parser.rb
 - lib/brakeman/parsers/rails2_xss_plugin_erubis.rb
-- lib/brakeman/util.rb
-- lib/brakeman/report.rb
-- lib/brakeman/warning.rb
+- lib/brakeman/parsers/rails3_erubis.rb
+- lib/brakeman/parsers/template_parser.rb
+- lib/brakeman/processor.rb
 - lib/brakeman/processors/alias_processor.rb
-- lib/brakeman/processors/output_processor.rb
-- lib/brakeman/processors/template_processor.rb
-- lib/brakeman/processors/erubis_template_processor.rb
-- lib/brakeman/processors/erb_template_processor.rb
-- lib/brakeman/processors/model_processor.rb
-- lib/brakeman/processors/template_alias_processor.rb
+- lib/brakeman/processors/base_processor.rb
 - lib/brakeman/processors/config_processor.rb
 - lib/brakeman/processors/controller_alias_processor.rb
+- lib/brakeman/processors/controller_processor.rb
+- lib/brakeman/processors/erb_template_processor.rb
+- lib/brakeman/processors/erubis_template_processor.rb
+- lib/brakeman/processors/gem_processor.rb
 - lib/brakeman/processors/haml_template_processor.rb
-- lib/brakeman/processors/base_processor.rb
-- lib/brakeman/processors/lib/find_return_value.rb
-- lib/brakeman/processors/lib/rails3_route_processor.rb
-- lib/brakeman/processors/lib/find_all_calls.rb
 - lib/brakeman/processors/lib/basic_processor.rb
-- lib/brakeman/processors/lib/rails2_route_processor.rb
-- lib/brakeman/processors/lib/route_helper.rb
+- lib/brakeman/processors/lib/find_all_calls.rb
 - lib/brakeman/processors/lib/find_call.rb
-- lib/brakeman/processors/lib/render_helper.rb
-- lib/brakeman/processors/lib/rails3_config_processor.rb
-- lib/brakeman/processors/lib/rails2_config_processor.rb
+- lib/brakeman/processors/lib/find_return_value.rb
 - lib/brakeman/processors/lib/processor_helper.rb
-- lib/brakeman/processors/controller_processor.rb
-- lib/brakeman/processors/slim_template_processor.rb
+- lib/brakeman/processors/lib/rails2_config_processor.rb
+- lib/brakeman/processors/lib/rails2_route_processor.rb
+- lib/brakeman/processors/lib/rails3_config_processor.rb
+- lib/brakeman/processors/lib/rails3_route_processor.rb
+- lib/brakeman/processors/lib/render_helper.rb
+- lib/brakeman/processors/lib/render_path.rb
+- lib/brakeman/processors/lib/route_helper.rb
 - lib/brakeman/processors/library_processor.rb
-- lib/brakeman/processors/gem_processor.rb
+- lib/brakeman/processors/model_processor.rb
+- lib/brakeman/processors/output_processor.rb
 - lib/brakeman/processors/route_processor.rb
-- lib/brakeman/report/report_markdown.rb
+- lib/brakeman/processors/slim_template_processor.rb
+- lib/brakeman/processors/template_alias_processor.rb
+- lib/brakeman/processors/template_processor.rb
+- lib/brakeman/report.rb
+- lib/brakeman/report/ignore/config.rb
+- lib/brakeman/report/ignore/interactive.rb
+- lib/brakeman/report/initializers/faster_csv.rb
+- lib/brakeman/report/initializers/multi_json.rb
+- lib/brakeman/report/renderer.rb
 - lib/brakeman/report/report_base.rb
+- lib/brakeman/report/report_csv.rb
 - lib/brakeman/report/report_hash.rb
+- lib/brakeman/report/report_html.rb
+- lib/brakeman/report/report_json.rb
+- lib/brakeman/report/report_markdown.rb
+- lib/brakeman/report/report_table.rb
+- lib/brakeman/report/report_tabs.rb
 - lib/brakeman/report/templates/controller_overview.html.erb
-- lib/brakeman/report/templates/security_warnings.html.erb
-- lib/brakeman/report/templates/warning_overview.html.erb
-- lib/brakeman/report/templates/ignored_warnings.html.erb
-- lib/brakeman/report/templates/model_warnings.html.erb
 - lib/brakeman/report/templates/controller_warnings.html.erb
-- lib/brakeman/report/templates/overview.html.erb
 - lib/brakeman/report/templates/error_overview.html.erb
-- lib/brakeman/report/templates/view_warnings.html.erb
 - lib/brakeman/report/templates/header.html.erb
+- lib/brakeman/report/templates/ignored_warnings.html.erb
+- lib/brakeman/report/templates/model_warnings.html.erb
+- lib/brakeman/report/templates/overview.html.erb
+- lib/brakeman/report/templates/security_warnings.html.erb
 - lib/brakeman/report/templates/template_overview.html.erb
-- lib/brakeman/report/ignore/config.rb
-- lib/brakeman/report/ignore/interactive.rb
-- lib/brakeman/report/renderer.rb
-- lib/brakeman/report/report_table.rb
-- lib/brakeman/report/report_html.rb
-- lib/brakeman/report/report_csv.rb
-- lib/brakeman/report/report_tabs.rb
-- lib/brakeman/report/initializers/faster_csv.rb
-- lib/brakeman/report/initializers/multi_json.rb
-- lib/brakeman/report/report_json.rb
+- lib/brakeman/report/templates/view_warnings.html.erb
+- lib/brakeman/report/templates/warning_overview.html.erb
 - lib/brakeman/rescanner.rb
+- lib/brakeman/scanner.rb
+- lib/brakeman/tracker.rb
+- lib/brakeman/util.rb
+- lib/brakeman/version.rb
+- lib/brakeman/warning.rb
+- lib/brakeman/warning_codes.rb
+- lib/ruby_parser/bm_sexp.rb
+- lib/ruby_parser/bm_sexp_processor.rb
 homepage: http://brakemanscanner.org
-licenses: 
+licenses:
 - MIT
+metadata: {}
 post_install_message: 
 rdoc_options: []
-
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version 
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
-  none: false
-  requirements: 
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
   - - ">="
-    - !ruby/object:Gem::Version 
-      version: "0"
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: 
-rubygems_version: 1.8.5
+rubygems_version: 2.2.2
 signing_key: 
-specification_version: 3
+specification_version: 4
 summary: Security vulnerability scanner for Ruby on Rails.
 test_files: []
-