brakeman 1.8.1 → 1.8.2

data/CHANGES

@@ -0,0 +1,378 @@
+# 1.8.2
+
+ * Fixed rescanning problems caused by 1.8.0 changes
+ * Fix scope calls with single argument
+ * Report specific model name in rendered collections
+ * Handle overwritten JSON escape settings
+ * Much improved test coverage
+ * Add CHANGES to gemspec
+
+# 1.8.1
+
+ * Recover from errors in output formatting
+ * Fix false positive in redirect_to (Neil Matatall)
+ * Fix problems with removal of `Sexp#method_missing`
+ * Fix array indexing in alias processing
+ * Fix old mail_to vulnerability check
+ * Fix rescans when only controller action changes
+ * Allow comparison of versions with unequal lengths
+ * Handle super calls with blocks
+ * Respect `-q` flag for "Rails 3 detected" message
+
+# 1.8.0
+
+ * Support relative paths in reports (fsword)
+ * Allow Brakeman to be run without tty (fsword)
+ * Fix exit code with `--compare` (fsword)
+ * Fix `--rake` option (Deepak Kumar)
+ * Add high confidence warnings for `to_json` XSS (Neil Matatall)
+ * Fix `redirect_to` false negative
+ * Fix duplicate warnings with `raw` calls
+ * Fix shadowing of rendered partials
+ * Add "render chain" to HTML reports
+ * Add check for XSS in `content_tag`
+ * Add full backtrace for errors in debug mode
+ * Treat model attributes in `or` expressions as immediate values
+ * Switch to method access for Sexp nodes
+
+# 1.7.1
+
+ * Add check for CVE-2012-3463
+ * Add check for CVE-2012-3464
+ * Add check for CVE-2012-3465
+ * Add charset to HTML report (hooopo)
+ * Report XSS in select() for Rails 2
+
+# 1.7.0
+
+ * Add check for CVE-2012-3424
+ * Link report types to descriptions on website
+ * Report errors raised while running check
+ * Improve processing of Rails 3 routes
+ * Fix "empty char-class" error
+ * Improve file access check
+ * Avoid warning on non-ActiveModel models
+ * Speed improvements by stripping down SexpProcessor
+ * Fix how `params[:x] ||=` is handled
+ * Treat user input in `or` expressions as immediate values
+ * Fix processing of negative array indexes
+ * Add line breaks to truncated table rows
+
+# 1.6.2
+
+ * Add checks for CVE-2012-2660, CVE-2012-2661, CVE-2012-2694, CVE-2012-2695 (Dave Worth)
+ * Avoid warning when redirecting to a model instance
+ * Add `request.parameters` as a parameters hash
+ * Raise confidence level for model attributes in redirects
+ * Return non-zero exit code when missing dependencies
+ * Fix `before_filter :except` logic
+ * Only accept symbol literals as before_filter names
+ * Cache before_filter lookups
+ * Turn off quiet mode by default for `--compare`
+
+# 1.6.1
+
+ * Major rewrite of CheckSQL
+ * Fix rescanning of deleted templates
+ * Process actions mixed into controllers
+ * Handle `render :template => ...`
+ * Check for inherited attr_accessible (Neil Matatall)
+ * Fix highlighting of HTML escaped values in HTML report
+ * Report line number of highlighted value, if available
+
+# 1.6.0
+
+ * Remove the Ruport dependency (Neil Matatall)
+ * Add more informational JSON output (Neil Matatall)
+ * Add comparison to previous JSON report (Neil Matatall)
+ * Add highlighting of dangerous values in HTML/text reports
+ * Model#update_attribute should not raise mass assignment warning (Dave Worth)
+ * Don't check `find_by_*` method for SQL injection
+ * Fix duplicate reporting of mass assignment and SQL injection
+ * Fix rescanning of deleted files 
+ * Properly check for rails_xss in Gemfile
+
+# 1.5.3
+
+ * Add check for user input in Object#send (Neil Matatall)
+ * Handle render :layout in views
+ * Support output to multiple formats (Nick Green)
+ * Prevent infinite loops in mutually recursive templates
+ * Only check eval arguments for user input, not targets
+ * Search subdirectories for models
+ * Set values in request hashes and propagate to views
+ * Add rake task file to gemspec (Anton Ageev)
+ * Filter rescanning of templates (Neil Matatall)
+ * Improve handling of modules and nesting
+ * Test for zero errors in test reports
+
+# 1.5.2
+
+ * Fix link_to checks for Rails 2.0 and 2.3
+ * Fix rescanning of lib files (Neil Matatall)
+ * Output stack trace on interrupt when debugging
+ * Ignore user input in if statement conditions
+ * Fix --skip-files option
+ * Only warn on user input in render paths
+ * Fix handling of views when using rails_xss
+ * Revert to ruby_parser 2.3.1 for Ruby 1.8 parsing
+
+# 1.5.1
+
+ * Fix detection of global mass assignment setting
+ * Fix partial rendering in Rails 3
+ * Show backtrace when interrupt received (Ruby 1.9 only)
+ * More debug output
+ * Remove duplicate method in Brakeman::Rails2XSSErubis
+ * Add tracking of module and class to Brakeman::BaseProcessor
+ * Report module when using Brakeman::FindCall
+
+# 1.5.0
+
+ * Add version check for SafeBuffer vulnerability
+ * Add check for select vulnerability in Rails 3
+ * select() is no longer considered safe in Rails 2
+ * Add check for skipping CSRF protection with a blacklist
+ * Add JSON report format
+ * Model#id should not be considered XSS
+ * Standardize methods to check for SQL injection
+ * Fix Rails 2 route parsing issue with nested routes
+
+# 1.4.0
+
+ * Add check for user input in link_to href parameter
+ * Match ERB processing to rails_xss plugin when plugin used
+ * Add Brakeman::Report#to_json, Brakeman::Warning#to_json
+ * Warnings below minimum confidence are dropped completely
+ * Brakeman.run always returns a Tracker
+
+# 1.3.0
+
+ * Add file paths to HTML report
+ * Add caching of filters
+ * Add --skip-files option
+ * Add support for attr_protected
+ * Add detection of request.env as user input
+ * Descriptions of checks in -k output
+ * Improved processing of named scopes
+ * Check for mass assignment in ActiveRecord::Associations::AssociationCollection#build
+ * Better variable substitution
+ * Table output option for rescan reports
+
+# 1.2.2
+
+ * --no-progress works again
+ * Make CheckLinkTo a separate check
+ * Don't fail on unknown options to resource(s)
+ * Handle empty resource(s) blocks
+ * Add RescanReport#existing_warnings
+
+## 1.2.1
+
+ * Remove link_to warning for Rails 3.x or when using rails_xss
+ * Don't warn if first argument to link_to is escaped
+ * Detect usage of attr_accessible with no arguments
+ * Fix error when rendering a partial from a view but not through a controller
+ * Fix some issues with rails_xss, CheckCrossSiteScripting, and CheckTranslateBug
+ * Simplify Brakeman Rake task
+ * Avoid modifying $VERBOSE
+ * Add Brakeman::RescanReport#to_s
+ * Add Brakeman::Warning#to_s
+
+## 1.2.0
+
+ * Speed improvements for CheckExecute and CheckRender
+ * Check named_scope() and scope() for SQL injection
+ * Add --rake option to create rake task to run Brakeman
+ * Add experimental support for rescanning a subset of files
+ * Add --summary option to only output summary
+ * Fix a problem with Rails 3 routes
+
+## 1.1.0
+
+ * Relax required versions for dependencies
+ * Performance improvements for source processing
+ * Better progress reporting
+ * Handle basic operators like << + - * /
+ * Rescue more errors to prevent complete crashes
+ * Compatibility with newer Haml versions
+ * Fix some warnings
+
+## 1.0.0
+
+ * Better handling of assignments inside ifs
+ * Check more expressions for SQL injection
+ * Use latest ruby_parser for better 1.9 syntax support
+ * Better behavior for Brakeman as a library
+
+## 1.0.0rc1
+
+ * Brakeman can now be used as a library
+ * Faster call search
+ * Add option to return error code if warnings are found (tw-ngreen)
+ * Allow truncated messages to be expanded in HTML
+ * Fix summary when using warning thresholds
+ * Better support for Rails 3 routes
+ * Reduce SQL injection duplicate warnings
+ * Lower confidence on mass assignment with no user input
+ * Ignore mass assignment using all literal arguments
+ * Keep expanded context in view with HTML output
+
+## 0.9.2
+
+ * Fix Rails 3 configuration parsing
+ * Add t() helper to check for translate XSS bug
+
+## 0.9.1
+
+ * Add warning for translator helper XSS vulnerability
+
+## 0.9.0
+
+ * Process Rails 3 configuration files
+ * Fix CSV output
+ * Check for config.active_record.whitelist_attributes = true
+ * Always produce a warning for without_protection => true
+
+## 0.8.4
+
+ * Option for separate attr_accessible warnings
+ * Option to set CSS file for HTML output
+ * Add file names for version-specific warnings
+ * Add line number for default routes in a controller
+ * Fix hash_insert()
+ * Remove use of Queue from threaded checks
+
+## 0.8.3
+ 
+ * Respect -w flag in .tabs format (tw-ngreen)
+ * Escape HTML output of error messages
+ * Add --skip-libs option
+
+## 0.8.2
+
+ * Run checks in parallel threads by default
+ * Fix compatibility with ruby_parser 2.3.1
+
+## 0.8.1
+
+ * Add option to assume all controller methods are actions
+ * Recover from errors when parsing routes
+
+## 0.8.0
+
+ * Add check for mass assignment using without_protection
+ * Add check for password in http_basic_authenticate_with
+ * Warn on user input in hash argument with mass assignment
+ * auto_link is now considered safe for Rails >= 3.0.6
+ * Output detected Rails version in report
+ * Keep track of methods called in class definition
+ * Add ruby_parser hack for Ruby 1.9 hash syntax
+ * Add a few Rails 3.1 tests
+
+## 0.7.2
+
+ * Fix handling of params and cookies with nested access
+ * Add CVEs for checks added in 0.7.0
+
+## 0.7.1
+
+ * Require BaseProcessor for GemProcessor
+
+## 0.7.0
+
+ * Allow local variable as a class name
+ * Add checks for vulnerabilities fixed in Rails 2.3.14 and 3.0.10
+ * Check for default routes in Rails 3 apps
+ * Look in Gemfile or Gemfile.lock for Rails version
+
+## 0.6.1
+
+ * Fix XSS check for cookies as parameters in output
+ * Don't bother calling super in CheckSessionSettings
+ * Add escape_once as a safe method
+ * Accept '\Z' or '\z' in model validations
+
+## 0.6.0
+
+ * Tests are in place and fully functional
+ * Hide errors by default in HTML output
+ * Warn if routes.rb cannot be found
+ * Narrow methods assumed to be file access
+ * Increase confidence for methods known to not escape output
+ * Fixes to output processing for Erubis
+ * Fixes for Rails 3 XSS checks
+ * Fixes to line numbers with Erubis
+ * Fixes to escaped output scanning
+ * Update CSRF CVE-2011-0447 message to be less assertive
+
+## 0.5.2
+
+ * Output report file name when finished
+ * Add initial tests for Rails 2.x
+ * Fix ERB line numbers when using Ruby 1.9
+
+## 0.5.1
+
+ * Fix issue with 'has_one' => in routes
+
+## 0.5.0
+
+  * Add support for routes like get 'x/y', :to => 'ctrlr#whatever'
+  * Allow empty blocks in Rails 3 routes
+  * Check initializer for session settings
+  * Add line numbers to session setting warnings
+  * Add --checks option to list checks
+
+## 0.4.1
+  
+  * Fix reported line numbers when using new Erubis parser
+    (Mostly affects Rails 3 apps)
+
+## 0.4.0
+
+  * Handle Rails XSS protection properly
+  * More detection options for rails_xss
+  * Add --escape-html option 
+
+## 0.3.2  
+
+  * Autodetect Rails 3 applications
+  * Turn on auto-escaping for Rails 3 apps
+  * Check Model.create() for mass assignment
+
+## 0.3.1
+
+  * Always output a line number in tabbed output format
+  * Restrict characters in category name in tabbed output format to
+    word characters and spaces, for Hudson/Jenkins plugin
+
+## 0.3.0
+
+  * Check for SQL injection in calls using constantize()
+  * Check for SQL injection in calls to count_by_sql()
+
+## 0.2.2
+
+  * Fix version_between? when no Rails version is specified
+
+## 0.2.1
+
+  * Add code snippet to tab output messages
+
+## 0.2.0
+
+  * Add check for mail_to vulnerability - CVE-2011-0446
+  * Add check for CSRF weakness - CVE-2011-0447
+
+## 0.1.1
+
+  * Be more permissive with ActiveSupport version
+
+## 0.1.0
+
+  * Check link_to for XSS (because arguments are not escaped)
+  * Process layouts better (although not perfectly yet)
+  * Load custom Haml filters if they are in lib/
+  * Tab separated output via .tabs output extension
+  * Switch to normal versioning scheme

data/README.md

@@ -153,10 +153,10 @@ The `-c` option can be used to specify a configuration file to use.
 
 The MIT License
 
-Copyright (c) 2010-2012, YELLOWPAGES.COM, LLC
-
 Copyright (c) 2012, Twitter, Inc.
 
+Copyright (c) 2010-2012, YELLOWPAGES.COM, LLC
+
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights

data/lib/brakeman/call_index.rb

@@ -67,10 +67,10 @@ class Brakeman::CallIndex
     calls
   end
 
-  def remove_template_indexes
+  def remove_template_indexes template_name = nil
     @calls_by_method.each do |name, calls|
       calls.delete_if do |call|
-        call[:location][0] == :template
+        from_template call, template_name
       end
 
       @methods.delete name.to_s if calls.empty?
@@ -78,7 +78,7 @@ class Brakeman::CallIndex
 
     @calls_by_target.each do |name, calls|
       calls.delete_if do |call|
-        call[:location][0] == :template
+        from_template call, template_name
       end
 
       @targets.delete name.to_s if calls.empty?
@@ -237,4 +237,10 @@ class Brakeman::CallIndex
       end
     end
   end
+
+  def from_template call, template_name
+    return false unless call[:location][0] == :template
+    return true if template_name.nil?
+    call[:location][1] == template_name
+  end
 end

data/lib/brakeman/checks/check_cross_site_scripting.rb

@@ -31,7 +31,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
 
   CGI = Sexp.new(:const, :CGI)
 
-  FORM_BUILDER = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new, Sexp.new(:arglist)) 
+  FORM_BUILDER = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new, Sexp.new(:arglist))
 
   #Run check
   def run_check
@@ -58,8 +58,9 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
       @known_dangerous << :strip_tags
     end
 
-    matches = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
-    json_escape_on = matches.detect {|result| true? result[-1].first_arg}
+    json_escape_on = false
+    initializers = tracker.check_initializers :ActiveSupport, :escape_html_entities_in_json=
+    initializers.each {|result| json_escape_on = true?(result[-1].first_arg) }
 
     if !json_escape_on or version_between? "0.0.0", "2.0.99"
       @known_dangerous << :to_json
@@ -107,7 +108,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
         message = "Unescaped user input value"
       end
 
-      warn :template => @current_template, 
+      warn :template => @current_template,
         :warning_type => "Cross Site Scripting",
         :message => message,
         :code => input.match,
@@ -128,13 +129,13 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
         message = "Unescaped model attribute"
         link_path = "cross_site_scripting"
         if node_type?(out, :call, :attrasgn) && out.method == :to_json
-          message += " in JSON hash" 
+          message += " in JSON hash"
           link_path += "_to_json"
         end
 
         code = find_chain out, match
         warn :template => @current_template,
-          :warning_type => "Cross Site Scripting", 
+          :warning_type => "Cross Site Scripting",
           :message => message,
           :code => code,
           :confidence => confidence,
@@ -203,7 +204,7 @@ class Brakeman::CheckCrossSiteScripting < Brakeman::BaseCheck
           end
 
           warn :template => @current_template,
-            :warning_type => "Cross Site Scripting", 
+            :warning_type => "Cross Site Scripting",
             :message => message,
             :code => exp,
             :user_input => @matched.match,

data/lib/brakeman/checks/check_sql.rb

@@ -72,6 +72,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
           model[:options][:scope].each do |args|
             second_arg = args[2]
 
+            next unless sexp? second_arg
+
             if second_arg.node_type == :iter and node_type? second_arg.block, :block, :call
               process_scope_with_block name, args
             elsif second_arg.node_type == :call

data/lib/brakeman/processors/lib/render_helper.rb

@@ -109,7 +109,9 @@ module Brakeman::RenderHelper
           end
         end
 
-        template_env[Sexp.new(:call, nil, variable, Sexp.new(:arglist))] = Sexp.new(:call, Sexp.new(:const, Brakeman::Tracker::UNKNOWN_MODEL), :new, Sexp.new(:arglist))
+        collection = get_class_target(options[:collection]) || Brakeman::Tracker::UNKNOWN_MODEL
+
+        template_env[Sexp.new(:call, nil, variable, Sexp.new(:arglist))] = Sexp.new(:call, Sexp.new(:const, collection), :new, Sexp.new(:arglist))
       end
 
       #Set original_line for values so it is clear
@@ -154,4 +156,16 @@ module Brakeman::RenderHelper
 
     options
   end
+
+  def get_class_target sexp
+    if call? sexp
+      get_class_target sexp.target
+    else
+      begin
+        class_name sexp
+      rescue
+        nil
+      end
+    end
+  end
 end

data/lib/brakeman/rescanner.rb

@@ -80,7 +80,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
     when :model
       rescan_model path
     when :lib
-      process_lib path
+      rescan_lib path
     when :config
       process_config
     when :initializer
@@ -115,8 +115,9 @@ class Brakeman::Rescanner < Brakeman::Scanner
     #from the controller
     tracker.controllers.each do |name, controller|
       if controller[:file] == path
-        tracker.templates.keys.each do |template_name|
-          if template_name.to_s.match /(.+)\.#{name}#/
+        tracker.templates.each do |template_name, template|
+          next unless template[:caller]
+          unless template[:caller].grep(/^#{name}#/).empty?
             tracker.reset_template template_name
           end
         end
@@ -138,24 +139,23 @@ class Brakeman::Rescanner < Brakeman::Scanner
 
     rescan = Set.new
 
-    rendered_from_controller = /^#{template_name}\.(.+Controller)#(.+)/
-    rendered_from_view = /^#{template_name}\.Template:(.+)/
+    template_matcher = /^Template:(.+)/
+    controller_matcher = /^(.+Controller)#(.+)/
+    template_name_matcher = /^#{template_name}\./
 
     #Search for processed template and process it.
     #Search for rendered versions of template and re-render (if necessary)
     tracker.templates.each do |name, template|
       if template[:file] == path or template[:file].nil?
-       name = name.to_s
-
-       if name.match(rendered_from_controller)
-         #Rendered from controller, so reprocess controller
-
-         rescan << [:controller, $1.to_sym, $2.to_sym]
-       elsif name.match(rendered_from_view)
-         #Rendered from another template, so reprocess that template
+        next unless template[:caller] and name.to_s.match(template_name_matcher)
 
-         rescan << [:template, $1.to_sym]
-       end
+        template[:caller].each do |from|
+          if from.match(template_matcher)
+            rescan << [:template, $1.to_sym]
+          elsif from.match(controller_matcher)
+            rescan << [:controller, $1.to_sym, $2.to_sym]
+          end
+        end
       end
     end
 
@@ -189,6 +189,21 @@ class Brakeman::Rescanner < Brakeman::Scanner
     @reindex << :models
   end
 
+  def rescan_lib path
+    process_lib path if File.exists? path
+
+    lib = nil
+
+    tracker.libs.each do |name, library|
+      if library[:file] == path
+        lib = library
+        break
+      end
+    end
+
+    rescan_mixin lib if lib
+  end
+
   #Handle rescanning when a file is deleted
   def rescan_deleted_file path, type
     case type
@@ -214,21 +229,7 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def rescan_deleted_controller path
-    #Remove from controller
-    tracker.controllers.delete_if do |name, controller|
-      if controller[:file] == path
-        template_matcher = /(.+)\.#{name}#/
-
-        #Remove templates rendered from this controller
-        tracker.templates.keys.each do |template_name|
-          if template_name.to_s.match template_matcher
-            tracker.reset_template template_name
-          end
-        end
-
-        true
-      end
-    end
+    tracker.reset_controller path
   end
 
   def rescan_deleted_template path
@@ -255,9 +256,16 @@ class Brakeman::Rescanner < Brakeman::Scanner
   end
 
   def rescan_deleted_lib path
+    deleted_lib = nil
+
     tracker.libs.delete_if do |name, lib|
-      lib[:path] == path
+      if lib[:file] == path
+        deleted_lib = lib
+        true
+      end
     end
+
+    rescan_mixin deleted_lib if deleted_lib
   end
 
   def rescan_deleted_initializer path
@@ -304,6 +312,51 @@ class Brakeman::Rescanner < Brakeman::Scanner
       :unknown
     end
   end
+
+  def rescan_mixin lib
+    method_names = []
+
+    [:public, :private, :protected].each do |access|
+      lib[access].each do |name, meth|
+        method_names << name
+      end
+    end
+
+    method_matcher = /##{method_names.join('|')}$/
+
+    #Rescan controllers that mixed in library
+    tracker.controllers.each do |name, controller|
+      if controller[:includes].include? lib[:name]
+        unless @paths.include? controller[:file]
+          rescan_file controller[:file]
+        end
+      end
+    end
+
+    to_rescan = []
+
+    #Check if a method from this mixin was used to render a template.
+    #This is not precise, because a different controller might have the
+    #same method...
+    tracker.templates.each do |name, template|
+      next unless template[:caller]
+
+      unless template[:caller].grep(method_matcher).empty?
+        name.to_s.match /^([^.]+)/
+
+        original = tracker.templates[$1.to_sym]
+
+        if original
+          to_rescan << [name, original[:file]]
+        end
+      end
+    end
+
+    to_rescan.each do |template|
+      tracker.reset_template template[0]
+      rescan_file template[1]
+    end
+  end
 end
 
 #Class to make reporting of rescan results simpler to deal with
@@ -381,7 +434,7 @@ New warnings: #{new_warnings.length}
               w["Confidence"] = Brakeman::Report::TEXT_CONFIDENCE[w["Confidence"]]
 
               t << [w["Confidence"], w["Class"], w["Method"], w["Warning Type"], w["Message"]]
-            end            
+            end
           end
           out << truncate_table(table.to_s)
         end

data/lib/brakeman/tracker.rb

@@ -84,7 +84,7 @@ class Brakeman::Tracker
     end
   end
 
-  #Iterates over each template, yielding the name and the template. 
+  #Iterates over each template, yielding the name and the template.
   #Prioritizes templates which have been rendered.
   def each_template
     if @processed.nil?
@@ -130,7 +130,7 @@ class Brakeman::Tracker
   def check_initializers target, method
     finder = Brakeman::FindCall.new target, method, self
 
-    initializers.each do |name, initializer|
+    initializers.sort.each do |name, initializer|
       finder.process_source initializer
     end
 
@@ -236,6 +236,7 @@ class Brakeman::Tracker
     @templates.delete name
     @processed = nil
     @rest = nil
+    @template_cache.clear
   end
 
   #Clear information related to model
@@ -252,6 +253,28 @@ class Brakeman::Tracker
     @models.delete model_name
   end
 
+  def reset_controller path
+    #Remove from controller
+    @controllers.delete_if do |name, controller|
+      if controller[:file] == path
+        template_matcher = /^#{name}#/
+
+        #Remove templates rendered from this controller
+        @templates.each do |template_name, template|
+          if template[:caller] and not template[:caller].grep(template_matcher).empty?
+            reset_template template_name
+            @call_index.remove_template_indexes template_name
+          end
+        end
+
+        #Remove calls indexed from this controller
+        @call_index.remove_indexes_by_class [name]
+
+        true
+      end
+    end
+  end
+
   #Clear information about routes
   def reset_routes
     @routes = {}

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "1.8.1"
+  Version = "1.8.2"
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: brakeman
 version: !ruby/object:Gem::Version 
-  hash: 53
+  hash: 51
   prerelease: 
   segments: 
   - 1
   - 8
-  - 1
-  version: 1.8.1
+  - 2
+  version: 1.8.2
 platform: ruby
 authors: 
 - Justin Collins
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-09-24 00:00:00 Z
+date: 2012-10-17 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: activesupport
@@ -190,6 +190,7 @@ extra_rdoc_files: []
 
 files: 
 - bin/brakeman
+- CHANGES
 - WARNING_TYPES
 - FEATURES
 - README.md