brakeman 3.3.3 → 3.3.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 08318cd38973d83265973cfcaffb09907d92bc25
-  data.tar.gz: f147beaa68bf28730c008478c98e666480d58ada
+  metadata.gz: 303404ce254faef92c6448e30750b9253d06bc60
+  data.tar.gz: 14be3eeb1a8c01649ec41f65a3a713b7f9c061a2
 SHA512:
-  metadata.gz: d7fd63e6289c6019accc98f91b5a8d6d10d610d8b5829a73641a89930097b80979a5143c8c5688662dbc367532d3d62cc68dbc6352322a66decce9d76e4f8570
-  data.tar.gz: 46bd51e6d4b76c8d8d0120cc9932bd0987800b03e0b2eb7eff7d97c127a88811d8859bdfc6dbb6d00bcc05d112b1d6b4fdb69e175b171293b5a1b11cee4c2f25
+  metadata.gz: 3d0ce8d075f1e4e3e196a34d135bb87467c1f44ab10cdb86f388521521af5f8c88e94f76ee58f79a87f806c7b79db029bdb77e411e69d48bf25633ef562f3b8a
+  data.tar.gz: 1658b7d8b20c07b7df8cd2fadb50c71efa1202facac77d3730a6a23969c307c780331d0f09a4e8e5b28a666a6725fd1f4f589eb987312b3f4a07341a3f60f6bc

data/CHANGES

@@ -1,3 +1,10 @@
+# 3.3.4
+
+* Add generic warning for CVE-2016-6316
+* Warn about dangerous use of `content_tag` with CVE-2016-6316
+* Add warning for CVE-2016-6317
+* Use Minitest
+
 # 3.3.3
 
 * Show path when no Rails app found (Neil Matatall)

data/lib/brakeman/app_tree.rb

@@ -53,6 +53,7 @@ module Brakeman
 
     def initialize(root, init_options = {})
       @root = root
+      @project_root_path = Pathname.new(@root)
       @skip_files = init_options[:skip_files]
       @only_files = init_options[:only_files]
       @additional_libs_path = init_options[:additional_libs_path] || []
@@ -133,34 +134,31 @@ module Brakeman
 
     def select_only_files(paths)
       return paths unless @only_files
-      project_root  = Pathname.new(@root)
+
       paths.select do |path|
-        absolute_path = Pathname.new(path)
-        # relative root never has a leading separator. But, we use a leading
-        # separator in a @skip_files entry to imply that a directory is
-        # "absolute" with respect to the project directory.
-        project_relative_path = File.join(
-          File::SEPARATOR,
-          absolute_path.relative_path_from(project_root).to_s
-        )
-        @only_files.match(project_relative_path)
+        match_path @only_files, path
       end
     end
 
     def reject_skipped_files(paths)
       return paths unless @skip_files
-      project_root  = Pathname.new(@root)
+
       paths.reject do |path|
-        absolute_path = Pathname.new(path)
-        # relative root never has a leading separator. But, we use a leading
-        # separator in a @skip_files entry to imply that a directory is
-        # "absolute" with respect to the project directory.
-        project_relative_path = File.join(
-          File::SEPARATOR,
-          absolute_path.relative_path_from(project_root).to_s
-        )
-        @skip_files.match(project_relative_path)
+        match_path @skip_files, path
       end
     end
+
+    def match_path files, path
+      absolute_path = Pathname.new(path)
+      # relative root never has a leading separator. But, we use a leading
+      # separator in a @skip_files entry to imply that a directory is
+      # "absolute" with respect to the project directory.
+      project_relative_path = File.join(
+        File::SEPARATOR,
+        absolute_path.relative_path_from(@project_root_path).to_s
+      )
+
+      files.match(project_relative_path)
+    end
   end
 end

data/lib/brakeman/checks/check_content_tag.rb

@@ -28,16 +28,18 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
                            :will_paginate].merge tracker.options[:safe_methods]
 
     @known_dangerous = []
-    methods = tracker.find_call :target => false, :method => :content_tag
+    @content_tags = tracker.find_call :target => false, :method => :content_tag
 
     @models = tracker.models.keys
     @inspect_arguments = tracker.options[:check_arguments]
     @mark = nil
 
     Brakeman.debug "Checking for XSS in content_tag"
-    methods.each do |call|
+    @content_tags.each do |call|
       process_result call
     end
+
+    check_cve_2016_6316
   end
 
   def process_result result
@@ -73,7 +75,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
     #By default, content_tag escapes attribute values passed in as a hash.
     #But this behavior can be disabled. So only check attributes hash
     #if they are explicitly not escaped.
-    if not @matched and attributes and false? escape_attr
+    if not @matched and attributes and (false? escape_attr or cve_2016_6316?)
       if request_value? attributes or not hash? attributes
         check_argument result, attributes
       else #check hash values
@@ -87,7 +89,7 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
 
   def check_argument result, exp
     #Check contents of raw() calls directly
-    if call? exp and exp.method == :raw
+    if raw? exp
       arg = process exp.first_arg
     else
       arg = process exp
@@ -154,7 +156,45 @@ class Brakeman::CheckContentTag < Brakeman::CheckCrossSiteScripting
     exp
   end
 
+  def check_cve_2016_6316
+    if cve_2016_6316?
+      confidence = if @content_tags.any?
+                     CONFIDENCE[:high]
+                   else
+                     CONFIDENCE[:med]
+                   end
+
+      fix_version = case
+                    when version_between?("3.0.0", "3.2.22.3")
+                      "3.2.22.4"
+                    when version_between?("4.0.0", "4.2.7.0")
+                      "4.2.7.1"
+                    when version_between?("5.0.0", "5.0.0")
+                      "5.0.0"
+                    when (version.nil? and tracker.options[:rails3])
+                      "3.2.22.4"
+                    when (version.nil? and tracker.options[:rails4])
+                      "4.2.7.2"
+                    else
+                      return
+                    end
+
+      warn :warning_type => "Cross Site Scripting",
+        :warning_code => :CVE_2016_6316,
+        :message => "Rails #{rails_version} content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to #{fix_version}",
+        :confidence => confidence,
+        :gem_info => gemfile_or_environment,
+        :link_path => "https://groups.google.com/d/msg/ruby-security-ann/8B2iV2tPRSE/JkjCJkSoCgAJ"
+    end
+  end
+
   def raw? exp
     call? exp and exp.method == :raw
   end
+
+  def cve_2016_6316?
+    version_between? "3.0.0", "3.2.22.3" or
+    version_between? "4.0.0", "4.2.7.0" or
+    version_between? "5.0.0", "5.0.0.0"
+  end
 end

data/lib/brakeman/checks/check_forgery_setting.rb

@@ -14,61 +14,54 @@ class Brakeman::CheckForgerySetting < Brakeman::BaseCheck
     return unless app_controller and app_controller.ancestor? :"ActionController::Base"
 
     if tracker.config.allow_forgery_protection?
-      warn :controller => :ApplicationController,
-        :warning_type => "Cross-Site Request Forgery",
-        :warning_code => :csrf_protection_disabled,
-        :message => "Forgery protection is disabled",
-        :confidence => CONFIDENCE[:high],
-        :file => app_controller.file
+      csrf_warning :warning_code => :csrf_protection_disabled,
+        :message => "Forgery protection is disabled"
 
     elsif app_controller and not app_controller.protect_from_forgery?
-
-      warn :controller => :ApplicationController,
-        :warning_type => "Cross-Site Request Forgery",
-        :warning_code => :csrf_protection_missing,
+      csrf_warning :warning_code => :csrf_protection_missing,
         :message => "'protect_from_forgery' should be called in ApplicationController",
-        :confidence => CONFIDENCE[:high],
-        :file => app_controller.file,
         :line => app_controller.top_line
 
     elsif version_between? "2.1.0", "2.3.10"
-
-      warn :controller => :ApplicationController,
-        :warning_type => "Cross-Site Request Forgery",
-        :warning_code => :CVE_2011_0447,
-        :message => "CSRF protection is flawed in unpatched versions of Rails #{rails_version} (CVE-2011-0447). Upgrade to 2.3.11 or apply patches as needed",
-        :confidence => CONFIDENCE[:high],
-        :gem_info => gemfile_or_environment,
-        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion"
+      cve_2011_0447 "2.3.11"
 
     elsif version_between? "3.0.0", "3.0.3"
+      cve_2011_0447 "3.0.4"
 
-      warn :controller => :ApplicationController,
-        :warning_type => "Cross-Site Request Forgery",
-        :warning_code => :CVE_2011_0447,
-        :message => "CSRF protection is flawed in unpatched versions of Rails #{rails_version} (CVE-2011-0447). Upgrade to 3.0.4 or apply patches as needed",
-        :confidence => CONFIDENCE[:high],
-        :gem_info => gemfile_or_environment,
-        :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion"
     elsif version_between? "4.0.0", "100.0.0" and forgery_opts = app_controller.options[:protect_from_forgery]
-
       unless forgery_opts.is_a?(Array) and sexp?(forgery_opts.first) and
           access_arg = hash_access(forgery_opts.first.first_arg, :with) and symbol? access_arg and
           access_arg.value == :exception
 
         args = {
-          :controller => :ApplicationController,
-          :warning_type => "Cross-Site Request Forgery",
           :warning_code => :csrf_not_protected_by_raising_exception,
           :message => "protect_from_forgery should be configured with 'with: :exception'",
-          :confidence => CONFIDENCE[:med],
-          :file => app_controller.file
+          :confidence => CONFIDENCE[:med]
         }
 
         args.merge!(:code => forgery_opts.first) if forgery_opts.is_a?(Array)
 
-        warn args
+        csrf_warning args
       end
     end
   end
+
+  def csrf_warning opts
+    opts = {
+      :controller => :ApplicationController,
+      :warning_type => "Cross-Site Request Forgery",
+      :confidence => CONFIDENCE[:high],
+      :file => tracker.controllers[:ApplicationController].file
+    }.merge opts
+
+    warn opts
+  end
+
+  def cve_2011_0447 new_version
+    csrf_warning :warning_code => :CVE_2011_0447,
+      :message => "CSRF protection is flawed in unpatched versions of Rails #{rails_version} (CVE-2011-0447). Upgrade to #{new_version} or apply patches as needed",
+      :gem_info => gemfile_or_environment,
+      :file => nil,
+      :link_path => "https://groups.google.com/d/topic/rubyonrails-security/LZWjzCPgNmU/discussion"
+  end
 end

data/lib/brakeman/checks/check_sql_cves.rb

@@ -37,6 +37,11 @@ class Brakeman::CheckSQLCVEs < Brakeman::BaseCheck
         :versions => [%w[2.0.0 2.3.15 2.3.16], %w[3.0.0 3.0.18 3.0.19], %w[3.1.0 3.1.9 3.1.10], %w[3.2.0 3.2.10 3.2.11]],
         :url => "https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"
       },
+      {
+        :cve => "CVE-2016-6317",
+        :versions => [%w[4.2.0 4.2.7.0 4.2.7.1]],
+        :url => "https://groups.google.com/d/msg/ruby-security-ann/WccgKSKiPZA/9DrsDVSoCgAJ"
+      },
 
     ]
 

data/lib/brakeman/checks/check_symbol_dos.rb

@@ -8,7 +8,7 @@ class Brakeman::CheckSymbolDoS < Brakeman::BaseCheck
   @description = "Checks for symbol denial of service"
 
   def run_check
-    return if rails_version and rails_version > "5.0.0"
+    return if rails_version and rails_version >= "5.0.0"
 
     tracker.find_call(:methods => UNSAFE_METHODS, :nested => true).each do |result|
       check_unsafe_symbol_creation(result)

data/lib/brakeman/processors/alias_processor.rb

@@ -522,18 +522,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
       exp.rhs = process exp.rhs
     end
 
-    file = case
-           when @file_name
-             @file_name
-           when @current_class.is_a?(Brakeman::Collection)
-             @current_class.file
-           when @current_module.is_a?(Brakeman::Collection)
-             @current_module.file
-           else
-             nil
-           end
-
-    @tracker.add_constant exp.lhs, exp.rhs, :file => file if @tracker
+    @tracker.add_constant exp.lhs, exp.rhs, :file => current_file_name if @tracker
 
     if exp.lhs.is_a? Symbol
       match = Sexp.new(:const, exp.lhs)

data/lib/brakeman/processors/base_processor.rb

@@ -183,18 +183,7 @@ class Brakeman::BaseProcessor < Brakeman::SexpProcessor
   end
 
   def process_cdecl exp
-    file = case
-           when @file_name
-             @file_name
-           when @current_class.is_a?(Brakeman::Collection)
-             @current_class.file
-           when @current_module.is_a?(Brakeman::Collection)
-             @current_module.file
-           else
-             nil
-           end
-
-    @tracker.add_constant exp.lhs, exp.rhs, :file => file if @tracker
+    @tracker.add_constant exp.lhs, exp.rhs, :file => current_file_name if @tracker
     exp
   end
 

data/lib/brakeman/processors/lib/processor_helper.rb

@@ -72,4 +72,17 @@ module Brakeman::ProcessorHelper
       false
     end
   end
+
+  def current_file_name
+    case
+    when @file_name
+      @file_name
+    when @current_class.is_a?(Brakeman::Collection)
+      @current_class.file
+    when @current_module.is_a?(Brakeman::Collection)
+      @current_module.file
+    else
+      nil
+    end
+  end
 end

data/lib/brakeman/processors/library_processor.rb

@@ -42,19 +42,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
     exp
   end
 
-  def process_defs exp
-    exp = @alias_processor.process exp
-
-    if @current_class
-      exp.body = process_all! exp.body
-      @current_class.add_method :public, exp.method_name, exp, @file_name
-    elsif @current_module
-      exp.body = process_all! exp.body
-      @current_module.add_method :public, exp.method_name, exp, @file_name
-    end
-
-    exp
-  end
+  alias process_defs process_defn
 
   def process_call exp
     if process_call_defn? exp

data/lib/brakeman/processors/output_processor.rb

@@ -86,55 +86,23 @@ class Brakeman::OutputProcessor < Ruby2Ruby
   end
 
   def process_output exp
-    out = if exp[0].node_type == :str
-            ""
-          else
-            res = process exp[0]
-
-            if res == ""
-              ""
-            else
-              "[Output] #{res}"
-            end
-          end
-    exp.clear
-    out
+    output_format exp, "Output"
   end
 
   def process_escaped_output exp
-    out = if exp[0].node_type == :str
-            ""
-          else
-            res = process exp[0]
-
-            if res == ""
-              ""
-            else
-              "[Escaped Output] #{res}"
-            end
-          end
-    exp.clear
-    out
+    output_format exp, "Escaped Output"
   end
 
 
   def process_format exp
-    out = if exp[0].node_type == :str or exp[0].node_type == :ignore
-            ""
-          else
-            res = process exp[0]
-
-            if res == ""
-              ""
-            else
-              "[Format] #{res}"
-            end
-          end
-    exp.clear
-    out
+    output_format exp, "Format"
   end
 
   def process_format_escaped exp
+    output_format exp, "Escaped"
+  end
+
+  def output_format exp, tag
     out = if exp[0].node_type == :str or exp[0].node_type == :ignore
             ""
           else
@@ -143,7 +111,7 @@ class Brakeman::OutputProcessor < Ruby2Ruby
             if res == ""
               ""
             else
-              "[Escaped] #{res}"
+              "[#{tag}] #{res}"
             end
           end
     exp.clear

data/lib/brakeman/report/report_markdown.rb

@@ -1,6 +1,6 @@
-Brakeman.load_brakeman_dependency 'terminal-table'
+require 'brakeman/report/report_table'
 
-class Brakeman::Report::Markdown < Brakeman::Report::Base
+class Brakeman::Report::Markdown < Brakeman::Report::Table
 
   class MarkdownTable < Terminal::Table
 
@@ -21,6 +21,11 @@ class Brakeman::Report::Markdown < Brakeman::Report::Base
 
   end
 
+  def initialize *args
+    super
+    @table = MarkdownTable
+  end
+
   def generate_report
     out = "# BRAKEMAN REPORT\n\n" <<
     generate_metadata.to_s << "\n\n" <<
@@ -42,22 +47,19 @@ class Brakeman::Report::Markdown < Brakeman::Report::Base
       generate_templates.to_s << "\n\n"
     end
 
-    res = generate_errors
-    out << "### Errors\n\n" << res.to_s << "\n\n" if res
-
-    res = generate_warnings
-    out << "### SECURITY WARNINGS\n\n" << res.to_s << "\n\n" if res
+    output_table("Errors", generate_errors, out)
+    output_table("SECURITY WARNINGS", generate_warnings, out)
+    output_table("Controller Warnings:", generate_controller_warnings, out)
+    output_table("Model Warnings:", generate_model_warnings, out)
+    output_table("View Warnings:", generate_template_warnings, out)
 
-    res = generate_controller_warnings
-    out << "### Controller Warnings:\n\n" << res.to_s << "\n\n" if res
-
-    res = generate_model_warnings
-    out << "### Model Warnings:\n\n" << res.to_s << "\n\n" if res
+    out
+  end
 
-    res = generate_template_warnings
-    out << "### View Warnings:\n\n" << res.to_s << "\n\n" if res
+  def output_table title, result, output
+    return unless result
 
-    out
+    output << "### #{title}\n\n#{result.to_s}\n\n"
   end
 
   def generate_metadata
@@ -81,57 +83,6 @@ class Brakeman::Report::Markdown < Brakeman::Report::Base
     end
   end
 
-  def generate_overview
-    num_warnings = all_warnings.length
-
-    MarkdownTable.new(:headings => ['Scanned/Reported', 'Total']) do |t|
-      t.add_row ['Controllers', tracker.controllers.length]
-      t.add_row ['Models', tracker.models.length - 1]
-      t.add_row ['Templates', number_of_templates(@tracker)]
-      t.add_row ['Errors', tracker.errors.length]
-      t.add_row ['Security Warnings', "#{num_warnings} (#{warnings_summary[:high_confidence]})"]
-      t.add_row ['Ignored Warnings', ignored_warnings.length] unless ignored_warnings.empty?
-    end
-  end
-
-  #Generate listings of templates and their output
-  def generate_templates
-    out_processor = Brakeman::OutputProcessor.new
-    template_rows = {}
-    tracker.templates.each do |name, template|
-      template.each_output do |out|
-        out = out_processor.format out
-        template_rows[name] ||= []
-        template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
-      end
-    end
-
-    template_rows = template_rows.sort_by{|name, value| name.to_s}
-
-    output = ''
-    template_rows.each do |template|
-      output << template.first.to_s << "\n\n"
-      table = MarkdownTable.new(:headings => ['Output']) do |t|
-        # template[1] is an array of calls
-        template[1].each do |v|
-          t.add_row [v]
-        end
-      end
-
-      output << table.to_s << "\n\n"
-    end
-
-    output
-  end
-
-  def render_array template, headings, value_array, locals
-    return if value_array.empty?
-
-    MarkdownTable.new(:headings => headings) do |t|
-      value_array.each { |value_row| t.add_row value_row }
-    end
-  end
-
   def convert_warning warning, original
     warning["Confidence"] = TEXT_CONFIDENCE[warning["Confidence"]]
     warning["Message"] = markdown_message original, warning["Message"]

data/lib/brakeman/report/report_table.rb

@@ -1,6 +1,11 @@
 Brakeman.load_brakeman_dependency 'terminal-table'
 
 class Brakeman::Report::Table < Brakeman::Report::Base
+  def initialize *args
+    super
+    @table = Terminal::Table
+  end
+
   def generate_report
     out = text_header <<
     "\n\n+SUMMARY+\n\n" <<
@@ -20,29 +25,26 @@ class Brakeman::Report::Table < Brakeman::Report::Base
       truncate_table(generate_templates.to_s) << "\n"
     end
 
-    res = generate_errors
-    out << "+Errors+\n" << truncate_table(res.to_s) if res
-
-    res = generate_warnings
-    out << "\n\n+SECURITY WARNINGS+\n\n" << truncate_table(res.to_s) if res
-
-    res = generate_controller_warnings
-    out << "\n\n\nController Warnings:\n\n" << truncate_table(res.to_s) if res
-
-    res = generate_model_warnings
-    out << "\n\n\nModel Warnings:\n\n" << truncate_table(res.to_s) if res
-
-    res = generate_template_warnings
-    out << "\n\nView Warnings:\n\n" << truncate_table(res.to_s) if res
+    output_table("+Errors+", generate_errors, out)
+    output_table("+SECURITY WARNINGS+", generate_warnings, out)
+    output_table("Controller Warnings:", generate_controller_warnings, out)
+    output_table("Model Warnings:", generate_model_warnings, out)
+    output_table("View Warnings:", generate_template_warnings, out)
 
     out << "\n"
     out
   end
 
+  def output_table title, result, output
+    return unless result
+
+    output << "\n\n#{title}\n\n#{truncate_table(result.to_s)}"
+  end
+
   def generate_overview
     num_warnings = all_warnings.length
 
-    Terminal::Table.new(:headings => ['Scanned/Reported', 'Total']) do |t|
+    @table.new(:headings => ['Scanned/Reported', 'Total']) do |t|
       t.add_row ['Controllers', tracker.controllers.length]
       t.add_row ['Models', tracker.models.length - 1]
       t.add_row ['Templates', number_of_templates(@tracker)]
@@ -52,40 +54,10 @@ class Brakeman::Report::Table < Brakeman::Report::Base
     end
   end
 
-  #Generate listings of templates and their output
-  def generate_templates
-    out_processor = Brakeman::OutputProcessor.new
-    template_rows = {}
-    tracker.templates.each do |name, template|
-      template.each_output do |out|
-        out = out_processor.format out
-        template_rows[name] ||= []
-        template_rows[name] << out.gsub("\n", ";").gsub(/\s+/, " ")
-      end
-    end
-
-    template_rows = template_rows.sort_by{|name, value| name.to_s}
-
-    output = ''
-    template_rows.each do |template|
-      output << template.first.to_s << "\n\n"
-      table = Terminal::Table.new(:headings => ['Output']) do |t|
-        # template[1] is an array of calls
-        template[1].each do |v|
-          t.add_row [v]
-        end
-      end
-
-      output << table.to_s << "\n\n"
-    end
-
-    output
-  end
-
   def render_array template, headings, value_array, locals
     return if value_array.empty?
 
-    Terminal::Table.new(:headings => headings) do |t|
+    @table.new(:headings => headings) do |t|
       value_array.each { |value_row| t.add_row value_row }
     end
   end

data/lib/brakeman/tracker/controller.rb

@@ -60,12 +60,7 @@ module Brakeman
       end
 
       @skip_filter_cache.each do |f|
-        if f[:all] or
-          (f[:only] == method) or
-          (f[:only].is_a? Array and f[:only].include? method) or
-          (f[:except].is_a? Symbol and f[:except] != method) or
-          (f[:except].is_a? Array and not f[:except].include? method)
-
+        if filter_includes_method? f, method
           filters.concat f[:methods]
         else
         end
@@ -74,6 +69,7 @@ module Brakeman
       filters
     end
 
+
     def remove_skipped_filters processor, filters, method
       controller = self
 
@@ -99,17 +95,11 @@ module Brakeman
       end
 
       @before_filter_cache.each do |f|
-        if f[:all] or
-          (f[:only] == method) or
-          (f[:only].is_a? Array and f[:only].include? method) or
-          (f[:except].is_a? Symbol and f[:except] != method) or
-          (f[:except].is_a? Array and not f[:except].include? method)
-
+        if filter_includes_method? f, method
           filters.concat f[:methods]
         end
       end
 
-
       filters
     end
 
@@ -147,6 +137,16 @@ module Brakeman
 
       filter
     end
+
+    private
+
+    def filter_includes_method? filter_rule, method_name
+       filter_rule[:all] or
+       (filter_rule[:only] == method_name) or
+       (filter_rule[:only].is_a? Array and filter_rule[:only].include? method_name) or
+       (filter_rule[:except].is_a? Symbol and filter_rule[:except] != method_name) or
+       (filter_rule[:except].is_a? Array and not filter_rule[:except].include? method_name)
+    end
   end
 
   class Controller < Brakeman::Collection

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "3.3.3"
+  Version = "3.3.4"
 end

data/lib/brakeman/warning_codes.rb

@@ -103,6 +103,8 @@ module Brakeman::WarningCodes
     :dynamic_render_path_rce => 99,
     :CVE_2015_7581 => 100,
     :secret_in_source => 101,
+    :CVE_2016_6316 => 102,
+    :CVE_2016_6317 => 103,
   }
 
   def self.code name

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 3.3.3
+  version: 3.3.4
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2016-07-21 00:00:00.000000000 Z
+date: 2016-08-12 00:00:00.000000000 Z
 dependencies: []
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis.