railroader 4.3.5 → 4.3.7

data/lib/railroader/checks/check_escape_function.rb

@@ -1,14 +1,14 @@
 require 'railroader/checks/base_check'
 
-#Check for versions with vulnerable html escape method
-#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
+# Check for versions with vulnerable html escape method
+# http://groups.google.com/group/rubyonrails-security/browse_thread/thread/56bffb5923ab1195
 class Railroader::CheckEscapeFunction < Railroader::BaseCheck
   Railroader::Checks.add self
 
   @description = "Checks for versions before 2.3.14 which have a vulnerable escape method"
 
   def run_check
-    if version_between?('2.0.0', '2.3.13') and RUBY_VERSION < '1.9.0' 
+    if version_between?('2.0.0', '2.3.13') and RUBY_VERSION < '1.9.0'
 
       warn :warning_type => 'Cross-Site Scripting',
         :warning_code => :CVE_2011_2932,

data/lib/railroader/checks/check_evaluation.rb

@@ -1,13 +1,13 @@
 require 'railroader/checks/base_check'
 
-#This check looks for calls to +eval+, +instance_eval+, etc. which include
-#user input.
+# This check looks for calls to +eval+, +instance_eval+, etc. which include
+# user input.
 class Railroader::CheckEvaluation < Railroader::BaseCheck
   Railroader::Checks.add self
 
   @description = "Searches for evaluation of user input"
 
-  #Process calls
+  # Process calls
   def run_check
     Railroader.debug "Finding eval-like calls"
     calls = tracker.find_call :method => [:eval, :instance_eval, :class_eval, :module_eval]
@@ -18,7 +18,7 @@ class Railroader::CheckEvaluation < Railroader::BaseCheck
     end
   end
 
-  #Warns if eval includes user input
+  # Warns if eval includes user input
   def process_result result
     return unless original? result
 

data/lib/railroader/checks/check_execute.rb

@@ -1,9 +1,9 @@
 require 'railroader/checks/base_check'
 
-#Checks for string interpolation and parameters in calls to
-#Kernel#system, Kernel#exec, Kernel#syscall, and inside backticks.
+# Checks for string interpolation and parameters in calls to
+# Kernel#system, Kernel#exec, Kernel#syscall, and inside backticks.
 #
-#Examples of command injection vulnerabilities:
+# Examples of command injection vulnerabilities:
 #
 # system("rf -rf #{params[:file]}")
 # exec(params[:command])
@@ -22,7 +22,7 @@ class Railroader::CheckExecute < Railroader::BaseCheck
 
   SHELLWORDS = s(:const, :Shellwords)
 
-  #Check models, controllers, and views for command injection.
+  # Check models, controllers, and views for command injection.
   def run_check
     Railroader.debug "Finding system calls using ``"
     check_for_backticks tracker
@@ -41,7 +41,7 @@ class Railroader::CheckExecute < Railroader::BaseCheck
     end
   end
 
-  #Processes results from Tracker#find_call.
+  # Processes results from Tracker#find_call.
   def process_result result
     call = result[:call]
     args = call.arglist
@@ -60,7 +60,7 @@ class Railroader::CheckExecute < Railroader::BaseCheck
 
     if failure and original? result
 
-      if failure.type == :interp #Not from user input
+      if failure.type == :interp # Not from user input
         confidence = :medium
       else
         confidence = :high
@@ -100,7 +100,7 @@ class Railroader::CheckExecute < Railroader::BaseCheck
     end
   end
 
-  #Looks for calls using backticks such as
+  # Looks for calls using backticks such as
   #
   # `rm -rf #{params[:file]}`
   def check_for_backticks tracker
@@ -109,7 +109,7 @@ class Railroader::CheckExecute < Railroader::BaseCheck
     end
   end
 
-  #Processes backticks.
+  # Processes backticks.
   def process_backticks result
     return unless original? result
 

data/lib/railroader/checks/check_file_access.rb

@@ -1,7 +1,7 @@
 require 'railroader/checks/base_check'
 require 'railroader/processors/lib/processor_helper'
 
-#Checks for user input in methods which open or manipulate files
+# Checks for user input in methods which open or manipulate files
 class Railroader::CheckFileAccess < Railroader::BaseCheck
   Railroader::Checks.add self
 
@@ -39,7 +39,7 @@ class Railroader::CheckFileAccess < Railroader::BaseCheck
     elsif tracker.options[:check_arguments] and
       match = include_user_input?(file_name)
 
-      #Check for string building in file name
+      # Check for string building in file name
       if call?(file_name) and (file_name.method == :+ or file_name.method == :<<)
         confidence = :high
       else

data/lib/railroader/checks/check_filter_skipping.rb

@@ -1,7 +1,7 @@
 require 'railroader/checks/base_check'
 
-#Check for filter skipping vulnerability
-#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6
+# Check for filter skipping vulnerability
+# http://groups.google.com/group/rubyonrails-security/browse_thread/thread/3420ac71aed312d6
 class Railroader::CheckFilterSkipping < Railroader::BaseCheck
   Railroader::Checks.add self
 

data/lib/railroader/checks/check_forgery_setting.rb

@@ -1,9 +1,9 @@
 require 'railroader/checks/base_check'
 
-#Checks that +protect_from_forgery+ is set in the ApplicationController.
+# Checks that +protect_from_forgery+ is set in the ApplicationController.
 #
-#Also warns for CSRF weakness in certain versions of Rails:
-#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
+# Also warns for CSRF weakness in certain versions of Rails:
+# http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
 class Railroader::CheckForgerySetting < Railroader::BaseCheck
   Railroader::Checks.add self
 

data/lib/railroader/checks/check_jruby_xml.rb

@@ -19,7 +19,7 @@ class Railroader::CheckJRubyXML < Railroader::BaseCheck
         return
       end
 
-    #Check for workaround
+    # Check for workaround
     tracker.check_initializers(:"ActiveSupport::XmlMini", :backend=).each do |result|
       arg = result.call.first_arg
 

data/lib/railroader/checks/check_json_parsing.rb

@@ -36,12 +36,12 @@ class Railroader::CheckJSONParsing < Railroader::BaseCheck
     end
   end
 
-  #Check if `yajl` is included in Gemfile
+  # Check if `yajl` is included in Gemfile
   def uses_yajl?
     tracker.config.has_gem? :yajl
   end
 
-  #Check for `ActiveSupport::JSON.backend = "JSONGem"`
+  # Check for `ActiveSupport::JSON.backend = "JSONGem"`
   def uses_gem_backend?
     matches = tracker.check_initializers(:'ActiveSupport::JSON', :backend=)
 

data/lib/railroader/checks/check_link_to.rb

@@ -1,9 +1,9 @@
 require 'railroader/checks/check_cross_site_scripting'
 
-#Checks for calls to link_to in versions of Ruby where link_to did not
-#escape the first argument.
+# Checks for calls to link_to in versions of Ruby where link_to did not
+# escape the first argument.
 #
-#See https://rails.lighthouseapp.com/projects/8994/tickets/3518-link_to-doesnt-escape-its-input
+# See https://rails.lighthouseapp.com/projects/8994/tickets/3518-link_to-doesnt-escape-its-input
 class Railroader::CheckLinkTo < Railroader::CheckCrossSiteScripting
   Railroader::Checks.add self
 
@@ -21,7 +21,7 @@ class Railroader::CheckLinkTo < Railroader::CheckCrossSiteScripting
                            :will_paginate].merge tracker.options[:safe_methods]
 
     @known_dangerous = []
-    #Ideally, I think this should also check to see if people are setting
+    # Ideally, I think this should also check to see if people are setting
     #:escape => false
     @models = tracker.models.keys
     @inspect_arguments = tracker.options[:check_arguments]
@@ -32,8 +32,8 @@ class Railroader::CheckLinkTo < Railroader::CheckCrossSiteScripting
   def process_result result
     return if duplicate? result
 
-    #Have to make a copy of this, otherwise it will be changed to
-    #an ignored method call by the code above.
+    # Have to make a copy of this, otherwise it will be changed to
+    # an ignored method call by the code above.
     call = result[:call] = result[:call].dup
 
     first_arg = call.first_arg
@@ -41,7 +41,7 @@ class Railroader::CheckLinkTo < Railroader::CheckCrossSiteScripting
 
     @matched = false
 
-    #Skip if no arguments(?) or first argument is a hash
+    # Skip if no arguments(?) or first argument is a hash
     return if first_arg.nil? or hash? first_arg
 
     if version_between? "2.0.0", "2.2.99"
@@ -51,8 +51,8 @@ class Railroader::CheckLinkTo < Railroader::CheckCrossSiteScripting
         check_argument result, second_arg
       end
     elsif second_arg
-      #Only check first argument if there is a second argument
-      #in Rails 2.3.x
+      # Only check first argument if there is a second argument
+      # in Rails 2.3.x
       check_argument result, first_arg
     end
   end
@@ -122,9 +122,9 @@ class Railroader::CheckLinkTo < Railroader::CheckCrossSiteScripting
     target = exp.target
     target = process target.dup if sexp? target
 
-    #Bare records create links to the model resource,
-    #not a string that could have injection
-    #TODO: Needs test? I think this is broken?
+    # Bare records create links to the model resource,
+    # not a string that could have injection
+    # TODO: Needs test? I think this is broken?
     return exp if model_name? target and context == [:call, :arglist]
 
     super

data/lib/railroader/checks/check_link_to_href.rb

@@ -1,11 +1,11 @@
 require 'railroader/checks/check_cross_site_scripting'
 
-#Checks for calls to link_to which pass in potentially hazardous data
-#to the second argument.  While this argument must be html_safe to not break
-#the html, it must also be url safe as determined by calling a
+# Checks for calls to link_to which pass in potentially hazardous data
+# to the second argument.  While this argument must be html_safe to not break
+# the html, it must also be url safe as determined by calling a
 #:url_safe_method.  This prevents attacks such as javascript:evil() or
-#data:<encoded XSS> which is html_safe, but not safe as an href
-#Props to Nick Green for the idea.
+# data:<encoded XSS> which is html_safe, but not safe as an href
+# Props to Nick Green for the idea.
 class Railroader::CheckLinkToHref < Railroader::CheckLinkTo
   Railroader::Checks.add self
 
@@ -30,8 +30,8 @@ class Railroader::CheckLinkToHref < Railroader::CheckLinkTo
   end
 
   def process_result result
-    #Have to make a copy of this, otherwise it will be changed to
-    #an ignored method call by the code above.
+    # Have to make a copy of this, otherwise it will be changed to
+    # an ignored method call by the code above.
     call = result[:call] = result[:call].dup
     @matched = false
     url_arg = process call.second_arg
@@ -98,8 +98,8 @@ class Railroader::CheckLinkToHref < Railroader::CheckLinkTo
       ignore_interpolation? url_arg, exp
   end
 
-  #Ignore situations where the href is an interpolated string
-  #with something before the user input
+  # Ignore situations where the href is an interpolated string
+  # with something before the user input
   def ignore_interpolation? arg, suspect
     return unless string_interp? arg
     return true unless arg[1].chomp.empty? # plain string before interpolation

data/lib/railroader/checks/check_mail_to.rb

@@ -1,9 +1,9 @@
 require 'railroader/checks/base_check'
 
-#Check for cross-site scripting vulnerability in mail_to :encode => :javascript
-#with certain versions of Rails (< 2.3.11 or < 3.0.4).
+# Check for cross-site scripting vulnerability in mail_to :encode => :javascript
+# with certain versions of Rails (< 2.3.11 or < 3.0.4).
 #
-#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
+# http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
 class Railroader::CheckMailTo < Railroader::BaseCheck
   Railroader::Checks.add self
 
@@ -29,7 +29,7 @@ class Railroader::CheckMailTo < Railroader::BaseCheck
     end
   end
 
-  #Check for javascript encoding of mail_to address
+  # Check for javascript encoding of mail_to address
   #    mail_to email, name, :encode => :javascript
   def mail_to_javascript?
     Railroader.debug "Checking calls to mail_to for javascript encoding"

data/lib/railroader/checks/check_mass_assignment.rb

@@ -1,9 +1,9 @@
 require 'railroader/checks/base_check'
 require 'set'
 
-#Checks for mass assignments to models.
+# Checks for mass assignments to models.
 #
-#See http://guides.rubyonrails.org/security.html#mass-assignment for details
+# See http://guides.rubyonrails.org/security.html#mass-assignment for details
 class Railroader::CheckMassAssignment < Railroader::BaseCheck
   Railroader::Checks.add self
 
@@ -59,7 +59,7 @@ class Railroader::CheckMassAssignment < Railroader::BaseCheck
     end
   end
 
-  #All results should be Model.new(...) or Model.attributes=() calls
+  # All results should be Model.new(...) or Model.attributes=() calls
   def process_result res
     call = res[:call]
 
@@ -106,7 +106,7 @@ class Railroader::CheckMassAssignment < Railroader::BaseCheck
     res
   end
 
-  #Want to ignore calls to Model.new that have no arguments
+  # Want to ignore calls to Model.new that have no arguments
   def check_call call
     process_call_args call
 
@@ -116,7 +116,7 @@ class Railroader::CheckMassAssignment < Railroader::BaseCheck
       arg = call.first_arg
     end
 
-    if arg.nil? #empty new()
+    if arg.nil? # empty new()
       false
     elsif hash? arg and not include_user_input? arg
       false

data/lib/railroader/checks/check_model_attributes.rb

@@ -1,10 +1,10 @@
 require 'railroader/checks/base_check'
 
-#Check if mass assignment is used with models
-#which inherit from ActiveRecord::Base.
+# Check if mass assignment is used with models
+# which inherit from ActiveRecord::Base.
 #
-#If tracker.options[:collapse_mass_assignment] is +true+ (default), all models
-#which do not use attr_accessible will be reported in a single warning
+# If tracker.options[:collapse_mass_assignment] is +true+ (default), all models
+# which do not use attr_accessible will be reported in a single warning
 class Railroader::CheckModelAttributes < Railroader::BaseCheck
   Railroader::Checks.add self
 
@@ -13,7 +13,7 @@ class Railroader::CheckModelAttributes < Railroader::BaseCheck
   def run_check
     return if mass_assign_disabled?
 
-    #Roll warnings into one warning for all models
+    # Roll warnings into one warning for all models
     if tracker.options[:collapse_mass_assignment]
       no_accessible_names = []
       protected_names = []
@@ -50,7 +50,7 @@ class Railroader::CheckModelAttributes < Railroader::BaseCheck
           :confidence => confidence,
           :link => link
       end
-    else #Output one warning per model
+    else # Output one warning per model
 
       check_models do |name, model|
         if model.attr_protected.nil?

data/lib/railroader/checks/check_model_serialize.rb

@@ -22,8 +22,8 @@ class Railroader::CheckModelSerialize < Railroader::BaseCheck
     end
   end
 
-  #High confidence warning on serialized, unprotected attributes.
-  #Medium confidence warning for serialized, protected attributes.
+  # High confidence warning on serialized, unprotected attributes.
+  # Medium confidence warning for serialized, protected attributes.
   def check_for_serialize model
     if serialized_attrs = model.options[:serialize]
       attrs = Set.new

data/lib/railroader/checks/check_nested_attributes.rb

@@ -1,7 +1,7 @@
 require 'railroader/checks/base_check'
 
-#Check for vulnerability in nested attributes in Rails 2.3.9 and 3.0.0
-#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f9f913d328dafe0c
+# Check for vulnerability in nested attributes in Rails 2.3.9 and 3.0.0
+# http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f9f913d328dafe0c
 class Railroader::CheckNestedAttributes < Railroader::BaseCheck
   Railroader::Checks.add self
 

data/lib/railroader/checks/check_nested_attributes_bypass.rb

@@ -1,6 +1,6 @@
 require 'railroader/checks/base_check'
 
-#https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ
+# https://groups.google.com/d/msg/rubyonrails-security/cawsWcQ6c8g/tegZtYdbFQAJ
 class Railroader::CheckNestedAttributesBypass < Railroader::BaseCheck
   Railroader::Checks.add self
 

data/lib/railroader/checks/check_quote_table_name.rb

@@ -1,14 +1,14 @@
 require 'railroader/checks/base_check'
 
-#Check for uses of quote_table_name in Rails versions before 2.3.13 and 3.0.10
-#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
+# Check for uses of quote_table_name in Rails versions before 2.3.13 and 3.0.10
+# http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6a1e473744bc389b
 class Railroader::CheckQuoteTableName < Railroader::BaseCheck
   Railroader::Checks.add self
 
   @description = "Checks for quote_table_name vulnerability in versions before 2.3.14 and 3.0.10"
 
   def run_check
-    if (version_between?('2.0.0', '2.3.13') or 
+    if (version_between?('2.0.0', '2.3.13') or
         version_between?('3.0.0', '3.0.9'))
 
       if uses_quote_table_name?

data/lib/railroader/checks/check_redirect.rb

@@ -1,8 +1,8 @@
 require 'railroader/checks/base_check'
 
-#Reports any calls to +redirect_to+ which include parameters in the arguments.
+# Reports any calls to +redirect_to+ which include parameters in the arguments.
 #
-#For example:
+# For example:
 #
 # redirect_to params.merge(:action => :elsewhere)
 class Railroader::CheckRedirect < Railroader::BaseCheck
@@ -59,10 +59,10 @@ class Railroader::CheckRedirect < Railroader::BaseCheck
     end
   end
 
-  #Custom check for user input. First looks to see if the user input
-  #is being output directly. This is necessary because of tracker.options[:check_arguments]
-  #which can be used to enable/disable reporting output of method calls which use
-  #user input as arguments.
+  # Custom check for user input. First looks to see if the user input
+  # is being output directly. This is necessary because of tracker.options[:check_arguments]
+  # which can be used to enable/disable reporting output of method calls which use
+  # user input as arguments.
   def include_user_input? call, immediate = :immediate
     Railroader.debug "Checking if call includes user input"
 
@@ -89,7 +89,7 @@ class Railroader::CheckRedirect < Railroader::BaseCheck
         return Match.new(immediate, arg.target)
       elsif arg.method == :url_for and include_user_input? arg
         return Match.new(immediate, arg)
-        #Ignore helpers like some_model_url?
+        # Ignore helpers like some_model_url?
       elsif arg.method.to_s =~ /_(url|path)\z/
         return false
       end
@@ -98,14 +98,14 @@ class Railroader::CheckRedirect < Railroader::BaseCheck
     end
 
     if tracker.options[:check_arguments] and call? arg
-      include_user_input? arg, false  #I'm doubting if this is really necessary...
+      include_user_input? arg, false  # I'm doubting if this is really necessary...
     else
       false
     end
   end
 
-  #Checks +redirect_to+ arguments for +only_path => true+ which essentially
-  #nullifies the danger posed by redirecting with user input
+  # Checks +redirect_to+ arguments for +only_path => true+ which essentially
+  # nullifies the danger posed by redirecting with user input
   def only_path? call
     arg = call.first_arg
 
@@ -164,7 +164,7 @@ class Railroader::CheckRedirect < Railroader::BaseCheck
   end
 
   #+url_for+ is only_path => true by default. This checks to see if it is
-  #set to false for some reason.
+  # set to false for some reason.
   def check_url_for call
     arg = call.first_arg
 
@@ -177,7 +177,7 @@ class Railroader::CheckRedirect < Railroader::BaseCheck
     true
   end
 
-  #Returns true if exp is (probably) a model instance
+  # Returns true if exp is (probably) a model instance
   def model_instance? exp
     if node_type? exp, :or
       model_instance? exp.lhs or model_instance? exp.rhs
@@ -198,14 +198,14 @@ class Railroader::CheckRedirect < Railroader::BaseCheck
     model_target? exp.target
   end
 
-  #Returns true if exp is (probably) a friendly model instance
-  #using the FriendlyId gem
+  # Returns true if exp is (probably) a friendly model instance
+  # using the FriendlyId gem
   def friendly_model? exp
     call? exp and model_name? exp.target and exp.method == :friendly
   end
-  
-  #Returns true if exp is (probably) a decorated model instance
-  #using the Draper gem
+
+  # Returns true if exp is (probably) a decorated model instance
+  # using the Draper gem
   def decorated_model? exp
     if node_type? exp, :or
       decorated_model? exp.lhs or decorated_model? exp.rhs
@@ -218,7 +218,7 @@ class Railroader::CheckRedirect < Railroader::BaseCheck
     end
   end
 
-  #Check if method is actually an association in a Model
+  # Check if method is actually an association in a Model
   def association? model_name, meth
     if call? model_name
       return association? model_name.target, meth
@@ -244,7 +244,7 @@ class Railroader::CheckRedirect < Railroader::BaseCheck
     if call? exp and params? exp.target and exp.method == :permit
       exp.each_arg do |opt|
         if symbol? opt and DANGEROUS_KEYS.include? opt.value
-          return false 
+          return false
         end
       end
 

data/lib/railroader/checks/check_regex_dos.rb

@@ -1,6 +1,6 @@
 require 'railroader/checks/base_check'
 
-#This check looks for regexes that include user input.
+# This check looks for regexes that include user input.
 class Railroader::CheckRegexDoS < Railroader::BaseCheck
   Railroader::Checks.add self
 
@@ -13,7 +13,7 @@ class Railroader::CheckRegexDoS < Railroader::BaseCheck
 
   @description = "Searches regexes including user input"
 
-  #Process calls
+  # Process calls
   def run_check
     Railroader.debug "Finding dynamic regexes"
     calls = tracker.find_call :method => [:railroader_regex_interp]
@@ -24,7 +24,7 @@ class Railroader::CheckRegexDoS < Railroader::BaseCheck
     end
   end
 
-  #Warns if regex includes user input
+  # Warns if regex includes user input
   def process_result result
     return unless original? result
 

data/lib/railroader/checks/check_render.rb

@@ -1,6 +1,6 @@
 require 'railroader/checks/base_check'
 
-#Check calls to +render()+ for dangerous values
+# Check calls to +render()+ for dangerous values
 class Railroader::CheckRender < Railroader::BaseCheck
   Railroader::Checks.add self
 
@@ -28,7 +28,7 @@ class Railroader::CheckRender < Railroader::BaseCheck
     end
   end
 
-  #Check if path to action or file is determined dynamically
+  # Check if path to action or file is determined dynamically
   def check_for_dynamic_path result
     view = result[:call][2]
 
@@ -46,7 +46,7 @@ class Railroader::CheckRender < Railroader::BaseCheck
         return
       end
 
-      return if input.type == :model #skip models
+      return if input.type == :model # skip models
       return if safe_param? input.match
 
       message = "Render path contains #{friendly_type_of input}"
@@ -94,4 +94,4 @@ class Railroader::CheckRender < Railroader::BaseCheck
       end
     end
   end
-end 
+end

data/lib/railroader/checks/check_response_splitting.rb

@@ -1,7 +1,7 @@
 require 'railroader/checks/base_check'
 
-#Warn about response splitting in Rails versions before 2.3.13
-#http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
+# Warn about response splitting in Rails versions before 2.3.13
+# http://groups.google.com/group/rubyonrails-security/browse_thread/thread/6ffc93bde0298768
 class Railroader::CheckResponseSplitting < Railroader::BaseCheck
   Railroader::Checks.add self
 

data/lib/railroader/checks/check_safe_buffer_manipulation.rb

@@ -1,8 +1,8 @@
 require 'railroader/checks/base_check'
 
-#Check for unsafe manipulation of strings
-#Right now this is just a version check for
-#https://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
+# Check for unsafe manipulation of strings
+# Right now this is just a version check for
+# https://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913?pli=1
 class Railroader::CheckSafeBufferManipulation < Railroader::BaseCheck
   Railroader::Checks.add self
 
@@ -23,7 +23,7 @@ class Railroader::CheckSafeBufferManipulation < Railroader::BaseCheck
     message = "Rails #{rails_version} has a vulnerabilty in SafeBuffer. Upgrade to #{suggested_version} or apply patches."
 
     warn :warning_type => "Cross-Site Scripting",
-      :warning_code => :safe_buffer_vuln, 
+      :warning_code => :safe_buffer_vuln,
       :message => message,
       :confidence => :medium,
       :gem_info => gemfile_or_environment

data/lib/railroader/checks/check_sanitize_methods.rb

@@ -1,7 +1,7 @@
 require 'railroader/checks/base_check'
 
-#sanitize and sanitize_css are vulnerable:
-#CVE-2013-1855 and CVE-2013-1857
+# sanitize and sanitize_css are vulnerable:
+# CVE-2013-1855 and CVE-2013-1857
 class Railroader::CheckSanitizeMethods < Railroader::BaseCheck
   Railroader::Checks.add self
 

data/lib/railroader/checks/check_select_tag.rb

@@ -1,7 +1,7 @@
 require 'railroader/checks/base_check'
 
-#Checks for CVE-2012-3463, unescaped input in :prompt option of select_tag:
-#https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion
+# Checks for CVE-2012-3463, unescaped input in :prompt option of select_tag:
+# https://groups.google.com/d/topic/rubyonrails-security/fV3QUToSMSw/discussion
 class Railroader::CheckSelectTag < Railroader::BaseCheck
   Railroader::Checks.add self
 
@@ -32,11 +32,11 @@ class Railroader::CheckSelectTag < Railroader::BaseCheck
     end
   end
 
-  #Check if select_tag is called with user input in :prompt option
+  # Check if select_tag is called with user input in :prompt option
   def process_result result
     return unless original? result
 
-    #Only concerned if user input is supplied for :prompt option
+    # Only concerned if user input is supplied for :prompt option
     last_arg = result[:call].last_arg
 
     if hash? last_arg