railroader 4.3.5 → 4.3.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 595961d18058b3e0d574388649963b0b80f9d6ae6d933558edf492e09c77438e
-  data.tar.gz: 2524c3b492213897d0bef3fbdaa590580138567f4ad912517da54d98ff0355a1
+  metadata.gz: 7f3e3d1142109902243a69df249c4914e374a904da6b861d89ce89e581a6a1e2
+  data.tar.gz: cea84ff58d67cae53ac7d3e754a8f61115ad6db779078d4e46ef0dffe0f6b5c8
 SHA512:
-  metadata.gz: ae119d036d6ce7295709e082f129583af64e9977adecad63808b6e9125de46585430e9e599f9cb1954d804691da9e9547e96a22bd261f831aa24727ecc6bd26f
-  data.tar.gz: 1ad71dc66d2c178c1bb2adf0c19393e0ca7ec655a1b2a4814af6e5602a081fa22503d1b2441b33ab1b4b666df1317b76a6dbe5bc4b55273651aa40d566df93b4
+  metadata.gz: 22d88d8de4ddb0aae8b402309dd73f495780ed4134f9ba098a1fe8e0c21751b2119103470dd3f4d4a3998438c4faa7858e41c4e2cb6f6cab19814b2472438d51
+  data.tar.gz: bd58f1f7d270a32ea5720b009418d7f49c3179b9c8a4837faa1ba56ae4449b4fe4bbfb0bf6f2c20c650d4b05312302c272489735e80c1e2b080e2796faf87957

data/CHANGES.md

@@ -1,3 +1,19 @@
+# 4.3.7
+
+* We earned a CII Best Practices badge!  Show its badge on the README.
+* Add use of the static analyzer Rubocop, and fix some issues it found.
+* Add information on how to report vulnerabilities in the Railroader
+  application itself.
+* Update `ruby_parser` to version 3.13.1. This improves and fixes handling of
+  some Ruby constructs, but it also means that we now longer support
+  running on Ruby 1.9.  The last branch of Ruby 1.9 (1.9.3)
+  ended all support on 23 Feb 2015, after a one-year warning, per:
+  https://www.ruby-lang.org/en/news/2015/02/23/support-for-ruby-1-9-3-has-ended/
+  Since this is more than 5 years after the final warning, and more than
+  4 years after support ended, we think this is reasonable.
+  If you really need to run something on Ruby 1.9, forcibly select
+  an older version of Railroader such as 4.3.5.
+
 # 4.3.5
 
 * Mass rename to Railroader in docs/

data/README.md

@@ -3,6 +3,7 @@
 [![Build Status](https://travis-ci.org/david-a-wheeler/railroader.svg?branch=master)](https://travis-ci.org/david-a-wheeler/railroader)
 [![Maintainability](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/maintainability)](https://codeclimate.com/github/david-a-wheeler/railroader/maintainability)
 [![Test Coverage](https://api.codeclimate.com/v1/badges/1b08a5c74695cb0d11ec/test_coverage)](https://codeclimate.com/github/david-a-wheeler/railroader/test_coverage)
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/2514/badge)](https://bestpractices.coreinfrastructure.org/projects/2514)
 <!-- [![Gitter](https://badges.gitter.im/david-a-wheeler/railroader.svg)](https://gitter.im/david-a-wheeler/railroader) -->
 
 # Railroader
@@ -100,6 +101,9 @@ To compare results of a scan with a previous scan, use the JSON output option an
 This will output JSON with two lists: one of fixed warnings and one of new warnings.
 
 Railroader will ignore warnings if configured to do so. By default, it looks for a configuration file in `config/railroader.ignore`.
+(To help people transition from Brakeman, if `config/railroader.ignore`
+doesn't exist, but `config/brakeman.ignore` does, then we'' use the
+latter file.)
 To create and manage this file, use:
 
     railroader -I
@@ -163,6 +167,17 @@ For even more continuous testing, try the [Guard plugin](https://github.com/guar
 
 -->
 
+# Contributing
+
+We love contributions!  Please help us!
+
+For more about how to contribute, see [CONTRIBUTING.md](CONTRIBUTING.md).
+
+# Reporting vulnerabilities in Railroader itself
+
+If you find an exploitable vulnerability in Railroader itself,
+see [CONTRIBUTING.md](CONTRIBUTING.md).
+
 # Homepage/News
 
 Website: http://railroader.org/

data/bin/railroader

@@ -1,5 +1,5 @@
 #!/usr/bin/env ruby
-#Adjust path in case called directly and not through gem
+# Adjust path in case called directly and not through gem
 $:.unshift "#{File.expand_path(File.dirname(__FILE__))}/../lib"
 
 require 'railroader'

data/lib/railroader/call_index.rb

@@ -1,9 +1,9 @@
 require 'set'
 
-#Stores call sites to look up later.
+# Stores call sites to look up later.
 class Railroader::CallIndex
 
-  #Initialize index with calls from FindAllCalls
+  # Initialize index with calls from FindAllCalls
   def initialize calls
     @calls_by_method = Hash.new { |h, k| h[k] = [] }
     @calls_by_target = Hash.new { |h, k| h[k] = [] }
@@ -11,9 +11,9 @@ class Railroader::CallIndex
     index_calls calls
   end
 
-  #Find calls matching specified option hash.
+  # Find calls matching specified option hash.
   #
-  #Options:
+  # Options:
   #
   #  * :target - symbol, array of symbols, or regular expression to match target(s)
   #  * :method - symbol, array of symbols, or regular expression to match method(s)
@@ -26,7 +26,7 @@ class Railroader::CallIndex
 
     if options[:chained]
       return find_chain options
-    #Find by narrowest category
+    # Find by narrowest category
     elsif target and method and target.is_a? Array and method.is_a? Array
       if target.length > method.length
         calls = filter_by_target calls_by_methods(method), target
@@ -35,7 +35,7 @@ class Railroader::CallIndex
         calls = filter_by_method calls, method
       end
 
-    #Find by target, then by methods, if provided
+    # Find by target, then by methods, if provided
     elsif target
       calls = calls_by_target target
 
@@ -43,13 +43,13 @@ class Railroader::CallIndex
         calls = filter_by_method calls, method
       end
 
-    #Find calls with no explicit target
-    #with either :target => nil or :target => false
+    # Find calls with no explicit target
+    # with either :target => nil or :target => false
     elsif (options.key? :target or options.key? :targets) and not target and method
       calls = calls_by_method method
       calls = filter_by_target calls, nil
 
-    #Find calls by method
+    # Find calls by method
     elsif method
       calls = calls_by_method method
     else
@@ -58,8 +58,8 @@ class Railroader::CallIndex
 
     return [] if calls.nil?
 
-    #Remove calls that are actually targets of other calls
-    #Unless those are explicitly desired
+    # Remove calls that are actually targets of other calls
+    # Unless those are explicitly desired
     calls = filter_nested calls unless nested
 
     calls

data/lib/railroader/checks/base_check.rb

@@ -3,7 +3,7 @@ require 'railroader/processors/lib/processor_helper'
 require 'railroader/warning'
 require 'railroader/util'
 
-#Basis of vulnerability checks.
+# Basis of vulnerability checks.
 class Railroader::BaseCheck < Railroader::SexpProcessor
   include Railroader::ProcessorHelper
   include Railroader::SafeCallHelper
@@ -24,11 +24,11 @@ class Railroader::BaseCheck < Railroader::SexpProcessor
     end
   end
 
-  #Initialize Check with Checks.
+  # Initialize Check with Checks.
   def initialize(app_tree, tracker)
     super()
     @app_tree = app_tree
-    @results = [] #only to check for duplicates
+    @results = [] # only to check for duplicates
     @warnings = []
     @tracker = tracker
     @string_interp = false
@@ -38,10 +38,10 @@ class Railroader::BaseCheck < Railroader::SexpProcessor
     @mass_assign_disabled = nil
     @has_user_input = nil
     @safe_input_attributes = Set[:to_i, :to_f, :arel_table, :id]
-    @comparison_ops  = Set[:==, :!=, :>, :<, :>=, :<=]
+    @comparison_ops = Set[:==, :!=, :>, :<, :>=, :<=]
   end
 
-  #Add result to result list, which is used to check for duplicates
+  # Add result to result list, which is used to check for duplicates
   def add_result result, location = nil
     location ||= (@current_template && @current_template.name) || @current_class || @current_module || @current_set || result[:location][:class] || result[:location][:template]
     location = location[:name] if location.is_a? Hash
@@ -59,8 +59,8 @@ class Railroader::BaseCheck < Railroader::SexpProcessor
     @results << [line, location, result]
   end
 
-  #Default Sexp processing. Iterates over each value in the Sexp
-  #and processes them if they are also Sexps.
+  # Default Sexp processing. Iterates over each value in the Sexp
+  # and processes them if they are also Sexps.
   def process_default exp
     exp.each do |e|
       process e if sexp? e
@@ -69,7 +69,7 @@ class Railroader::BaseCheck < Railroader::SexpProcessor
     exp
   end
 
-  #Process calls and check if they include user input
+  # Process calls and check if they include user input
   def process_call exp
     unless @comparison_ops.include? exp.method
       process exp.target if sexp? exp.target
@@ -85,7 +85,7 @@ class Railroader::BaseCheck < Railroader::SexpProcessor
         @has_user_input = Match.new(:cookies, exp)
       elsif request_env? target
         @has_user_input = Match.new(:request, exp)
-      elsif sexp? target and model_name? target[1] #TODO: Can this be target.target?
+      elsif sexp? target and model_name? target[1] # TODO: Can this be target.target?
         @has_user_input = Match.new(:model, exp)
       end
     end
@@ -94,7 +94,7 @@ class Railroader::BaseCheck < Railroader::SexpProcessor
   end
 
   def process_if exp
-    #This is to ignore user input in condition
+    # This is to ignore user input in condition
     current_user_input = @has_user_input
     process exp.condition
     @has_user_input = current_user_input
@@ -105,19 +105,19 @@ class Railroader::BaseCheck < Railroader::SexpProcessor
     exp
   end
 
-  #Note that params are included in current expression
+  # Note that params are included in current expression
   def process_params exp
     @has_user_input = Match.new(:params, exp)
     exp
   end
 
-  #Note that cookies are included in current expression
+  # Note that cookies are included in current expression
   def process_cookies exp
     @has_user_input = Match.new(:cookies, exp)
     exp
   end
 
-  #Does not actually process string interpolation, but notes that it occurred.
+  # Does not actually process string interpolation, but notes that it occurred.
   def process_dstr exp
     unless @string_interp # don't overwrite existing value
       @string_interp = Match.new(:interp, exp)
@@ -137,7 +137,7 @@ class Railroader::BaseCheck < Railroader::SexpProcessor
     method[-1] == "?"
   end
 
-  #Report a warning
+  # Report a warning
   def warn options
     extra_opts = { :check => self.class.to_s }
 
@@ -148,12 +148,12 @@ class Railroader::BaseCheck < Railroader::SexpProcessor
     @warnings << warning
   end
 
-  #Run _exp_ through OutputProcessor to get a nice String.
+  # Run _exp_ through OutputProcessor to get a nice String.
   def format_output exp
     Railroader::OutputProcessor.new.format(exp).gsub(/\r|\n/, "")
   end
 
-  #Checks if mass assignment is disabled globally in an initializer.
+  # Checks if mass assignment is disabled globally in an initializer.
   def mass_assign_disabled?
     return @mass_assign_disabled unless @mass_assign_disabled.nil?
 
@@ -167,7 +167,7 @@ class Railroader::BaseCheck < Railroader::SexpProcessor
 
       @mass_assign_disabled = true
     else
-      #Check for ActiveRecord::Base.send(:attr_accessible, nil)
+      # Check for ActiveRecord::Base.send(:attr_accessible, nil)
       tracker.check_initializers(:"ActiveRecord::Base", :attr_accessible).each do |result|
         call = result.call
         if call? call
@@ -191,7 +191,7 @@ class Railroader::BaseCheck < Railroader::SexpProcessor
       end
 
       unless @mass_assign_disabled
-        #Check for
+        # Check for
         #  class ActiveRecord::Base
         #    attr_accessible nil
         #  end
@@ -210,10 +210,10 @@ class Railroader::BaseCheck < Railroader::SexpProcessor
       end
     end
 
-    #There is a chance someone is using Rails 3.x and the `strong_parameters`
-    #gem and still using hack above, so this is a separate check for
-    #including ActiveModel::ForbiddenAttributesProtection in
-    #ActiveRecord::Base in an initializer.
+    # There is a chance someone is using Rails 3.x and the `strong_parameters`
+    # gem and still using hack above, so this is a separate check for
+    # including ActiveModel::ForbiddenAttributesProtection in
+    # ActiveRecord::Base in an initializer.
     if not @mass_assign_disabled and version_between?("3.1.0", "3.9.9") and tracker.config.has_gem? :strong_parameters
       matches = tracker.check_initializers([], :include)
       forbidden_protection = Sexp.new(:colon2, Sexp.new(:const, :ActiveModel), :ForbiddenAttributesProtection)
@@ -245,8 +245,8 @@ class Railroader::BaseCheck < Railroader::SexpProcessor
     true
   end
 
-  #This is to avoid reporting duplicates. Checks if the result has been
-  #reported already from the same line number.
+  # This is to avoid reporting duplicates. Checks if the result has been
+  # reported already from the same line number.
   def duplicate? result, location = nil
     if result.is_a? Hash
       line = result[:call].original_line || result[:call].line
@@ -275,34 +275,34 @@ class Railroader::BaseCheck < Railroader::SexpProcessor
     false
   end
 
-  #Checks if an expression contains string interpolation.
+  # Checks if an expression contains string interpolation.
   #
-  #Returns Match with :interp type if found.
+  # Returns Match with :interp type if found.
   def include_interp? exp
     @string_interp = false
     process exp
     @string_interp
   end
 
-  #Checks if _exp_ includes user input in the form of cookies, parameters,
-  #request environment, or model attributes.
+  # Checks if _exp_ includes user input in the form of cookies, parameters,
+  # request environment, or model attributes.
   #
-  #If found, returns a struct containing a type (:cookies, :params, :request, :model) and
-  #the matching expression (Match#type and Match#match).
+  # If found, returns a struct containing a type (:cookies, :params, :request, :model) and
+  # the matching expression (Match#type and Match#match).
   #
-  #Returns false otherwise.
+  # Returns false otherwise.
   def include_user_input? exp
     @has_user_input = false
     process exp
     @has_user_input
   end
 
-  #This is used to check for user input being used directly.
+  # This is used to check for user input being used directly.
   #
-  ##If found, returns a struct containing a type (:cookies, :params, :request) and
-  #the matching expression (Match#type and Match#match).
+  # #If found, returns a struct containing a type (:cookies, :params, :request) and
+  # the matching expression (Match#type and Match#match).
   #
-  #Returns false otherwise.
+  # Returns false otherwise.
   def has_immediate_user_input? exp
     if exp.nil?
       false
@@ -352,8 +352,8 @@ class Railroader::BaseCheck < Railroader::SexpProcessor
     end
   end
 
-  #Checks for a model attribute at the top level of the
-  #expression.
+  # Checks for a model attribute at the top level of the
+  # expression.
   def has_immediate_model? exp, out = nil
     out = exp if out.nil?
 
@@ -367,7 +367,7 @@ class Railroader::BaseCheck < Railroader::SexpProcessor
 
       if always_safe_method? method
         false
-      elsif call? target and not method.to_s[-1,1] == "?"
+      elsif call? target and not method.to_s[-1, 1] == "?"
         if has_immediate_model?(target, out)
           exp
         else
@@ -414,11 +414,11 @@ class Railroader::BaseCheck < Railroader::SexpProcessor
     end
   end
 
-  #Checks if +exp+ is a model name.
+  # Checks if +exp+ is a model name.
   #
-  #Prior to using this method, either @tracker must be set to
-  #the current tracker, or else @models should contain an array of the model
-  #names, which is available via tracker.models.keys
+  # Prior to using this method, either @tracker must be set to
+  # the current tracker, or else @models should contain an array of the model
+  # names, which is available via tracker.models.keys
   def model_name? exp
     @models ||= @tracker.models.keys
 
@@ -433,7 +433,7 @@ class Railroader::BaseCheck < Railroader::SexpProcessor
     end
   end
 
-  #Returns true if +target+ is in +exp+
+  # Returns true if +target+ is in +exp+
   def include_target? exp, target
     return false unless call? exp
 

data/lib/railroader/checks/check_basic_auth.rb

@@ -1,9 +1,9 @@
 require 'railroader/checks/base_check'
 
-#Checks if password is stored in controller
-#when using http_basic_authenticate_with
+# Checks if password is stored in controller
+# when using http_basic_authenticate_with
 #
-#Only for Rails >= 3.1
+# Only for Rails >= 3.1
 class Railroader::CheckBasicAuth < Railroader::BaseCheck
   Railroader::Checks.add self
 

data/lib/railroader/checks/check_content_tag.rb

@@ -1,6 +1,6 @@
 require 'railroader/checks/check_cross_site_scripting'
 
-#Checks for unescaped values in `content_tag`
+# Checks for unescaped values in `content_tag`
 #
 #    content_tag :tag, body
 #                       ^-- Unescaped in Rails 2.x
@@ -56,15 +56,15 @@ class Railroader::CheckContentTag < Railroader::CheckCrossSiteScripting
 
     @matched = false
 
-    #Silly, but still dangerous if someone uses user input in the tag type
+    # Silly, but still dangerous if someone uses user input in the tag type
     check_argument result, tag_name
 
-    #Versions before 3.x do not escape body of tag, nor does the rails_xss gem
+    # Versions before 3.x do not escape body of tag, nor does the rails_xss gem
     unless @matched or (tracker.options[:rails3] and not raw? content)
       check_argument result, content
     end
 
-    #Attribute keys are never escaped, so check them for user input
+    # Attribute keys are never escaped, so check them for user input
     if not @matched and hash? attributes and not request_value? attributes
       hash_iterate(attributes) do |k, _v|
         check_argument result, k
@@ -72,13 +72,13 @@ class Railroader::CheckContentTag < Railroader::CheckCrossSiteScripting
       end
     end
 
-    #By default, content_tag escapes attribute values passed in as a hash.
-    #But this behavior can be disabled. So only check attributes hash
-    #if they are explicitly not escaped.
+    # By default, content_tag escapes attribute values passed in as a hash.
+    # But this behavior can be disabled. So only check attributes hash
+    # if they are explicitly not escaped.
     if not @matched and attributes and (false? escape_attr or cve_2016_6316?)
       if request_value? attributes or not hash? attributes
         check_argument result, attributes
-      else #check hash values
+      else # check hash values
         hash_iterate(attributes) do |_k, v|
           check_argument result, v
           return if @matched
@@ -88,7 +88,7 @@ class Railroader::CheckContentTag < Railroader::CheckCrossSiteScripting
   end
 
   def check_argument result, exp
-    #Check contents of raw() calls directly
+    # Check contents of raw() calls directly
     if raw? exp
       arg = process exp.first_arg
     else

data/lib/railroader/checks/check_create_with.rb

@@ -43,8 +43,8 @@ class Railroader::CheckCreateWith < Railroader::BaseCheck
     end
   end
 
-  #For a given create_with call, set confidence level.
-  #Ignore calls that use permit()
+  # For a given create_with call, set confidence level.
+  # Ignore calls that use permit()
   def danger_level exp
     return unless sexp? exp
 

data/lib/railroader/checks/check_cross_site_scripting.rb

@@ -4,10 +4,10 @@ require 'railroader/processors/lib/processor_helper'
 require 'railroader/util'
 require 'set'
 
-#This check looks for unescaped output in templates which contains
-#parameters or model attributes.
+# This check looks for unescaped output in templates which contains
+# parameters or model attributes.
 #
-#For example:
+# For example:
 #
 # <%= User.find(:id).name %>
 # <%= params[:id] %>
@@ -16,7 +16,7 @@ class Railroader::CheckCrossSiteScripting < Railroader::BaseCheck
 
   @description = "Checks for unescaped output in views"
 
-  #Model methods which are known to be harmless
+  # Model methods which are known to be harmless
   IGNORE_MODEL_METHODS = Set[:average, :count, :maximum, :minimum, :sum, :id]
 
   MODEL_METHODS = Set[:all, :find, :first, :last, :new]
@@ -33,7 +33,7 @@ class Railroader::CheckCrossSiteScripting < Railroader::BaseCheck
 
   FORM_BUILDER = Sexp.new(:call, Sexp.new(:const, :FormBuilder), :new)
 
-  #Run check
+  # Run check
   def run_check
     setup
 
@@ -119,7 +119,7 @@ class Railroader::CheckCrossSiteScripting < Railroader::BaseCheck
     end
   end
 
-  #Call already involves a model, but might not be acting on a record
+  # Call already involves a model, but might not be acting on a record
   def likely_model_attribute? exp
     return false unless call? exp
 
@@ -132,13 +132,13 @@ class Railroader::CheckCrossSiteScripting < Railroader::BaseCheck
     end
   end
 
-  #Process an output Sexp
+  # Process an output Sexp
   def process_output exp
     process exp.value.dup
   end
 
-  #Look for calls to raw()
-  #Otherwise, ignore
+  # Look for calls to raw()
+  # Otherwise, ignore
   def process_escaped_output exp
     unless check_for_immediate_xss exp
       if not duplicate? exp
@@ -152,12 +152,12 @@ class Railroader::CheckCrossSiteScripting < Railroader::BaseCheck
     exp
   end
 
-  #Check a call for user input
+  # Check a call for user input
   #
   #
-  #Since we want to report an entire call and not just part of one, use @mark
-  #to mark when a call is started. Any dangerous values inside will then
-  #report the entire call chain.
+  # Since we want to report an entire call and not just part of one, use @mark
+  # to mark when a call is started. Any dangerous values inside will then
+  # report the entire call chain.
   def process_call exp
     if @mark
       actually_process_call exp
@@ -214,10 +214,10 @@ class Railroader::CheckCrossSiteScripting < Railroader::BaseCheck
 
     method = exp.method
 
-    #Ignore safe items
+    # Ignore safe items
     if ignore_call? target, method
       @matched = false
-    elsif sexp? target and model_name? target[1] #TODO: use method call?
+    elsif sexp? target and model_name? target[1] # TODO: use method call?
       @matched = Match.new(:model, exp)
     elsif cookies? exp
       @matched = Match.new(:cookies, exp)
@@ -228,39 +228,39 @@ class Railroader::CheckCrossSiteScripting < Railroader::BaseCheck
     end
   end
 
-  #Note that params have been found
+  # Note that params have been found
   def process_params exp
     @matched = Match.new(:params, exp)
     exp
   end
 
-  #Note that cookies have been found
+  # Note that cookies have been found
   def process_cookies exp
     @matched = Match.new(:cookies, exp)
     exp
   end
 
-  #Ignore calls to render
+  # Ignore calls to render
   def process_render exp
     exp
   end
 
-  #Process as default
+  # Process as default
   def process_dstr exp
     process_default exp
   end
 
-  #Process as default
+  # Process as default
   def process_format exp
     process_default exp
   end
 
-  #Ignore output HTML escaped via HAML
+  # Ignore output HTML escaped via HAML
   def process_format_escaped exp
     exp
   end
 
-  #Ignore condition in if Sexp
+  # Ignore condition in if Sexp
   def process_if exp
     process exp.then_clause if sexp? exp.then_clause
     process exp.else_clause if sexp? exp.else_clause
@@ -268,8 +268,8 @@ class Railroader::CheckCrossSiteScripting < Railroader::BaseCheck
   end
 
   def process_case exp
-    #Ignore user input in case value
-    #TODO: also ignore when values
+    # Ignore user input in case value
+    # TODO: also ignore when values
 
     current = 2
     while current < exp.length

data/lib/railroader/checks/check_default_routes.rb

@@ -1,13 +1,13 @@
 require 'railroader/checks/base_check'
 
-#Checks if default routes are allowed in routes.rb
+# Checks if default routes are allowed in routes.rb
 class Railroader::CheckDefaultRoutes < Railroader::BaseCheck
   Railroader::Checks.add self
 
   @description = "Checks for default routes"
 
-  #Checks for :allow_all_actions globally and for individual routes
-  #if it is not enabled globally.
+  # Checks for :allow_all_actions globally and for individual routes
+  # if it is not enabled globally.
   def run_check
     check_for_default_routes
     check_for_action_globs
@@ -16,7 +16,7 @@ class Railroader::CheckDefaultRoutes < Railroader::BaseCheck
 
   def check_for_default_routes
     if allow_all_actions?
-      #Default routes are enabled globally
+      # Default routes are enabled globally
       warn :warning_type => "Default Routes",
         :warning_code => :all_default_routes,
         :message => "All public methods in controllers are available as actions in routes.rb",
@@ -52,7 +52,7 @@ class Railroader::CheckDefaultRoutes < Railroader::BaseCheck
   def check_for_cve_2014_0130
     case
     when lts_version?("2.3.18.9")
-      #TODO: Should support LTS 3.0.20 too
+      # TODO: Should support LTS 3.0.20 too
       return
     when version_between?("2.0.0", "2.3.18")
       upgrade = "3.2.18"

data/lib/railroader/checks/check_deserialize.rb

@@ -24,7 +24,7 @@ class Railroader::CheckDeserialize < Railroader::BaseCheck
   end
 
   def check_methods target, *methods
-    tracker.find_call(:target => target, :methods => methods ).each do |result|
+    tracker.find_call(:target => target, :methods => methods).each do |result|
       check_deserialize result, target
     end
   end

data/lib/railroader/checks/check_dynamic_finders.rb

@@ -1,6 +1,6 @@
 require 'railroader/checks/base_check'
 
-#This check looks for regexes that include user input.
+# This check looks for regexes that include user input.
 class Railroader::CheckDynamicFinders < Railroader::BaseCheck
   Railroader::Checks.add self