lib/brakeman/processors/lib/rails3_route_processor.rb in brakeman-2.5.0 vs lib/brakeman/processors/lib/rails3_route_processor.rb in brakeman-2.6.0
@@ -87,22 +87,21 @@
def process_match exp
first_arg = exp.first_arg
second_arg = exp.second_arg
last_arg = exp.last_arg
- #Check if there is an unrestricted action parameter
- action_variable = false
-
if string? first_arg
- matcher = first_arg.value
+ matcher = first_arg.value
if matcher == ':controller(/:action(/:id(.:format)))' or
- matcher.include? ':controller' and matcher.include? ':action' #Default routes
+ matcher.include? ':controller' and action_route?(matcher) #Default routes
@tracker.routes[:allow_all_actions] = first_arg
return exp
- elsif matcher.include? ':action'
- action_variable = true
+ elsif action_route?(first_arg)
+ if hash? second_arg and controller_name = hash_access(second_arg, :controller)
+ loose_action(controller_name, "matched") #TODO: Parse verbs
+ end
elsif second_arg.nil? and in_controller_block? and not matcher.include? ":"
add_route matcher
end
end
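Review bot: With `action_variable` removed, a matcher containing `:action` whose controller is not supplied as a `:controller` key in `second_arg` (for example a `match ':action'` inside a controller block, where `in_controller_block?` is true) is no longer recorded as allowing all actions; the deleted fallback at the end of `process_match` in the third hunk used to cover that case through `@current_controller`. The new `elsif action_route?(first_arg)` branch only reaches `loose_action` when `hash? second_arg` yields a controller, so the block-scoped case appears to be dropped rather than relocated — worth confirming against the route tests. A minimal restoration would be an inner fallback such as `elsif in_controller_block? and @current_controller` followed by `@tracker.routes[@current_controller] = [:allow_all_actions, {:allow_verb => "matched"}]`, mirroring what `loose_action` stores. `process_match` continues past the end of this hunk.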
@@ -121,11 +120,10 @@
add_route_from_string v
else
add_route v
end
- action_variable = false
when :to
if string? v
add_route_from_string v[1]
elsif in_controller_block? and symbol? v
add_route v
@@ -133,14 +131,10 @@
end
end
end
end
- if action_variable
- @tracker.routes[@current_controller] = :allow_all_actions
- end
-
@current_controller = nil unless in_controller_block?
exp
end
def add_route_from_string value
@@ -167,13 +161,21 @@
if string? v
add_route_from_string v
elsif in_controller_block? and symbol? v
add_route v
end
+ elsif action_route?(first_arg)
+ if hash? second_arg and controller_name = hash_access(second_arg, :controller)
+ loose_action(controller_name, exp.method)
+ end
end
end
elsif string? first_arg
+ if first_arg.value.include? ':controller' and action_route?(first_arg) #Default routes
+ @tracker.routes[:allow_all_actions] = first_arg
+ end
+
route = first_arg.value.split "/"
if route.length != 2
add_route route[0]
else
add_route route[1], route[0]
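Review bot: The new default-route check in the `elsif string? first_arg` branch records `first_arg` under `:allow_all_actions` and then falls through to `split "/"` and `add_route` on the placeholder segments, whereas the equivalent check in `process_match` (first hunk) returns right after setting the same entry; unless registering `:controller`/`:action` as route names is intended, an early return after the assignment would keep the two paths consistent. The `hash? second_arg and controller_name = hash_access(second_arg, :controller)` / `loose_action` pair is now duplicated verbatim between this hunk and the first, differing only in the verb argument, and would read better as one small helper that takes the verb. The enclosing method starts and ends outside this hunk.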
@@ -284,7 +286,20 @@
def in_controller_block
prev_block = @controller_block
@controller_block = true
yield
@controller_block = prev_block
+ end
+
+ def action_route? arg
+ if string? arg
+ arg = arg.value
+ end
+
+ arg.is_a? String and (arg.include? ":action" or arg.include? "*action")
+ end
+
+ def loose_action controller_name, verb = "any"
+ self.current_controller = controller_name.value
+ @tracker.routes[@current_controller] = [:allow_all_actions, {:allow_verb => verb}]
end
end
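Review bot: `loose_action` calls `controller_name.value` unconditionally, but both call sites pass whatever `hash_access(second_arg, :controller)` returns; if that value is not a literal (a method call or a variable), `value` is presumably not meaningful there, so a guard such as `return unless string? controller_name or symbol? controller_name` at the top of `loose_action` would make the failure mode explicit rather than incidental. The stored shape also changes from the bare symbol `:allow_all_actions` to `[:allow_all_actions, {:allow_verb => verb}]`, with `verb` a String in two places (`"any"`, `"matched"`) and whatever `exp.method` is in the fourth hunk, so any consumer of `@tracker.routes` that compares against the bare symbol or assumes a single verb type needs checking. A comment above `loose_action` documenting the tuple, e.g. `# Records that every public action of controller_name is routable; verb is the route's HTTP verb, "any", or "matched" for match-style routes`, would spare the next reader that inference. In `action_route?`, `arg = arg.value if string? arg` is the idiomatic form of the three-line `if`.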