Add test to ensure brakeman scans engines

test/apps/rails4_with_engines/Gemfile

+source 'https://rubygems.org'
+
+# Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
+gem 'rails', '4.0.0.beta1'
+
+gem 'sqlite3'
+
+# Gems used only for assets and not required
+# in production environments by default.
+group :assets do
+  gem 'sass-rails',   '~> 4.0.0.beta1'
+  gem 'coffee-rails', '~> 4.0.0.beta1'
+
+  # See https://github.com/sstephenson/execjs#readme for more supported runtimes
+  # gem 'therubyracer', platforms: :ruby
+
+  gem 'uglifier', '>= 1.0.3'
+end
+
+gem 'jquery-rails'
+
+# Turbolinks makes following links in your web application faster. Read more: https://github.com/rails/turbolinks
+gem 'turbolinks'
+
+# Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
+gem 'jbuilder', '~> 1.0.1'
+
+# To use ActiveModel has_secure_password
+# gem 'bcrypt-ruby', '~> 3.0.0'
+
+# Use unicorn as the app server
+# gem 'unicorn'
+
+# Deploy with Capistrano
+# gem 'capistrano', group: :development
+
+# To use debugger
+# gem 'debugger'

test/apps/rails4_with_engines/README.rdoc

+== README
+
+This README would normally document whatever steps are necessary to get the
+application up and running.
+
+Things you may want to cover:
+
+* Ruby version
+
+* System dependencies
+
+* Configuration
+
+* Database creation
+
+* Database initialization
+
+* How to run the test suite
+
+* Services (job queues, cache servers, search engines, etc.)
+
+* Deployment instructions
+
+* ...
+
+
+Please feel free to use a different markup language if you do not plan to run
+<tt>rake doc:app</tt>.

test/apps/rails4_with_engines/Rakefile

+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require File.expand_path('../config/application', __FILE__)
+
+Rails4::Application.load_tasks

test/apps/rails4_with_engines/app/assets/javascripts/application.js

+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or vendor/assets/javascripts of plugins, if any, can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file.
+//
+// WARNING: THE FIRST BLANK LINE MARKS THE END OF WHAT'S TO BE PROCESSED, ANY BLANK LINE SHOULD
+// GO AFTER THE REQUIRES BELOW.
+//
+//= require jquery
+//= require jquery_ujs
+//= require turbolinks
+//= require_tree .

test/apps/rails4_with_engines/app/assets/stylesheets/application.css

+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or vendor/assets/stylesheets of plugins, if any, can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the top of the
+ * compiled file, but it's generally better to create a new file per style scope.
+ *
+ *= require_self
+ *= require_tree .
+ */

test/apps/rails4_with_engines/app/controllers/application_controller.rb

+class ApplicationController < ActionController::Base
+  # Prevent CSRF attacks by raising an exception.
+  # For APIs, you may want to use :null_session instead.
+  protect_from_forgery with: :exception
+end

test/apps/rails4_with_engines/app/helpers/application_helper.rb

+module ApplicationHelper
+end

test/apps/rails4_with_engines/app/views/layouts/application.html.erb

+<!DOCTYPE html>
+<html>
+<head>
+  <title>Rails4</title>
+  <%= stylesheet_link_tag    "application", media: "all", "data-turbolinks-track" => true %>
+  <%= javascript_include_tag "application", "data-turbolinks-track" => true %>
+  <%= csrf_meta_tags %>
+</head>
+<body>
+
+<%= yield %>
+
+</body>
+</html>

test/apps/rails4_with_engines/bin/bundle

+#!/usr/bin/env ruby
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+load Gem.bin_path('bundler', 'bundle')

test/apps/rails4_with_engines/bin/rails

+#!/usr/bin/env ruby
+APP_PATH = File.expand_path('../../config/application',  __FILE__)
+require_relative '../config/boot'
+require 'rails/commands'

test/apps/rails4_with_engines/bin/rake

+#!/usr/bin/env ruby
+require_relative '../config/boot'
+require 'rake'
+Rake.application.run

test/apps/rails4_with_engines/config.ru

+# This file is used by Rack-based servers to start the application.
+
+require ::File.expand_path('../config/environment',  __FILE__)
+run Rails4::Application

test/apps/rails4_with_engines/config/application.rb

+require File.expand_path('../boot', __FILE__)
+
+require 'rails/all'
+
+# Assets should be precompiled for production (so we don't need the gems loaded then)
+Bundler.require(*Rails.groups(assets: %w(development test)))
+
+module Rails4
+  class Application < Rails::Application
+    # Settings in config/environments/* take precedence over those specified here.
+    # Application configuration should go into files in config/initializers
+    # -- all .rb files in that directory are automatically loaded.
+
+    # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
+    # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
+    # config.time_zone = 'Central Time (US & Canada)'
+
+    # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
+    # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
+    # config.i18n.default_locale = :de
+  end
+end

test/apps/rails4_with_engines/config/boot.rb

+# Set up gems listed in the Gemfile.
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+
+require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])

test/apps/rails4_with_engines/config/database.yml

+# SQLite version 3.x
+#   gem install sqlite3
+#
+#   Ensure the SQLite 3 gem is defined in your Gemfile
+#   gem 'sqlite3'
+development:
+  adapter: sqlite3
+  database: db/development.sqlite3
+  pool: 5
+  timeout: 5000
+
+# Warning: The database defined as "test" will be erased and
+# re-generated from your development database when you run "rake".
+# Do not set this db to the same as development or production.
+test:
+  adapter: sqlite3
+  database: db/test.sqlite3
+  pool: 5
+  timeout: 5000
+
+production:
+  adapter: sqlite3
+  database: db/production.sqlite3
+  pool: 5
+  timeout: 5000

test/apps/rails4_with_engines/config/environment.rb

+# Load the rails application.
+require File.expand_path('../application', __FILE__)
+
+# Initialize the rails application.
+Rails4::Application.initialize!

test/apps/rails4_with_engines/config/environments/development.rb

+Rails4::Application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # In the development environment your application's code is reloaded on
+  # every request. This slows down response time but is perfect for development
+  # since you don't have to restart the web server when you make code changes.
+  config.cache_classes = false
+
+  # Do not eager load code on boot.
+  config.eager_load = false
+
+  # Show full error reports and disable caching.
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Don't care if the mailer can't send.
+  config.action_mailer.raise_delivery_errors = false
+
+  # Print deprecation notices to the Rails logger.
+  config.active_support.deprecation = :log
+
+  # Raise an error on page load if there are pending migrations
+  config.active_record.migration_error = :page_load
+
+  # Debug mode disables concatenation and preprocessing of assets.
+  config.assets.debug = true
+end

test/apps/rails4_with_engines/config/environments/production.rb

+Rails4::Application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # Code is not reloaded between requests.
+  config.cache_classes = true
+
+  # Eager load code on boot. This eager loads most of Rails and
+  # your application in memory, allowing both thread web servers
+  # and those relying on copy on write to perform better.
+  # Rake tasks automatically ignore this option for performance.
+  config.eager_load = true
+
+  # Full error reports are disabled and caching is turned on.
+  config.consider_all_requests_local       = false
+  config.action_controller.perform_caching = true
+
+  # Enable Rack::Cache to put a simple HTTP cache in front of your application
+  # Add `rack-cache` to your Gemfile before enabling this.
+  # For large-scale production use, consider using a caching reverse proxy like nginx, varnish or squid.
+  # config.action_dispatch.rack_cache = true
+
+  # Disable Rails's static asset server (Apache or nginx will already do this).
+  config.serve_static_assets = false
+
+  # Compress JavaScripts and CSS.
+  config.assets.js_compressor  = :uglifier
+  # config.assets.css_compressor = :sass
+
+  # Whether to fallback to assets pipeline if a precompiled asset is missed.
+  config.assets.compile = false
+
+  # Generate digests for assets URLs.
+  config.assets.digest = true
+
+  # Version of your assets, change this if you want to expire all your assets.
+  config.assets.version = '1.0'
+
+  # Specifies the header that your server uses for sending files.
+  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
+  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
+
+  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
+  # config.force_ssl = true
+
+  # Set to :debug to see everything in the log.
+  config.log_level = :info
+
+  # Prepend all log lines with the following tags.
+  # config.log_tags = [ :subdomain, :uuid ]
+
+  # Use a different logger for distributed setups.
+  # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
+
+  # Use a different cache store in production.
+  # config.cache_store = :mem_cache_store
+
+  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
+  # config.action_controller.asset_host = "http://assets.example.com"
+
+  # Precompile additional assets.
+  # application.js, application.css, and all non-JS/CSS in app/assets folder are already added.
+  # config.assets.precompile += %w( search.js )
+
+  # Ignore bad email addresses and do not raise email delivery errors.
+  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
+  # config.action_mailer.raise_delivery_errors = false
+
+  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
+  # the I18n.default_locale when a translation can not be found).
+  config.i18n.fallbacks = true
+
+  # Send deprecation notices to registered listeners.
+  config.active_support.deprecation = :notify
+
+  # Disable automatic flushing of the log to improve performance.
+  # config.autoflush_log = false
+
+  # Use default logging formatter so that PID and timestamp are not suppressed.
+  config.log_formatter = ::Logger::Formatter.new
+end

test/apps/rails4_with_engines/config/environments/test.rb

+Rails4::Application.configure do
+  # Settings specified here will take precedence over those in config/application.rb.
+
+  # The test environment is used exclusively to run your application's
+  # test suite. You never need to work with it otherwise. Remember that
+  # your test database is "scratch space" for the test suite and is wiped
+  # and recreated between test runs. Don't rely on the data there!
+  config.cache_classes = true
+
+  # Do not eager load code on boot. This avoids loading your whole application
+  # just for the purpose of running a single test. If you are using a tool that
+  # preloads Rails for running tests, you may have to set it to true.
+  config.eager_load = false
+
+  # Configure static asset server for tests with Cache-Control for performance.
+  config.serve_static_assets = true
+  config.static_cache_control = "public, max-age=3600"
+
+  # Show full error reports and disable caching.
+  config.consider_all_requests_local       = true
+  config.action_controller.perform_caching = false
+
+  # Raise exceptions instead of rendering exception templates.
+  config.action_dispatch.show_exceptions = false
+
+  # Disable request forgery protection in test environment.
+  config.action_controller.allow_forgery_protection = false
+
+  # Tell Action Mailer not to deliver emails to the real world.
+  # The :test delivery method accumulates sent emails in the
+  # ActionMailer::Base.deliveries array.
+  config.action_mailer.delivery_method = :test
+
+  # Print deprecation notices to the stderr.
+  config.active_support.deprecation = :stderr
+end

test/apps/rails4_with_engines/config/initializers/backtrace_silencers.rb

+# Be sure to restart your server when you modify this file.
+
+# You can add backtrace silencers for libraries that you're using but don't wish to see in your backtraces.
+# Rails.backtrace_cleaner.add_silencer { |line| line =~ /my_noisy_library/ }
+
+# You can also remove all the silencers if you're trying to debug a problem that might stem from framework code.
+# Rails.backtrace_cleaner.remove_silencers!

test/apps/rails4_with_engines/config/initializers/filter_parameter_logging.rb

+# Be sure to restart your server when you modify this file.
+
+# Configure sensitive parameters which will be filtered from the log file.
+Rails.application.config.filter_parameters += [:password]

test/apps/rails4_with_engines/config/initializers/inflections.rb

+# Be sure to restart your server when you modify this file.
+
+# Add new inflection rules using the following format. Inflections
+# are locale specific, and you may define rules for as many different
+# locales as you wish. All of these examples are active by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+#   inflect.plural /^(ox)$/i, '\1en'
+#   inflect.singular /^(ox)en/i, '\1'
+#   inflect.irregular 'person', 'people'
+#   inflect.uncountable %w( fish sheep )
+# end
+
+# These inflection rules are supported but not enabled by default:
+# ActiveSupport::Inflector.inflections(:en) do |inflect|
+#   inflect.acronym 'RESTful'
+# end

test/apps/rails4_with_engines/config/initializers/mime_types.rb

+# Be sure to restart your server when you modify this file.
+
+# Add new mime types for use in respond_to blocks:
+# Mime::Type.register "text/richtext", :rtf
+# Mime::Type.register_alias "text/html", :iphone

test/apps/rails4_with_engines/config/initializers/secret_token.rb

+# Be sure to restart your server when you modify this file.
+
+# Your secret key for verifying the integrity of signed cookies.
+# If you change this key, all old signed cookies will become invalid!
+
+# Make sure the secret is at least 30 characters and all random,
+# no regular words or you'll be exposed to dictionary attacks.
+# You can use `rake secret` to generate a secure secret key.
+
+# Make sure your secret_key_base is kept private
+# if you're sharing your code publicly.
+Rails4::Application.config.secret_key_base = '3d90f727dcc14992232b9461fac5d31cf2bc184854e0afd90ae67e0ae48f22b676ee2529c84d4c23bc2a9c7be6eeefcf202b91ccb8d04e7b87a85c852f6784d6'

test/apps/rails4_with_engines/config/initializers/session_store.rb

+# Be sure to restart your server when you modify this file.
+
+Rails4::Application.config.session_store :encrypted_cookie_store, key: '_rails4_session'

test/apps/rails4_with_engines/config/initializers/wrap_parameters.rb

+# Be sure to restart your server when you modify this file.
+
+# This file contains settings for ActionController::ParamsWrapper which
+# is enabled by default.
+
+# Enable parameter wrapping for JSON. You can disable this by setting :format to an empty array.
+ActiveSupport.on_load(:action_controller) do
+  wrap_parameters format: [:json] if respond_to?(:wrap_parameters)
+end
+
+# To enable root element in JSON for ActiveRecord objects.
+# ActiveSupport.on_load(:active_record) do
+#  self.include_root_in_json = true
+# end

test/apps/rails4_with_engines/config/locales/en.yml

+# Files in the config/locales directory are used for internationalization
+# and are automatically loaded by Rails. If you want to use locales other
+# than English, add the necessary files in this directory.
+#
+# To use the locales, use `I18n.t`:
+#
+#     I18n.t 'hello'
+#
+# In views, this is aliased to just `t`:
+#
+#     <%= t('hello') %>
+#
+# To use a different locale, set it with `I18n.locale`:
+#
+#     I18n.locale = :es
+#
+# This would use the information in config/locales/es.yml.
+#
+# To learn more, please read the Rails Internationalization guide
+# available at http://guides.rubyonrails.org/i18n.html.
+
+en:
+  hello: "Hello world"

test/apps/rails4_with_engines/config/routes.rb

+Rails4::Application.routes.draw do
+  # The priority is based upon order of creation: first created -> highest priority.
+  # See how all your routes lay out with "rake routes".
+
+  # You can have the root of your site routed with "root"
+  # root to: 'welcome#index'
+
+  # Example of regular route:
+  #   get 'products/:id' => 'catalog#view'
+
+  # Example of named route that can be invoked with purchase_url(id: product.id)
+  #   get 'products/:id/purchase' => 'catalog#purchase', as: :purchase
+
+  # Example resource route (maps HTTP verbs to controller actions automatically):
+  #   resources :products
+
+  # Example resource route with options:
+  #   resources :products do
+  #     member do
+  #       get 'short'
+  #       post 'toggle'
+  #     end
+  #
+  #     collection do
+  #       get 'sold'
+  #     end
+  #   end
+
+  # Example resource route with sub-resources:
+  #   resources :products do
+  #     resources :comments, :sales
+  #     resource :seller
+  #   end
+
+  # Example resource route with more complex sub-resources:
+  #   resources :products do
+  #     resources :comments
+  #     resources :sales do
+  #       get 'recent', on: :collection
+  #     end
+  #   end
+
+  # Example resource route within a namespace:
+  #   namespace :admin do
+  #     # Directs /admin/products/* to Admin::ProductsController
+  #     # (app/controllers/admin/products_controller.rb)
+  #     resources :products
+  #   end
+end

test/apps/rails4_with_engines/db/seeds.rb

+# This file should contain all the record creation needed to seed the database with its default values.
+# The data can then be loaded with the rake db:seed (or created alongside the db with db:setup).
+#
+# Examples:
+#
+#   cities = City.create([{ name: 'Chicago' }, { name: 'Copenhagen' }])
+#   Mayor.create(name: 'Emanuel', city: cities.first)

test/apps/rails4_with_engines/engines/user_removal/app/assets/javascripts/users.js.coffee

+# Place all the behaviors and hooks related to the matching controller here.
+# All this logic will automatically be available in application.js.
+# You can use CoffeeScript in this file: http://jashkenas.github.com/coffee-script/

test/apps/rails4_with_engines/engines/user_removal/app/assets/stylesheets/users.css.scss

+// Place all the styles related to the Users controller here.
+// They will automatically be included in application.css.
+// You can use Sass (SCSS) here: http://sass-lang.com/

test/apps/rails4_with_engines/engines/user_removal/app/controllers/removal_controller.rb

+class RemovalController < ApplicationController
+  def change_lines
+    <<-X
+    this
+    method
+    is
+    here
+    for line
+    numbers
+    X
+  end
+
+  def remove_this
+    redirect_to params[:url]
+  end
+
+  def remove_this_too
+    @some_input = raw params[:input]
+    @some_other_input = Account.first.name
+
+    render 'removal/controller_removed'
+  end
+
+  def implicit_render
+    @bad_stuff = raw params[:bad_stuff]
+  end
+end

test/apps/rails4_with_engines/engines/user_removal/app/controllers/users_controller.rb

+class UsersController < ApplicationController
+  include UserControllerMixin
+
+  # GET /users
+  # GET /users.json
+  def index
+    @users = User.all
+
+    respond_to do |format|
+      format.html # index.html.erb
+      format.json { render :json => @users }
+    end
+  end
+
+  # GET /users/1
+  # GET /users/1.json
+  def show
+    @user = User.find(params[:id])
+    @user_data = raw params[:user_data]
+
+    respond_to do |format|
+      format.html # show.html.erb
+      format.json { render :json => @user }
+    end
+  end
+
+  # GET /users/new
+  # GET /users/new.json
+  def new
+    @user = User.new
+
+    respond_to do |format|
+      format.html # new.html.erb
+      format.json { render :json => @user }
+    end
+  end
+
+  # GET /users/1/edit
+  def edit
+    @user = User.find(params[:id])
+  end
+
+  # POST /users
+  # POST /users.json
+  def create
+    @user = User.new(params[:user])
+
+    respond_to do |format|
+      if @user.save
+        format.html { redirect_to @user, :notice => 'User was successfully created.' }
+        format.json { render :json => @user, :status => :created, :location => @user }
+      else
+        format.html { render :action => "new" }
+        format.json { render :json => @user.errors, :status => :unprocessable_entity }
+      end
+    end
+  end
+
+  # PUT /users/1
+  # PUT /users/1.json
+  def update
+    @user = User.find(params[:id])
+
+    respond_to do |format|
+      if @user.update_attributes(params[:user])
+        format.html { redirect_to @user, :notice => 'User was successfully updated.' }
+        format.json { head :no_content }
+      else
+        format.html { render :action => "edit" }
+        format.json { render :json => @user.errors, :status => :unprocessable_entity }
+      end
+    end
+  end
+
+  # DELETE /users/1
+  # DELETE /users/1.json
+  def destroy
+    @user = User.find(params[:id])
+    @user.destroy
+
+    respond_to do |format|
+      format.html { redirect_to users_url }
+      format.json { head :no_content }
+    end
+  end
+
+  def slimming
+    @user = User.find(params[:id])
+    @query = params[:query]
+  end
+end

test/apps/rails4_with_engines/engines/user_removal/app/helpers/application_helper.rb

+module ApplicationHelper
+end

test/apps/rails4_with_engines/engines/user_removal/app/helpers/users_helper.rb

+module UsersHelper
+end

test/apps/rails4_with_engines/engines/user_removal/app/models/account.rb

+class Account < ActiveRecord::Base
+  attr_accessible :plan_id, :banned 
+end

test/apps/rails4_with_engines/engines/user_removal/app/models/no_protection.rb

+class NoProtection < ActiveRecord::Base
+  # Leave this class empty for Rescanner tests
+end

test/apps/rails4_with_engines/engines/user_removal/app/models/user.rb

+class User < ActiveRecord::Base
+  attr_accessible :bio, :name, :account_id, :admin, :status_id 
+end

test/apps/rails4_with_engines/engines/user_removal/app/views/removal/_partial.html.erb

+<%= raw @some_other_input %>

test/apps/rails4_with_engines/engines/user_removal/app/views/removal/controller_removed.html.erb

+<%= @some_input %>
+
+<%= render 'partial' %>

test/apps/rails4_with_engines/engines/user_removal/app/views/removal/implicit_render.html.erb

+
+<%= @bad_stuff %>

test/apps/rails4_with_engines/engines/user_removal/app/views/users/_form.html.erb

+You: <span><%= about %></span>
+
+<%= form_for(@user) do |f| %>
+  <% if @user.errors.any? %>
+    <div id="error_explanation">
+      <h2><%= pluralize(@user.errors.count, "error") %> prohibited this user from being saved:</h2>
+
+      <ul>
+      <% @user.errors.full_messages.each do |msg| %>
+        <li><%= msg %></li>
+      <% end %>
+      </ul>
+    </div>
+  <% end %>
+
+  <div class="field">
+    <%= f.label :name %><br />
+    <%= f.text_field :name %>
+  </div>
+  <div class="field">
+    <%= f.label :bio %><br />
+    <%= f.text_field :bio %>
+  </div>
+  <div class="actions">
+    <%= f.submit %>
+  </div>
+<% end %>

test/apps/rails4_with_engines/engines/user_removal/app/views/users/_slimmer.html.slim

+- if some_value
+  div
+    = params[:escaped]
+- else
+  span
+    == params[:unescaped]
+
+p== @user.profile
+
+- if x
+  = params[:unescaped]
+- else
+  = params[:escaped]
+

test/apps/rails4_with_engines/engines/user_removal/app/views/users/edit.html.erb

+<h1>Editing user</h1>
+
+<%= render 'form', :locals => { :about => raw(@user.bio) } %>
+
+<%= link_to 'Show', @user %> |
+<%= link_to 'Back', users_path %>

test/apps/rails4_with_engines/engines/user_removal/app/views/users/index.html.erb

+<h1>Listing users</h1>
+
+<table>
+  <tr>
+    <th>Name</th>
+    <th>Bio</th>
+    <th></th>
+    <th></th>
+    <th></th>
+  </tr>
+
+<% @users.each do |user| %>
+  <tr>
+    <td><%= user.name %></td>
+    <td><%= user.bio %></td>
+    <td><%= link_to 'Show', user %></td>
+    <td><%= link_to 'Edit', edit_user_path(user) %></td>
+    <td><%= link_to 'Destroy', user, :method => :delete, :data => { :confirm => 'Are you sure?' } %></td>
+  </tr>
+<% end %>
+</table>
+
+<br />
+
+<%= link_to 'New User', new_user_path %>

test/apps/rails4_with_engines/engines/user_removal/app/views/users/mixed_in.html.erb

+<%= raw @user.something %>

test/apps/rails4_with_engines/engines/user_removal/app/views/users/new.html.erb

+<h1>New user</h1>
+
+<%= render 'form' %>
+
+<%= link_to 'Back', users_path %>

test/apps/rails4_with_engines/engines/user_removal/app/views/users/sanitized.html.erb

+<style>
+  <%= sanitize_css params[:css] %>
+</style>

test/apps/rails4_with_engines/engines/user_removal/app/views/users/show.html.erb

+<p id="notice"><%= notice %></p>
+
+<p>
+  <b>Name:</b>
+  <%= @user.name %>
+</p>
+
+<p>
+  <b>Bio:</b>
+  <%= @user.bio %>
+</p>
+
+<p>
+  <b>Other Thing:</b>
+  <%= @user_data %>
+</p>
+
+
+<%= link_to 'Edit', edit_user_path(@user) %> |
+<%= link_to 'Back', users_path %>
+
+<script>
+  var thing = <%= raw params.to_json %>;
+</script>

test/apps/rails4_with_engines/engines/user_removal/app/views/users/slimming.html.slim

+#content
+  .container
+    h2 Search for: #{{@query}}
+    p== @user.name
+
+  == render 'slimmer'

test/apps/rails4_with_engines/engines/user_removal/config/routes.rb

+Rails32::Application.routes.draw do
+  resources :users do
+    get 'mixed_in'
+  end
+  
+  match 'remove' => 'removal#remove_this_too'
+  match 'implicit' => 'removal#implicit_render'
+
+  # The priority is based upon order of creation:
+  # first created -> highest priority.
+
+  # Sample of regular route:
+  #   match 'products/:id' => 'catalog#view'
+  # Keep in mind you can assign values other than :controller and :action
+
+  # Sample of named route:
+  #   match 'products/:id/purchase' => 'catalog#purchase', :as => :purchase
+  # This route can be invoked with purchase_url(:id => product.id)
+
+  # Sample resource route (maps HTTP verbs to controller actions automatically):
+  #   resources :products
+
+  # Sample resource route with options:
+  #   resources :products do
+  #     member do
+  #       get 'short'
+  #       post 'toggle'
+  #     end
+  #
+  #     collection do
+  #       get 'sold'
+  #     end
+  #   end
+
+  # Sample resource route with sub-resources:
+  #   resources :products do
+  #     resources :comments, :sales
+  #     resource :seller
+  #   end
+
+  # Sample resource route with more complex sub-resources
+  #   resources :products do
+  #     resources :comments
+  #     resources :sales do
+  #       get 'recent', :on => :collection
+  #     end
+  #   end
+
+  # Sample resource route within a namespace:
+  #   namespace :admin do
+  #     # Directs /admin/products/* to Admin::ProductsController
+  #     # (app/controllers/admin/products_controller.rb)
+  #     resources :products
+  #   end
+
+  # You can have the root of your site routed with "root"
+  # just remember to delete public/index.html.
+  # root :to => 'welcome#index'
+
+  # See how all your routes lay out with "rake routes"
+
+  # This is a legacy wild controller route that's not recommended for RESTful applications.
+  # Note: This route will make all actions in every controller accessible via GET requests.
+  # match ':controller(/:action(/:id))(.:format)'
+end

test/apps/rails4_with_engines/engines/user_removal/lib/user_removal.rb

+module UserRemoval
+  class Engine < Rails::Engine
+
+    initializer :assets do |config|
+      Rails.application.config.assets.precompile += Dir.glob(root.join('app/assets/stylesheets/**/*.css*')).collect {|f| f.gsub(%r{.*/app/assets/stylesheets/}, "").gsub(/\.css.*/, '.css') }
+      Rails.application.config.assets.precompile += Dir.glob(root.join('app/assets/javascripts/**/*.js')).collect {|f| f.gsub(%r{.*/app/assets/javascripts/}, "") }
+    end
+  end
+end

test/apps/rails4_with_engines/public/404.html

+<!DOCTYPE html>
+<html>
+<head>
+  <title>The page you were looking for doesn't exist (404)</title>
+  <style>
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/404.html -->
+  <div class="dialog">
+    <h1>The page you were looking for doesn't exist.</h1>
+    <p>You may have mistyped the address or the page may have moved.</p>
+  </div>
+  <p>If you are the application owner check the logs for more information.</p>
+</body>
+</html>

test/apps/rails4_with_engines/public/422.html

+<!DOCTYPE html>
+<html>
+<head>
+  <title>The change you wanted was rejected (422)</title>
+  <style>
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/422.html -->
+  <div class="dialog">
+    <h1>The change you wanted was rejected.</h1>
+    <p>Maybe you tried to change something you didn't have access to.</p>
+  </div>
+</body>
+</html>

test/apps/rails4_with_engines/public/500.html

+<!DOCTYPE html>
+<html>
+<head>
+  <title>We're sorry, but something went wrong (500)</title>
+  <style>
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/500.html -->
+  <div class="dialog">
+    <h1>We're sorry, but something went wrong.</h1>
+  </div>
+  <p>If you are the application owner check the logs for more information.</p>
+</body>
+</html>

test/apps/rails4_with_engines/public/robots.txt

+# See http://www.robotstxt.org/wc/norobots.html for documentation on how to use the robots.txt file
+#
+# To ban all spiders from the entire site uncomment the next two lines:
+# User-agent: *
+# Disallow: /

test/apps/rails4_with_engines/test/test_helper.rb

+ENV["RAILS_ENV"] = "test"
+require File.expand_path('../../config/environment', __FILE__)
+require 'rails/test_help'
+
+class ActiveSupport::TestCase
+  ActiveRecord::Migration.check_pending!
+
+  # Setup all fixtures in test/fixtures/*.yml for all tests in alphabetical order.
+  #
+  # Note: You'll currently still have to declare fixtures explicitly in integration tests
+  # -- they do not yet inherit this setting
+  fixtures :all
+
+  # Add more helper methods to be used by all tests here...
+end

test/tests/rails4_with_engines.rb

+abort "Please run using test/test.rb" unless defined? BrakemanTester
+
+Rails4WithEngines = BrakemanTester.run_scan "rails4_with_engines", "Rails4WithEngines"
+
+class Rails4WithEnginesTests < Test::Unit::TestCase
+  include BrakemanTester::FindWarning
+  include BrakemanTester::CheckExpected
+
+  def expected
+    @expected ||= {
+      :controller => 0,
+      :model => 5,
+      :template => 9,
+      :generic => 2 }
+  end
+
+  def report
+    Rails4WithEngines
+  end
+
+  def test_redirect_1
+    assert_warning :type => :generic,
+      :warning_code => 18,
+      :fingerprint => "6d27826e07e583ba9c6ae1f33843089fd1d8b1a2c359e00bf636e64a85a47feb",
+      :warning_type => "Redirect",
+      :line => 14,
+      :message => /^Possible\ unprotected\ redirect/,
+      :confidence => 0,
+      :relative_path => "engines/user_removal/app/controllers/removal_controller.rb"
+  end
+
+  def test_session_setting_2
+    assert_warning :type => :generic,
+      :warning_code => 29,
+      :fingerprint => "715ad9c0d76f57a6a657192574d528b620176a80fec969e2f63c88eacab0b984",
+      :warning_type => "Session Setting",
+      :line => 12,
+      :message => /^Session\ secret\ should\ not\ be\ included\ in/,
+      :confidence => 0,
+      :relative_path => "config/initializers/secret_token.rb"
+  end
+
+  def test_cross_site_scripting_3
+    assert_warning :type => :template,
+      :warning_code => 2,
+      :fingerprint => "598b957fea4a202a75e1d8101a8c21332b10b2c0e9ca4ffad6c18407bde6615d",
+      :warning_type => "Cross Site Scripting",
+      :line => 1,
+      :message => /^Unescaped\ model\ attribute/,
+      :confidence => 0,
+      :relative_path => "engines/user_removal/app/views/removal/_partial.html.erb"
+  end
+
+  def test_cross_site_scripting_4
+    assert_warning :type => :template,
+      :warning_code => 2,
+      :fingerprint => "011d330ea62763eb61684cccc4169518b0876eadbab2b469e3526548f3da3795",
+      :warning_type => "Cross Site Scripting",
+      :line => 1,
+      :message => /^Unescaped\ parameter\ value/,
+      :confidence => 0,
+      :relative_path => "engines/user_removal/app/views/removal/controller_removed.html.erb"
+  end
+
+  def test_cross_site_scripting_5
+    assert_warning :type => :template,
+      :warning_code => 2,
+      :fingerprint => "26da712dc3289b873b7928b54bde6da038cbf891ec11076897e062f32939863e",
+      :warning_type => "Cross Site Scripting",
+      :line => 2,
+      :message => /^Unescaped\ parameter\ value/,
+      :confidence => 0,
+      :relative_path => "engines/user_removal/app/views/removal/implicit_render.html.erb"
+  end
+
+  def test_cross_site_scripting_6
+    assert_warning :type => :template,
+      :warning_code => 2,
+      :fingerprint => "52c513069319d44e03c5ac21806d47c1f05393fe35a5026314c8064f70ff0375",
+      :warning_type => "Cross Site Scripting",
+      :line => 1,
+      :message => /^Unescaped\ model\ attribute/,
+      :confidence => 0,
+      :relative_path => "engines/user_removal/app/views/users/_form.html.erb"
+  end
+
+  def test_cross_site_scripting_7
+    assert_warning :type => :template,
+      :warning_code => 2,
+      :fingerprint => "9d94ba6993f761ff688b5a8d428c793486cd8bf42f487a44d895a96f658dca50",
+      :warning_type => "Cross Site Scripting",
+      :line => 6,
+      :message => /^Unescaped\ parameter\ value/,
+      :confidence => 0,
+      :relative_path => "engines/user_removal/app/views/users/_slimmer.html.slim"
+  end
+
+  def test_cross_site_scripting_8
+    assert_warning :type => :template,
+      :warning_code => 2,
+      :fingerprint => "9d576795978cf6681a0cd17f7250ea267ab2ac7888dd5f6100331d5c0684beb3",
+      :warning_type => "Cross Site Scripting",
+      :line => 8,
+      :message => /^Unescaped\ model\ attribute/,
+      :confidence => 0,
+      :relative_path => "engines/user_removal/app/views/users/_slimmer.html.slim"
+  end
+
+  def test_cross_site_scripting_9
+    assert_warning :type => :template,
+      :warning_code => 2,
+      :fingerprint => "822a9a031ab38ae9e2b3580ce6eb28e6372852f289c9e65b347a9182c918d551",
+      :warning_type => "Cross Site Scripting",
+      :line => 15,
+      :message => /^Unescaped\ parameter\ value/,
+      :confidence => 0,
+      :relative_path => "engines/user_removal/app/views/users/show.html.erb"
+  end
+
+  def test_cross_site_scripting_10
+    assert_warning :type => :template,
+      :warning_code => 2,
+      :fingerprint => "aa06d3e4d8e00ccf6169d9293b1ef90365917c46fa21678d248494f7767d1d15",
+      :warning_type => "Cross Site Scripting",
+      :line => 3,
+      :message => /^Unescaped\ parameter\ value/,
+      :confidence => 0,
+      :relative_path => "engines/user_removal/app/views/users/slimming.html.slim"
+  end
+
+  def test_cross_site_scripting_11
+    assert_warning :type => :template,
+      :warning_code => 2,
+      :fingerprint => "6628d5e2059d14b31e7c37251ac7380ddbe44e937d78d4e955763d5d53df08fc",
+      :warning_type => "Cross Site Scripting",
+      :line => 4,
+      :message => /^Unescaped\ model\ attribute/,
+      :confidence => 0,
+      :relative_path => "engines/user_removal/app/views/users/slimming.html.slim"
+  end
+
+  def test_mass_assignment_12
+    assert_warning :type => :model,
+      :warning_code => 60,
+      :fingerprint => "18df17e4364b62c4ba1c6e2849f8302592c68d196ab43f753639f9043c1e4014",
+      :warning_type => "Mass Assignment",
+      #noline,
+      :message => /^Potentially\ dangerous\ attribute\ 'plan_id/,
+      :confidence => 2,
+      :relative_path => "engines/user_removal/app/models/account.rb"
+  end
+
+  def test_mass_assignment_13
+    assert_warning :type => :model,
+      :warning_code => 60,
+      :fingerprint => "e2fb5b0d650caf257ef86e32b101f9488738388e91039cc130c365a8df9b83fb",
+      :warning_type => "Mass Assignment",
+      #noline,
+      :message => /^Potentially\ dangerous\ attribute\ 'banned'/,
+      :confidence => 1,
+      :relative_path => "engines/user_removal/app/models/account.rb"
+  end
+
+  def test_mass_assignment_14
+    assert_warning :type => :model,
+      :warning_code => 60,
+      :fingerprint => "6276c85369c13ed06f18ca1dd9a7ef076077154e98f0c29b7938b5649a7d115d",
+      :warning_type => "Mass Assignment",
+      #noline,
+      :message => /^Potentially\ dangerous\ attribute\ 'account/,
+      :confidence => 0,
+      :relative_path => "engines/user_removal/app/models/user.rb"
+  end
+
+  def test_mass_assignment_15
+    assert_warning :type => :model,
+      :warning_code => 60,
+      :fingerprint => "6276c85369c13ed06f18ca1dd9a7ef076077154e98f0c29b7938b5649a7d115d",
+      :warning_type => "Mass Assignment",
+      #noline,
+      :message => /^Potentially\ dangerous\ attribute\ 'admin'\ /,
+      :confidence => 0,
+      :relative_path => "engines/user_removal/app/models/user.rb"
+  end
+
+  def test_mass_assignment_16
+    assert_warning :type => :model,
+      :warning_code => 60,
+      :fingerprint => "6fd655a6dcf618e378d5f7e7b3a9c038ed9b29d66ab89f9c28343265b2ff6d75",
+      :warning_type => "Mass Assignment",
+      #noline,
+      :message => /^Potentially\ dangerous\ attribute\ 'status_/,
+      :confidence => 2,
+      :relative_path => "engines/user_removal/app/models/user.rb"
+  end
+
+end