Only treat public methods as routes

lib/brakeman/processors/controller_alias_processor.rb

@@ -201,10 +201,24 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
 
   #Returns true if the given method name is also a route
   def route? method
-    return true if @tracker.routes[:allow_all_actions] or @tracker.options[:assume_all_routes]
+    if @tracker.routes[:allow_all_actions] or @tracker.options[:assume_all_routes]
+      public_method? method
+    else
       routes = @tracker.routes[@current_class]
       routes and (routes == :allow_all_actions or routes.include? method)
     end
+  end
+
+  def public_method? method
+    controller = @tracker.controllers[@current_class]
+
+    if controller
+      controller[:public][method]
+    else
+      #Assume it is a public method but Brakeman messed up somewhere
+      true
+    end
+  end
 
   #Get list of filters, including those that are inherited
   def before_filter_list method, klass