brakeman 4.3.0 → 4.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b713c88d7aa856518beb948e7d39c0b43dda963378064d5a3126f9684d6d6a2d
-  data.tar.gz: 3ed9ad3b22f8196745f64019867776a6c09984d19fdcbe166046aadbbc4b545c
+  metadata.gz: b7912833fc9223bcc1cc51f6a167010c98efa8d7708d17cb885982b6abc9aff9
+  data.tar.gz: dbbb0d18b323adb38ed5477ae02150f9b87a5f7925720665c29f81642634621b
 SHA512:
-  metadata.gz: 90414d86f666acb334d05532d07b1edcf7cb90b8174e4682e06c6fd37c7063709043bf95767246f9529d897e0d39637a0088f2ce32fce1c1db78cd9040e38664
-  data.tar.gz: b3cdf474521d19cfc27cfd06d9168b3fc97284ff4ad6f73e2615c15099e93a84d0e90b24c185af5108c49b4fac07dae7acd3717f7f9e4f54f1dbd57f487cca17
+  metadata.gz: 4b4295ab0723815f53330abf5f83f302d497aea30b8a6d12859956c425e85cc2b1308bceed3b92083955c4cc17d3d1cae0023f182d8e7504ae2061dd30f5c272
+  data.tar.gz: 2b87b43e89e578da4ee186ae0c395bfe9f444784a4c19875f87a8f1f4bafba92e3d975f288779b873d3fa8811ae2cb5d15bfccb8b9695e696c0640fac80c8030

data/CHANGES.md

@@ -1,3 +1,16 @@
+# 4.3.1
+
+* Ignore `Object#freeze`, use the target instead
+* Ignore `foreign_key` calls in SQL
+* Handle `included` calls outside of classes/modules
+* Add `:BRAKEMAN_SAFE_LITERAL` to represent known-safe literals
+* Handle `Array#map` and `Array#each` over literal arrays
+* Use safe literal when accessing literal hash with unknown key
+* Avoid deprecated use of ERB in Ruby 2.6 (Koichi ITO)
+* Allow `symbolize_keys` to be called on `params` in SQL (Jacob Evelyn)
+* Improve handling of conditionals in shell commands (Jacob Evenlyn)
+* Fix error when setting line number in implicit renders
+
 # 4.3.0
 
 * Check exec-type calls even if they are targets

data/README.md

@@ -82,9 +82,9 @@ If Brakeman is running a bit slow, try
 
 This will disable some features, but will probably be much faster (currently it is the same as `--skip-libs --no-branching`). *WARNING*: This may cause Brakeman to miss some vulnerabilities.
 
-By default, Brakeman will return 0 as an exit code unless something went very wrong. To return an error code when warnings were found:
+By default, Brakeman will return a non-zero exit code if any security warnings are found or scanning errors are encountered. To disable this:
 
-    brakeman -z
+    brakeman --no-exit-on-warn --no-exit-on-error
 
 To skip certain files or directories that Brakeman may have trouble parsing, use:
 

data/bundle/load.rb

@@ -10,6 +10,6 @@ $:.unshift "#{path}/bundle/ruby/2.5.0/gems/ruby_parser-3.11.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.5.0/gems/sexp_processor-4.11.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.5.0/gems/ruby2ruby-2.4.1/lib"
 $:.unshift "#{path}/bundle/ruby/2.5.0/gems/slim-3.0.7/lib"
-$:.unshift "#{path}/bundle/ruby/2.5.0/gems/unicode-display_width-1.3.2/lib"
+$:.unshift "#{path}/bundle/ruby/2.5.0/gems/unicode-display_width-1.4.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.5.0/gems/erubis-2.7.0/lib"
 $:.unshift "#{path}/bundle/ruby/2.5.0/gems/safe_yaml-1.0.4/lib"

data/bundle/ruby/2.5.0/gems/{unicode-display_width-1.3.2 → unicode-display_width-1.4.0}/CHANGELOG.md

@@ -1,5 +1,14 @@
 # CHANGELOG
 
+## 1.4.0
+
+- Unicode 11
+
+## 1.3.3
+
+- Replace Gem::Util.gunzip with direct zlib implementation
+  This removes the dependency on rubygems, fixes #17
+
 ## 1.3.2
 
 - Explicitly load rubygems/util, fixes regression in 1.3.1 (autoload issue)

data/bundle/ruby/2.5.0/gems/{unicode-display_width-1.3.2 → unicode-display_width-1.4.0}/MIT-LICENSE.txt

@@ -1,6 +1,6 @@
 The MIT LICENSE
 
-Copyright (c) 2011, 2015-2017 Jan Lelis
+Copyright (c) 2011, 2015-2018 Jan Lelis
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/bundle/ruby/2.5.0/gems/{unicode-display_width-1.3.2 → unicode-display_width-1.4.0}/README.md

@@ -2,7 +2,11 @@
 
 Determines the monospace display width of a string in Ruby. Implementation based on [EastAsianWidth.txt](http://www.unicode.org/Public/UNIDATA/EastAsianWidth.txt) and other data, 100% in Ruby. Other than [wcwidth()](https://github.com/janlelis/wcswidth-ruby), which fulfills a similar purpose, it does not rely on the OS vendor to provide an up-to-date method for measuring string width.
 
-Unicode version: **10.0.0**
+Unicode version: **11.0.0**
+
+Supported Rubies: **2.5**, **2.4**, **2.3**
+
+Old Rubies that might still work: **2.2**, **2.1**, **2.0**, **1.9**
 
 ## Introduction to Character Widths
 
@@ -114,7 +118,7 @@ See [unicode-x](https://github.com/janlelis/unicode-x) for more Unicode related
 
 ## Copyright & Info
 
-- Copyright (c) 2011, 2015-2017 Jan Lelis, http://janlelis.com, released under the MIT
+- Copyright (c) 2011, 2015-2018 Jan Lelis, http://janlelis.com, released under the MIT
 license
 - Early versions based on runpaint's unicode-data interface: Copyright (c) 2009 Run Paint Run Run
 - Unicode data: http://www.unicode.org/copyright.html#Exhibit1

data/bundle/ruby/2.5.0/gems/{unicode-display_width-1.3.2 → unicode-display_width-1.4.0}/lib/unicode/display_width/constants.rb

@@ -1,7 +1,7 @@
 module Unicode
   module DisplayWidth
-    VERSION = '1.3.2'
-    UNICODE_VERSION = "10.0.0".freeze
+    VERSION = '1.4.0'
+    UNICODE_VERSION = "11.0.0".freeze
     DATA_DIRECTORY = File.expand_path(File.dirname(__FILE__) + '/../../../data/').freeze
     INDEX_FILENAME = (DATA_DIRECTORY + '/display_width.marshal.gz').freeze
   end

data/bundle/ruby/2.5.0/gems/unicode-display_width-1.4.0/lib/unicode/display_width/index.rb

@@ -0,0 +1,12 @@
+require 'zlib'
+require_relative 'constants'
+
+module Unicode
+  module DisplayWidth
+    File.open(INDEX_FILENAME, "rb") do |file|
+      serialized_data = Zlib::GzipReader.new(file).read
+      serialized_data.force_encoding Encoding::BINARY
+      INDEX = Marshal.load(serialized_data)
+    end
+  end
+end

data/lib/brakeman/checks/check_execute.rb

@@ -143,7 +143,13 @@ class Brakeman::CheckExecute < Brakeman::BaseCheck
       next if SAFE_VALUES.include? e
       next if shell_escape? e
 
-      if node_type? e, :or, :evstr, :dstr
+      if node_type? e, :if
+        # If we're in a conditional, evaluate the `then` and `else` clauses to
+        # see if they're dangerous.
+        if res = dangerous?(e.values[1..-1])
+          return res
+        end
+      elsif node_type? e, :or, :evstr, :dstr
         if res = dangerous?(e)
           return res
         end

data/lib/brakeman/checks/check_sql.rb

@@ -290,7 +290,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     end
 
     if request_value? arg
-      unless call? arg and params? arg.target and [:permit, :slice, :to_h, :to_hash].include? arg.method
+      unless call? arg and params? arg.target and [:permit, :slice, :to_h, :to_hash, :symbolize_keys].include? arg.method
         # Model.where(params[:where])
         arg
       end
@@ -404,6 +404,8 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
       nil
     elsif call? value and value.method == :to_s
       unsafe_string_interp? value.target
+    elsif call? value and safe_literal_target? value
+      nil
     else
       case value.node_type
       when :or
@@ -576,7 +578,7 @@ class Brakeman::CheckSQL < Brakeman::BaseCheck
     :sanitize_sql_for_assignment, :sanitize_sql_for_conditions, :sanitize_sql_hash,
     :sanitize_sql_hash_for_assignment, :sanitize_sql_hash_for_conditions,
     :to_sql, :sanitize, :primary_key, :table_name_prefix, :table_name_suffix,
-    :where_values_hash
+    :where_values_hash, :foreign_key
   ]
 
   def safe_value? exp

data/lib/brakeman/parsers/template_parser.rb

@@ -58,7 +58,11 @@ module Brakeman
         Brakeman::ScannerErubis.new(text, :filename => path).src
       else
         require 'erb'
-        src = ERB.new(text, nil, path).src
+        src = if ERB.instance_method(:initialize).parameters.assoc(:key) # Ruby 2.6+
+          ERB.new(text, trim_mode: path).src
+        else
+          ERB.new(text, nil, path).src
+        end
         src.sub!(/^#.*\n/, '') if Brakeman::Scanner::RUBY_1_9
         src
       end

data/lib/brakeman/processors/alias_processor.rb

@@ -2,6 +2,7 @@ require 'brakeman/util'
 require 'ruby_parser/bm_sexp_processor'
 require 'brakeman/processors/lib/processor_helper'
 require 'brakeman/processors/lib/safe_call_helper'
+require 'brakeman/processors/lib/call_conversion_helper'
 
 #Returns an s-expression with aliases replaced with their value.
 #This does not preserve semantics (due to side effects, etc.), but it makes
@@ -10,6 +11,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   include Brakeman::ProcessorHelper
   include Brakeman::SafeCallHelper
   include Brakeman::Util
+  include Brakeman::CallConversionHelper
 
   attr_reader :result, :tracker
 
@@ -122,7 +124,7 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     end
 
     if hash? t
-      if v = hash_access(t, exp.first_arg)
+      if v = process_hash_access(t, exp.first_arg)
         v.deep_clone(exp.line)
       else
         case t.node_type
@@ -202,49 +204,19 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     case method
     when :+
       if array? target and array? first_arg
-        joined = join_arrays target, first_arg
-        joined.line(exp.line)
-        exp = joined
+        exp = join_arrays(target, first_arg, exp)
       elsif string? first_arg
-        if string? target # "blah" + "blah"
-          joined = join_strings target, first_arg
-          joined.line(exp.line)
-          exp = joined
-        elsif call? target and target.method == :+ and string? target.first_arg
-          joined = join_strings target.first_arg, first_arg
-          joined.line(exp.line)
-          target.first_arg = joined
-          exp = target
-        end
+        exp = join_strings(target, first_arg, exp)
       elsif number? first_arg
-        if number? target
-          exp = Sexp.new(:lit, target.value + first_arg.value)
-        elsif call? target and target.method == :+ and number? target.first_arg
-          target.first_arg = Sexp.new(:lit, target.first_arg.value + first_arg.value)
-          exp = target
-        end
-      end
-    when :-
-      if number? target and number? first_arg
-        exp = Sexp.new(:lit, target.value - first_arg.value)
-      end
-    when :*
-      if number? target and number? first_arg
-        exp = Sexp.new(:lit, target.value * first_arg.value)
-      end
-    when :/
-      if number? target and number? first_arg
-        unless first_arg.value == 0 and not target.value.is_a? Float
-          exp = Sexp.new(:lit, target.value / first_arg.value)
-        end
+        exp = math_op(:+, target, first_arg, exp)
       end
+    when :-, :*, :/
+      exp = math_op(method, target, first_arg, exp)
     when :[]
       if array? target
-        temp_exp = process_array_access target, exp.args
-        exp = temp_exp if temp_exp
+        exp = process_array_access(target, exp.args, exp)
       elsif hash? target
-        temp_exp = process_hash_access target, first_arg
-        exp = temp_exp if temp_exp
+        exp = process_hash_access(target, first_arg, exp)
       end
     when :merge!, :update
       if hash? target and hash? first_arg
@@ -287,8 +259,8 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
         exp = target[1]
       end
     when :freeze
-      if string? target
-        exp = process exp.target
+      unless target.nil?
+        exp = target
       end
     when :join
       if array? target and target.length > 2 and (string? first_arg or first_arg.nil?)
@@ -364,28 +336,37 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     @exp_context.push exp
     exp[1] = process exp.block_call
     if array_detect_all_literals? exp[1]
-      return exp.block_call.target[1]
+      return safe_literal(exp.line)
     end
 
     @exp_context.pop
 
     env.scope do
-      exp.block_args.each do |e|
-        #Force block arg(s) to be local
-        if node_type? e, :lasgn
-          env.current[Sexp.new(:lvar, e.lhs)] = Sexp.new(:lvar, e.lhs)
-        elsif node_type? e, :kwarg
-          env.current[Sexp.new(:lvar, e[1])] = e[2]
-        elsif node_type? e, :masgn, :shadow
-          e[1..-1].each do |var|
-            local = Sexp.new(:lvar, var)
+      call = exp.block_call
+      block_args = exp.block_args
+
+      if call? call and [:each, :map].include? call.method and all_literals? call.target and block_args.length == 2 and block_args.last.is_a? Symbol
+        # Iterating over an array of all literal values
+        local = Sexp.new(:lvar, block_args.last)
+        env.current[local] = safe_literal(exp.line)
+      else
+        block_args.each do |e|
+          #Force block arg(s) to be local
+          if node_type? e, :lasgn
+            env.current[Sexp.new(:lvar, e.lhs)] = Sexp.new(:lvar, e.lhs)
+          elsif node_type? e, :kwarg
+            env.current[Sexp.new(:lvar, e[1])] = e[2]
+          elsif node_type? e, :masgn, :shadow
+            e[1..-1].each do |var|
+              local = Sexp.new(:lvar, var)
+              env.current[local] = local
+            end
+          elsif e.is_a? Symbol
+            local = Sexp.new(:lvar, e)
             env.current[local] = local
+          else
+            raise "Unexpected value in block args: #{e.inspect}"
           end
-        elsif e.is_a? Symbol
-          local = Sexp.new(:lvar, e)
-          env.current[local] = local
-        else
-          raise "Unexpected value in block args: #{e.inspect}"
         end
       end
 
@@ -715,18 +696,14 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
   def array_include_all_literals? exp
     call? exp and
     exp.method == :include? and
-    node_type? exp.target, :array and
-    exp.target.length > 1 and
-    exp.target.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
+    all_literals? exp.target
   end
 
   def array_detect_all_literals? exp
     call? exp and
     [:detect, :find].include? exp.method and
-    node_type? exp.target, :array and
-    exp.target.length > 1 and
     exp.first_arg.nil? and
-    exp.target.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
+    all_literals? exp.target
   end
 
   #Sets @inside_if = true
@@ -767,12 +744,12 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
             # set x to "a" inside the true branch
             var = condition.first_arg
             previous_value = env.current[var]
-            env.current[var] = condition.target[1]
+            env.current[var] = safe_literal(var.line)
             exp[branch_index] = process_if_branch branch
             env.current[var] = previous_value
           elsif i == 1 and array_include_all_literals? condition and early_return? branch
             var = condition.first_arg
-            env.current[var] = condition.target[1]
+            env.current[var] = safe_literal(var.line)
             exp[branch_index] = process_if_branch branch
           else
             exp[branch_index] = process_if_branch branch
@@ -911,45 +888,6 @@ class Brakeman::AliasProcessor < Brakeman::SexpProcessor
     exp.or_depth >= @or_depth_limit
   end
 
-  #Process single integer access to an array.
-  #
-  #Returns the value inside the array, if possible.
-  def process_array_access target, args
-    if args.length == 1 and integer? args.first
-      index = args.first.value
-
-      #Have to do this because first element is :array and we have to skip it
-      target[1..-1][index]
-    else
-      nil
-    end
-  end
-
-  #Process hash access by returning the value associated
-  #with the given argument.
-  def process_hash_access target, index
-    hash_access(target, index)
-  end
-
-  #Join two array literals into one.
-  def join_arrays array1, array2
-    result = Sexp.new(:array)
-    result.concat array1[1..-1]
-    result.concat array2[1..-1]
-  end
-
-  #Join two string literals into one.
-  def join_strings string1, string2
-    result = Sexp.new(:str)
-    result.value = string1.value + string2.value
-
-    if result.value.length > 50
-      string1
-    else
-      result
-    end
-  end
-
   # Change x.send(:y, 1) to x.y(1)
   def collapse_send_call exp, first_arg
     # Handle try(&:id)

data/lib/brakeman/processors/controller_alias_processor.rb

@@ -179,8 +179,11 @@ class Brakeman::ControllerAliasProcessor < Brakeman::AliasProcessor
     # method as the line number
     if line.nil? and controller = @tracker.controllers[@current_class]
       if meth = controller.get_method(@current_method)
-        line = meth[:src] && meth[:src].last && meth[:src].last.line
-        line += 1
+        if line = meth[:src] && meth[:src].last && meth[:src].last.line
+          line += 1
+        else
+          line = 1
+        end
       end
     end
 

data/lib/brakeman/processors/lib/call_conversion_helper.rb

@@ -0,0 +1,90 @@
+module Brakeman
+  module CallConversionHelper
+    def all_literals? exp, expected_type = :array
+      node_type? exp, expected_type and
+        exp.length > 1 and
+        exp.all? { |e| e.is_a? Symbol or node_type? e, :lit, :str }
+    end
+
+    # Join two array literals into one.
+    def join_arrays lhs, rhs, original_exp = nil
+      if array? lhs and array? rhs
+        result = Sexp.new(:array).line(lhs.line)
+        result.concat lhs[1..-1]
+        result.concat rhs[1..-1]
+        result
+      else
+        original_exp
+      end
+    end
+
+    # Join two string literals into one.
+    def join_strings lhs, rhs, original_exp = nil
+      if string? lhs and string? rhs
+        result = Sexp.new(:str).line(lhs.line)
+        result.value = lhs.value + rhs.value
+
+        if result.value.length > 50
+          # Avoid gigantic strings
+          lhs
+        else
+          result
+        end
+      elsif call? lhs and lhs.method == :+ and string? lhs.first_arg and string? rhs
+        joined = join_strings lhs.first_arg, rhs
+        lhs.first_arg = joined
+        lhs
+      elsif safe_literal? lhs or safe_literal? rhs
+        safe_literal(lhs.line)
+      else
+        original_exp
+      end
+    end
+
+    def math_op op, lhs, rhs, original_exp = nil
+      if number? lhs and number? rhs
+        if op == :/ and rhs.value == 0 and not lhs.value.is_a? Float
+          # Avoid division by zero
+          return original_exp
+        else
+          value = lhs.value.send(op, rhs.value)
+          Sexp.new(:lit, value).line(lhs.line)
+        end
+      elsif call? lhs and lhs.method == :+ and number? lhs.first_arg and number? rhs
+        # (x + 1) + 2 -> (x + 3)
+        lhs.first_arg = Sexp.new(:lit, lhs.first_arg.value + rhs.value).line(lhs.first_arg.line)
+        lhs
+      elsif safe_literal? lhs or safe_literal? rhs
+        safe_literal(lhs.line)
+      else
+        original_exp
+      end
+    end
+
+    # Process single integer access to an array.
+    #
+    # Returns the value inside the array, if possible.
+    def process_array_access array, args, original_exp = nil
+      if args.length == 1 and integer? args.first
+        index = args.first.value
+
+        #Have to do this because first element is :array and we have to skip it
+        array[1..-1][index] or original_exp
+      else
+        original_exp
+      end
+    end
+
+    # Process hash access by returning the value associated
+    # with the given argument.
+    def process_hash_access hash, index, original_exp = nil
+      if value = hash_access(hash, index)
+        value # deep_clone?
+      elsif all_literals? hash, :hash
+        safe_literal(hash.line)
+      else
+        original_exp
+      end
+    end
+  end
+end

data/lib/brakeman/processors/library_processor.rb

@@ -64,7 +64,7 @@ class Brakeman::LibraryProcessor < Brakeman::BaseProcessor
     res = process_default exp
 
     if node_type? res, :iter and call? exp.block_call # sometimes this changes after processing
-      if exp.block_call.method == :included
+      if exp.block_call.method == :included and (@current_module or @current_class)
         (@current_module || @current_class).options[:included] = res.block
       end
     end

data/lib/brakeman/util.rb

@@ -26,6 +26,8 @@ module Brakeman::Util
 
   ALL_COOKIES = Set[COOKIES, REQUEST_COOKIES]
 
+  SAFE_LITERAL = s(:lit, :BRAKEMAN_SAFE_LITERAL)
+
   #Convert a string from "something_like_this" to "SomethingLikeThis"
   #
   #Taken from ActiveSupport.
@@ -307,6 +309,22 @@ module Brakeman::Util
     call
   end
 
+  def safe_literal line = nil
+    s(:lit, :BRAKEMAN_SAFE_LITERAL).line(line || 0)
+  end
+
+  def safe_literal? exp
+    exp == SAFE_LITERAL
+  end
+
+  def safe_literal_target? exp
+    if call? exp
+      safe_literal_target? exp.target
+    else
+      safe_literal? exp
+    end
+  end
+
   def rails_version
     @tracker.config.rails_version
   end

data/lib/brakeman/version.rb

@@ -1,3 +1,3 @@
 module Brakeman
-  Version = "4.3.0"
+  Version = "4.3.1"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: brakeman
 version: !ruby/object:Gem::Version
-  version: 4.3.0
+  version: 4.3.1
 platform: ruby
 authors:
 - Justin Collins
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain:
 - brakeman-public_cert.pem
-date: 2018-05-11 00:00:00.000000000 Z
+date: 2018-06-07 00:00:00.000000000 Z
 dependencies: []
 description: Brakeman detects security vulnerabilities in Ruby on Rails applications
   via static analysis.
@@ -1220,18 +1220,18 @@ files:
 - bundle/ruby/2.5.0/gems/tilt-2.0.8/test/tilt_wikiclothtemplate_test.rb
 - bundle/ruby/2.5.0/gems/tilt-2.0.8/test/tilt_yajltemplate_test.rb
 - bundle/ruby/2.5.0/gems/tilt-2.0.8/tilt.gemspec
-- bundle/ruby/2.5.0/gems/unicode-display_width-1.3.2/CHANGELOG.md
-- bundle/ruby/2.5.0/gems/unicode-display_width-1.3.2/MIT-LICENSE.txt
-- bundle/ruby/2.5.0/gems/unicode-display_width-1.3.2/README.md
-- bundle/ruby/2.5.0/gems/unicode-display_width-1.3.2/Rakefile
-- bundle/ruby/2.5.0/gems/unicode-display_width-1.3.2/data/display_width.marshal.gz
-- bundle/ruby/2.5.0/gems/unicode-display_width-1.3.2/lib/unicode/display_width.rb
-- bundle/ruby/2.5.0/gems/unicode-display_width-1.3.2/lib/unicode/display_width/constants.rb
-- bundle/ruby/2.5.0/gems/unicode-display_width-1.3.2/lib/unicode/display_width/index.rb
-- bundle/ruby/2.5.0/gems/unicode-display_width-1.3.2/lib/unicode/display_width/no_string_ext.rb
-- bundle/ruby/2.5.0/gems/unicode-display_width-1.3.2/lib/unicode/display_width/string_ext.rb
-- bundle/ruby/2.5.0/gems/unicode-display_width-1.3.2/spec/display_width_spec.rb
-- bundle/ruby/2.5.0/gems/unicode-display_width-1.3.2/unicode-display_width.gemspec
+- bundle/ruby/2.5.0/gems/unicode-display_width-1.4.0/CHANGELOG.md
+- bundle/ruby/2.5.0/gems/unicode-display_width-1.4.0/MIT-LICENSE.txt
+- bundle/ruby/2.5.0/gems/unicode-display_width-1.4.0/README.md
+- bundle/ruby/2.5.0/gems/unicode-display_width-1.4.0/Rakefile
+- bundle/ruby/2.5.0/gems/unicode-display_width-1.4.0/data/display_width.marshal.gz
+- bundle/ruby/2.5.0/gems/unicode-display_width-1.4.0/lib/unicode/display_width.rb
+- bundle/ruby/2.5.0/gems/unicode-display_width-1.4.0/lib/unicode/display_width/constants.rb
+- bundle/ruby/2.5.0/gems/unicode-display_width-1.4.0/lib/unicode/display_width/index.rb
+- bundle/ruby/2.5.0/gems/unicode-display_width-1.4.0/lib/unicode/display_width/no_string_ext.rb
+- bundle/ruby/2.5.0/gems/unicode-display_width-1.4.0/lib/unicode/display_width/string_ext.rb
+- bundle/ruby/2.5.0/gems/unicode-display_width-1.4.0/spec/display_width_spec.rb
+- bundle/ruby/2.5.0/gems/unicode-display_width-1.4.0/unicode-display_width.gemspec
 - lib/brakeman.rb
 - lib/brakeman/app_tree.rb
 - lib/brakeman/call_index.rb
@@ -1327,6 +1327,7 @@ files:
 - lib/brakeman/processors/gem_processor.rb
 - lib/brakeman/processors/haml_template_processor.rb
 - lib/brakeman/processors/lib/basic_processor.rb
+- lib/brakeman/processors/lib/call_conversion_helper.rb
 - lib/brakeman/processors/lib/find_all_calls.rb
 - lib/brakeman/processors/lib/find_call.rb
 - lib/brakeman/processors/lib/find_return_value.rb

data/bundle/ruby/2.5.0/gems/unicode-display_width-1.3.2/lib/unicode/display_width/index.rb

@@ -1,8 +0,0 @@
-require 'rubygems/util'
-require_relative 'constants'
-
-module Unicode
-  module DisplayWidth
-    INDEX = Marshal.load(Gem::Util.gunzip(File.binread(INDEX_FILENAME)))
-  end
-end