A few further notes on this, following some reading... The docs aren't very clear about it, either (http://flori.github.com/json/doc/index.html). There is a JSON.parse! method that they explicitly say is to be used only for trusted input, and it looks like JSON.load has some of the same default options.
To further confuse things, JSON.load has the very useful property that you can pass it a String or an IO (e.g. from Rack::Request#body), whereas JSON.parse only accepts a String.
Better yet would be to remove the trusted functionality entirely and give a good talking-to to whoever wrote it. A generic JSON parser shouldn't have an unsafe parsing method on it period. If you want to implement clever nonsense like this, do it at the next layer up and call it something else.
nice find. there is sql injection in 2.3.x and it effects all adapters and not just postgresql.
i just tried quoted_id and it works against mysql on 3.2.x as well. quoted_id is defined in abstract/quoting.rb and any adapter that forwards quotes to the superclass will use it.
I apologize for the ignorant question, but how does Ruby survive this in normal operation?
"Since Ruby symbols are not garbage collected, this can result in a denial of service attack."
If you have a long running Ruby app,and it does not garbage collect symbols, then those symbols are... constants I guess?That survive till the app stops operating? So I guess the assumption is that no app should use too many symbols (and they don't use much memory anyway?)
This is not an ignorant question. Any half-experienced Erlang developer can tell you that you use `list_to_existing_atom' rather than `list_to_atom' if you are ever doing dynamic things with atoms. So, if you're trying to accomplish dynamic module lookup and foo_baz.beam is in your code path, default startup will create the `foo_baz' atom, and you know that this atom will exist at runtime.
Symbols in Ruby are atoms (the term "atom" spans languages), and GC/space issues plague any persistent term like an atom, in any language.
And thus I arrive at a key question: Does Ruby have something like `list_to_existing_atom', or some mechanism for telling if a symbol exists already? I see no analog to this, only the `ID2SYM' macro in the extensions API, and similar calls like String#to_sym.
Perhaps there is some way to clean up symbols after they are created. This to me would seem like the ideal route. It's good they've got a stop-gap fix by changing defaults, but it feels to me like they're punting here. Perhaps users who do [ab]use this feature also would not like DOS attacks?
I hope others who know more about Ruby extension development, and symbol management capabilities, can chime in on these questions.
Indeed, when researching just now, I saw examples of people throwing strings at Module#const_defined?, which no doubt get converted to symbols straightaway.
So if you reference the symbol :foo, it will transparently get pinned in memory somewhere. Referencing :foo again will not allocate an additional object - the interpreter will just give you the existing symbol.
This is usually not an issue, because an application typically operates on a small, fixed set of known symbols. But if an attacker can generate arbitrary symbols (e.g. if you call .to_sym on user input), he can exhaust memory.
A long running app will normally reach a steady state in which no new symbols are created anymore. If you for any reason create new symbols (which are basically interned strings) every n seconds or requests, you will eventually run out of memory. However, that is almost never a concern in practice, because you rarely need to do that.
This seems like poor method naming; I would not intuitively understand that "load" is far more dangerous than "parse."
Why not deprecate these and do names like
JSON.load_trusted
JSON.load_untrusted