Project

General

Profile

Actions

Feature #5072

closed

Avoid inadvertent symbol creation in reflection methods

Added by jeremyevans0 (Jeremy Evans) over 13 years ago. Updated over 13 years ago.

Status:
Closed
Target version:
-
[ruby-core:38367]

Description

I recently discovered a denial of service vulnerability in ActiveRecord's mass assignment methods related to the insecure use of ruby's reflection methods (e.g. respond_to?). Because these methods take strings and automatically create symbols from them, they are not safe to call with a string coming from the user. Because they create the symbol internally, they look safe, but if you pass user-created strings to these methods, you open yourself up to denial of service through memory exhaustion (see http://sequel.heroku.com/2011/07/16/dangerous-reflection/).

This could be fixed using a fairly simple observation, which is that if you do:

respond_to?("foo")

and "foo" is not already in the symbol table, no method named "foo" can exist. So this code provides a patch that changes the reflection methods to return false immediately if given a string which doesn't already exist in the symbol table. There should be no performance impact from this, since the symbol table lookup has to be done anyway.

I'm also adding an earlier patch I wrote that adds String#interned?, for checking if a string is already interned. There was an internal method for this added in r10932, but it must have been removed while the prototype was left in intern.h. String#interned? allows a user to check if a string is already in the symbol table, and can be used by user code to ensure that symbols are not created inadvertently.


Files


Related issues 3 (0 open3 closed)

Related to Ruby master - Feature #5112: Remove inadvertent symbol creation from send, __send__, and public_sendClosed07/28/2011Actions
Follows Ruby master - Feature #5079: More removal of inadvertent symbol creationClosedjeremyevans0 (Jeremy Evans)07/23/2011Actions
Follows Ruby master - Feature #5089: Even More Inadvertent Symbol Removal, And Fix Issue With Previous CodeClosed07/24/2011Actions
Actions

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0Like0Like0