0
Customer.find(:all, :select => 'id', :order => 'updated_at DESC', :readonly => true, :conditions => { :status_id => Customer.id_for_status(params[:id].to_sym) }, :offset => offset, :limit => 30).collect(&:id)

Above is my query in that I am getting warning like

Symbol conversion from unsafe string (parameter value) near line 33: params[:id].to_sym

This is the warning of Denial of Service. Anybody have any idea how can I fix this warning?

Thanks In Advance

Dipak Panchal
  • 5,996
  • 4
  • 32
  • 68
  • 1
    The method `id_for_status` can be changed to accept a String instead of a symbol ? – Baldrick Jun 05 '14 at 17:43
  • Just an educated guess: Try truncating to some reasonable max length: `params[:id][0...20].to_sym`. My guess is that rails is trying to protect you from using up an enormous amount of symbol intern space (once a symbol is used, the space holding its characters is never released). If that doesn't work, you'll have to validate the parameter before symbol conversion. – Gene Jun 05 '14 at 17:47

1 Answers1

3

The problem here is params[:id].to_sym

When the string which would be converted to symbol is an open set, you should NOT convert them into symbols. Each symbol created will not be garbage collected, and could create potential memory leak which makes your system vulnerable to Dos attacks.

Problem was resolved in Ruby 2.2. but still - rather white list anything that would be converted into symbols.

knagode
  • 5,816
  • 5
  • 49
  • 65