Issue #7795 has been updated by Student (Nathan Zook).


When methods can be dynamically generated, things get hairy.  For instance, Active Record 1 & 2 defined > n! dynamic finders for each model where n is the number of columns in the model.  These methods are never all generated at once, but they can be.

Suppose one were to pass options to the to_json method that serializes the return data.  In Rails, any argumentless method on any object attached through any relationship chain can be valid.  That's a lot to monitor.

Once the hash is parsed, checks can be made to see if we want to allow the method to be called.  But that is only after the symbols have been created.

Thus the desire to check to see if the proposed symbol is new before creating it.
----------------------------------------
Feature #7795: Symbol.defined? and/or to_existing_symbol
https://bugs.ruby-lang.org/issues/7795#change-36022

Author: Student (Nathan Zook)
Status: Open
Priority: Normal
Assignee: 
Category: core
Target version: next minor


I'm pulling this out from deep in the discussions of issue http://bugs.ruby-lang.org/issues/7791, Let Symbols be Garbage Collected.

The problem is that the extreme utility of symbols makes them enticing to use, which results in a DOS vulnerability.  My proposal is to add either of a pair of methods that would make it easy to defend against a DOS along these lines.

#1) Symbol.defined?

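In existing code, it might look like this:
class Symbol
  # True if a symbol with this name already exists; compares as strings,
  # so the argument itself is never interned.
  def self.defined?(string)
    all_symbols.any? { |sym| sym.to_s == string }
  end
end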

#2) to_existing_sym.  This would be defined in the same places as to_sym, but would throw an argument error if the symbol did not already exist.



-- 
http://bugs.ruby-lang.org/
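
Added example, not part of the original message and not Ruby's own API: a sketch of the lookup-before-intern check the proposal asks for, applied to the to_json-style case of client-supplied method names. The names existing_sym, permitted_methods and Account are hypothetical, and the sample record is constructed.

```ruby
# Added example: resolve client-supplied names to symbols without ever
# calling to_sym on the input. All names here are hypothetical.

# Return the Symbol already named +name+, or raise ArgumentError.
# Scans Symbol.all_symbols like the sketch in the proposal (O(n) per call);
# the input string is only compared, never interned.
def existing_sym(name)
  Symbol.all_symbols.find { |sym| sym.to_s == name } or
    raise ArgumentError, "no existing symbol named #{name.inspect}"
end

# Keep only requested names that are already symbols, are public on
# +record+, and take no arguments. Unknown names are dropped as strings.
def permitted_methods(record, requested)
  requested.each_with_object([]) do |name, allowed|
    sym = begin
      existing_sym(name.to_s)
    rescue ArgumentError
      next                                       # never seen: reject, no symbol made
    end
    next unless record.respond_to?(sym)          # public methods only
    next unless record.method(sym).arity.zero?   # argumentless only
    allowed << sym
  end
end

# Constructed sample record with one method that takes an argument.
Account = Struct.new(:login, :email) do
  def rename(new_login)
    self.login = new_login
  end
end

if __FILE__ == $0
  acct = Account.new("nz", "nz@example.test")
  p permitted_methods(acct, ["login", "email", "rename", "no_such_name_9f3a"])
end
```
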