Make CheckSymbolDoS an optional check #570
but keep check for CVE-2013-1854 on by default.
I did some very simple benchmarking creating symbols (with ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-linux]). After creating 10 million symbols, the memory usage was ~2.3GB. Assuming a single-threaded, single-process Rails app with 100ms response times creating one new symbol per request, that would take ~11.5 days (late at night, math might be wrong). I don't think this is a very effective DoS attack. If you have multiple Rails processes, then one falling over and restarting once every few weeks is not a huge deal.
Additionally, Ruby 2.2 will garbage collect symbols, so eventually this will be a problem of the past.
I'm curious if people think this is a serious enough security issue to warrant these kinds of warnings, or if it is okay to make this an optional check which people can run if they are worried about memory leaks.
Alternatively, the confidence/severity of these warnings could be set to low.
I've heard of this happening once in the wild and it was a bug, not an attack. Turning it off by default would be totally reasonable, but if we want to infer ruby version, there are a number of ways to go. The is