Memory / Reference Leak

[aq1018]

Please see this line:

https://github.com/intridea/grape/blob/master/lib/grape/endpoint.rb#L33

It will leak since people will throw random params at your server. And you will keep all those keys as symbols in memory. I can intentionally bring a server down to it's knees by just repeatedly sending random params.

[bmorton]

aren't the only params stored in there the ones that are specifically defined in the route or is there another way to populate that?

[aq1018]

In this line:

https://github.com/intridea/grape/blob/master/lib/grape/endpoint.rb#L31

request is a Rack::Request. I am under the assumption that request.params will parse url query string and form posts into the params hash.

Under this assumption, I can query the server repeatedly with random query strings. The query string then gets parsed by rack and turned into hashes. Then you convert the keys of that hash containing query string into symbols in L33.

This is not safe, because I can query your server with randomly generated key value pairs in query string, and your code will convert all of them into symbols. If doing it long enough, the attacker can exhaust all memory on the server by bloating your app to death.