Comments (2)
Aren't the only params stored in there the ones that are specifically defined in the route, or is there another way to populate that?
In this line:
https://github.com/intridea/grape/blob/master/lib/grape/endpoint.rb#L31
request is a Rack::Request. I am under the assumption that request.params will parse the URL query string and form posts into the params hash.
Under this assumption, I can query the server repeatedly with random query strings. The query string then gets parsed by Rack and turned into hashes. Then you convert the keys of that hash containing the query string into symbols in L33.
This is not safe, because I can query your server with randomly generated key/value pairs in the query string, and your code will convert all of them into symbols. If this is done long enough, the attacker can exhaust all memory on the server by bloating your app to death.
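To make the review point concrete, here is an added example (not Grape's own code) that contrasts symbolizing every untrusted key with symbolizing only the keys a route declares; the `DECLARED` list, the `UNTRUSTED_QUERY` string and the `parse_query` helper are constructed for the example.

```ruby
require 'uri'

# Constructed request: a query string the client controls end to end.
UNTRUSTED_QUERY = 'id=7&format=json&zz9plzq=1&random_key_8842=x'

# Parses the query string the way Rack would: every key is a String.
def parse_query(query)
  URI.decode_www_form(query).to_h
end

# Pattern under discussion: every untrusted key is interned as a Symbol.
# On Rubies without symbol garbage collection (before 2.2) each new key
# is a Symbol that is never freed, so unbounded distinct keys mean
# unbounded memory growth.
def symbolize_all(params)
  params.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
end

# Hardened pattern: only keys the route declares become Symbols; any
# other key stays a String, so client input can never create a Symbol.
# DECLARED stands in for the route's own params definition (assumed).
DECLARED = %i[id format].freeze

def symbolize_declared(params, declared = DECLARED)
  allowed = declared.map(&:to_s)
  params.each_with_object({}) do |(k, v), h|
    h[allowed.include?(k) ? k.to_sym : k] = v
  end
end

if $PROGRAM_NAME == __FILE__
  parsed = parse_query(UNTRUSTED_QUERY)
  puts "all symbolized:      #{symbolize_all(parsed).keys.inspect}"
  puts "declared only:       #{symbolize_declared(parsed).keys.inspect}"
end
```

Run stand-alone it prints the two key lists: the first turns the two random keys into Symbols, the second leaves them as Strings.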