
@HonoreDB

This gem will typecast any string to a symbol when assigned to an enum column, even if the string does not fit the enum. This exposes a potential DoS vulnerability with common usage. Consider a model Enumeration with an enum column "color". Suppose a user fakes a form submit with the parameter color=invalid_color. The controller methods below will catch this in validation and prevent the model from being saved, but the symbol :invalid_color will still be created. Since symbols are never garbage-collected, a bunch of requests with random color params will eventually crash the server.

class EnumerationController < ApplicationController
  def new
    e = Enumeration.new(params) # symbol is created here
    e.save # validations fail here if turned on
  end

  def update
    Enumeration.find(params[:id]).update_attributes(params)
  end
end

This patch changes functionality slightly so that if an enum attribute is set to an invalid string, it'll just typecast it to nil instead of converting it to a symbol. You can bypass this by assigning the symbol directly.

Enumeration.color = 'invalid' # Enumeration.color == nil
Enumeration.color = :invalid  # Enumeration.color == :invalid

What do you think?
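The cast behaviour described in this PR, reduced to a stand-alone example (added here; this is not the gem's code and `EnumCaster`, `cast_naive` and `cast_strict` are names assumed for illustration). `cast_naive` interns every string it is given, which is the behaviour the PR reports; `cast_strict` only produces a symbol for a string that names an allowed member and otherwise yields nil, while a symbol assigned directly passes through, matching the bypass the PR describes. The comparison is done on the allowed members' string forms so that untrusted input never reaches `to_sym`.

```ruby
# Added example modelling the enum type cast discussed in this PR (not the gem's own code).
class EnumCaster
  attr_reader :allowed

  # allowed: the enum members, e.g. %w[red green blue]
  def initialize(allowed)
    @allowed = allowed.map(&:to_sym).freeze
  end

  # Behaviour the PR reports: any string becomes a symbol, so each distinct
  # attacker-controlled value interns a new symbol regardless of validation.
  def cast_naive(value)
    value.nil? ? nil : value.to_sym
  end

  # Behaviour the PR proposes: strings are only converted when they name an
  # allowed member; anything else casts to nil. Symbols pass through unchanged.
  def cast_strict(value)
    case value
    when Symbol then value
    when String then allowed.find { |member| member.to_s == value } # no to_sym on untrusted input
    else nil
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  caster = EnumCaster.new(%w[red green blue])
  # Constructed sample input standing in for a forged form parameter.
  forged = "invalid_color"
  p caster.cast_naive(forged)  # interns :invalid_color
  p caster.cast_strict(forged) # nil, nothing interned
  p caster.cast_strict(:invalid) # :invalid, direct symbol assignment is allowed through
end
```

The strict cast is what keeps a validation failure from leaving a side effect behind: the invalid value is rejected before a symbol exists, rather than after. As the closing comment on this PR notes, Ruby has since changed how it handles dynamically created symbols, so the severity of the original report depends on the Ruby version in use.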

@perplexes

👍, saw this with bundle-audit.

@HonoreDB
Author

There's a patched version at https://rubygems.org/gems/enum_column_strict for until this is merged.

@jonkessler

@electronick is this ever going to get merged? I see that there's a merge conflict now, but it would be great to get a new version of enum_column3 with this fix. It's been over a year now.

@HonoreDB
Author

HonoreDB commented Nov 7, 2014

@electronick If you're going to be around and willing to merge this, I'll fix the merge conflict. If you don't want to change the functionality I'll just merge more stuff into my fork.

@HonoreDB
Author

HonoreDB commented Nov 5, 2018

Closing this ancient PR as Ruby's now better at handling dynamic symbols.

@HonoreDB HonoreDB closed this Nov 5, 2018
