Denial of Service and Unsafe Object Creation Vulnerability in JSON Gem

72 points by ontoillogical over 12 years ago

5 comments

mapgrep over 12 years ago

> `JSON.load` should *never* be given input from unknown sources. If you are processing JSON from an unknown source, *always* use `JSON.parse`.

This seems like poor method naming; I would not intuitively understand that "load" is far more dangerous than "parse."

Why not deprecate these and do names like

JSON.load_trusted
JSON.load_untrusted
Comment #5202908 not loaded
Comment #5203042 not loaded
Comment #5204160 not loaded
Tho85 over 12 years ago

Some details on how this can be exploited:

http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-mass-assignment-and-sql-injection
Comment #5202613 not loaded
Comment #5202620 not loaded
Comment #5202852 not loaded
lkrubner over 12 years ago

I apologize for the ignorant question, but how does Ruby survive this in normal operation?

"Since Ruby symbols are not garbage collected, this can result in a denial of service attack."

If you have a long-running Ruby app, and it does not garbage collect symbols, then those symbols are... constants, I guess? That survive till the app stops operating? So I guess the assumption is that no app should use too many symbols (and they don't use much memory anyway?)
Comment #5203110 not loaded
Comment #5203193 not loaded
Comment #5203101 not loaded
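The symbol-exhaustion part of the advisory that lkrubner asks about comes from parsing with `symbolize_names: true`: every key in attacker-supplied JSON is interned as a Symbol, and on the Ruby versions current at the time (symbols became collectable in Ruby 2.2) those symbols were never freed. The following is an added example, not code from the thread or from the json gem; the names `ALLOWED_KEYS`, `parse_symbolizing_everything`, `parse_with_allowlisted_keys` and `hostile_payload` are hypothetical, and the payload is constructed for the demo. It shows the risky call beside a hardened version that only ever creates symbols from a fixed allow-list of keys the endpoint actually understands.

```ruby
require 'json'

# Keys this (hypothetical) endpoint understands. Only these ever become Symbols.
ALLOWED_KEYS = %i[user action timestamp].freeze

# Risky pattern: every key the client sends is interned as a Symbol.
# On Ruby < 2.2 those symbols were never garbage collected, so a client sending
# fresh key names on every request could grow the symbol table without bound.
def parse_symbolizing_everything(json)
  JSON.parse(json, symbolize_names: true)
end

# Hardened pattern: parse to String keys, then copy across only the keys on the
# allow-list, converting those to Symbols. Unknown keys are dropped and never
# interned, so the number of symbols is bounded by ALLOWED_KEYS.size.
def parse_with_allowlisted_keys(json, allowed = ALLOWED_KEYS)
  data = JSON.parse(json)
  raise ArgumentError, 'expected a JSON object' unless data.is_a?(Hash)

  allowed.each_with_object({}) do |key, out|
    name = key.to_s
    out[key] = data[name] if data.key?(name)
  end
end

# Constructed attacker input: one legitimate key plus n never-before-seen keys.
def hostile_payload(n)
  body = (1..n).each_with_object({ 'user' => 'mallory' }) { |i, h| h["k#{i}"] = i }
  JSON.generate(body)
end

if __FILE__ == $PROGRAM_NAME
  payload = hostile_payload(5)
  puts "symbolize_names: #{parse_symbolizing_everything(payload).keys.inspect}"
  puts "allow-listed:    #{parse_with_allowlisted_keys(payload).inspect}"
end
```

The allow-list approach also answers the mass-assignment half of the problem: a hash built this way cannot carry keys the handler did not expect.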
benmmurphy over 12 years ago

also if you have done require 'json/add/rails' you are in for fun (https://github.com/ruby/ruby/blob/v1_9_2_381/ext/json/lib/json/add/rails.rb#L10)

```
irb(main):001:0> require 'json/add/rails'
=> true
irb(main):002:0> class Foo
irb(main):003:1> end
=> nil
irb(main):004:0> Foo.json_create({"x" => "bar"})
=> #<Foo:0x007fc5f3149540>
```

https://github.com/search?q=require+%27json%2Fadd%2Frails%27&type=Code&ref=searchresults
zyang over 12 years ago
Is it Monday again?