Symbols in Ruby
In this article, we're going to explore the following topics:
- symbols are unique
- symbols since Ruby 2.2
- a denial-of-service weakness involving symbols
Symbols are unique

A symbol is an instance of the Symbol class, generally used to identify a specific resource: a method, a variable, a hash key, a state, etc.

A symbol is unique because only one Symbol instance can exist for a given name in a running program (the name is interned):
:pending.object_id # => 1277788
:pending.object_id # => 1277788
Here we can see that the :pending symbol is created only once: the two calls to :pending.object_id return the same object identifier. Symbols are often compared to strings, but the main difference between them is that a new String object is created every time a string expression is evaluated, even when the contents are identical:
'pending'.object_id # => 70324176174080
'pending'.object_id # => 70324176168090
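The same comparison for values built at runtime rather than written as literals, as an added example that is not part of the original article (the helper names are mine):

```ruby
# Added example (not from the original article): symbol identity versus
# string identity for values constructed at runtime.

# Three ways to obtain a symbol from a runtime string.
def symbols_from(name)
  [name.to_sym, name.intern, :"#{name}"]
end

# Three ways to obtain a string with the same contents.
def strings_from(name)
  [name.dup, String.new(name), "#{name}"]
end

# True when every element is the very same object (equal?), not merely ==.
def all_same_object?(objects)
  objects.all? { |o| o.equal?(objects.first) }
end

# Symbols are interned: every construction path yields the one Symbol object,
# and it is the same object as the literal :pending elsewhere in the program.
symbols = symbols_from("pend" + "ing")
puts all_same_object?(symbols)            # true
puts symbols.first.equal?(:pending)       # true

# Strings are not: each path allocates a fresh String object that is only
# equal by value.
strings = strings_from("pending")
puts all_same_object?(strings)            # false
puts strings.all? { |s| s == "pending" }  # true
```

One caveat when reproducing the object_id experiment above: with the `# frozen_string_literal: true` magic comment (or the matching interpreter flag), identical string literals in a file become frozen, deduplicated objects, so `'pending'.object_id` may then return the same id twice. Strings assembled at runtime, as in this example, are still allocated fresh each time.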
Now that we're more familiar with symbols, let's have a look at the changes introduced in Ruby 2.2.
Symbols since Ruby 2.2

Ruby 2.2 introduced the notion of mortal and immortal symbols (symbol garbage collection). Let's have a look at the difference between these two concepts.
Immortal symbol

Immortal symbols are symbols that will never be garbage collected. A symbol becomes immortal as soon as it is turned into an internal identifier (a method name, an instance variable name, a constant name), which happens whenever your code is modified dynamically, for example when:
- defining a new method using define_method
- setting an instance variable using instance_variable_set
- defining a constant using const_set

Note that a symbol which started out as collectable (see below) is pinned as immortal the moment it is passed to one of these calls.
Mortal symbol

Mortal symbols, on the other hand, are eligible for garbage collection once nothing references them any more. They are created in every other case, for example:
- using to_sym (or its alias String#intern)
- using symbol literals whose name is computed at runtime, such as :"#{name}" (a literal written in the source, like :pending, is referenced by the compiled code and is never collected in practice)
- etc.
Ok, now that we're more familiar with these two concepts, let's see how immortal symbols can create security issues.
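The difference can be observed directly. The following is an added example, not code from the original article: Symbol.all_symbols lists every live symbol, so comparing its size before and after a full GC run shows which symbols were collected. The random name prefix is only there so that repeated calls never reuse a symbol that already exists.

```ruby
require "securerandom"

# Added example (not from the original article): observe symbol GC directly.
# Symbol.all_symbols returns every live symbol, static and dynamic, so the
# change in its size across a full GC run tells us what was reclaimed.
# Names get a random prefix so that repeated calls create genuinely new symbols.

# Create +n+ symbols with String#to_sym, keep no reference to them, and
# return how many of them are still alive after GC.
def mortal_symbols_retained(n)
  prefix = "mortal_#{SecureRandom.hex(4)}_"
  GC.start
  before = Symbol.all_symbols.size
  n.times { |i| "#{prefix}#{i}".to_sym }
  GC.start
  Symbol.all_symbols.size - before
end

# Create +n+ symbols the same way, but use each one as a method name via
# define_method, which pins it as immortal. Dropping the class afterwards
# makes no difference: the symbols outlive it.
def immortal_symbols_retained(n)
  prefix = "immortal_#{SecureRandom.hex(4)}_"
  GC.start
  before = Symbol.all_symbols.size
  klass = Class.new
  n.times { |i| klass.send(:define_method, "#{prefix}#{i}".to_sym) { i } }
  klass = nil # the only reference to the class is gone, the symbols stay
  GC.start
  Symbol.all_symbols.size - before
end

if __FILE__ == $PROGRAM_NAME
  n = 10_000
  puts "mortal symbols still alive after GC:   #{mortal_symbols_retained(n)} / #{n}"
  puts "immortal symbols still alive after GC: #{immortal_symbols_retained(n)} / #{n}"
end
```

Expect the first count to be close to zero (conservative stack scanning may keep a handful alive) and the second to be the full n. Running the immortal variant in a loop is exactly the memory growth described in the next section, and no GC.start will ever bring it back down.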
Security weakness using immortal symbols

Creating immortal symbols from user input is a bad idea. It allows a malicious user to mount a denial-of-service attack against your application by flooding it with unique strings (for example a different parameter name or value on every request): each one becomes a symbol that is never freed, so memory grows until the Ruby process slows down or is killed.

Two practical notes. Before Ruby 2.2 every symbol was immortal, so a plain params[:state].to_sym was already enough to leak memory. Since 2.2, to_sym alone yields a collectable symbol, but passing that symbol to define_method, instance_variable_set or const_set pins it forever, so an attacker-controlled value must be validated against an allowlist before it reaches any of those calls.
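The vulnerable pattern next to its hardened form, as an added example that is not part of the original article. The state machine, its parameter and ALLOWED_STATES are hypothetical; the allowlist stands in for whatever fixed set of states an application actually knows about.

```ruby
# Added example (not from the original article): the same request handler
# written two ways. The classes, the state_param argument and ALLOWED_STATES
# are hypothetical stand-ins for application code.

ALLOWED_STATES = %i[pending approved rejected].freeze

# Vulnerable: every distinct value an attacker sends becomes a method name and
# an instance variable name, i.e. immortal symbols no GC run will reclaim.
class UnsafeStateMachine
  def register(state_param)
    self.class.send(:define_method, "on_#{state_param}".to_sym) { state_param }
    # Only valid identifier characters are assumed here; an attacker would
    # simply send well-formed names anyway.
    self.class.instance_variable_set("@last_#{state_param}", Time.now)
  end
end

# Hardened: the input is matched against the allowlist as a string and the
# pre-existing symbol from the allowlist is returned. No symbol is ever
# created from attacker-controlled bytes, on any Ruby version.
class SafeStateMachine
  def register(state_param)
    state = ALLOWED_STATES.find { |s| s.to_s == state_param }
    raise ArgumentError, "unknown state: #{state_param.inspect}" unless state
    state
  end
end

# Simulate a flood of requests carrying unique parameter values plus a few
# legitimate and one bogus value (constructed input). Each run uses a fresh
# anonymous subclass so the method count reflects this run only.
# Returns [methods defined on the unsafe class, states accepted by the safe one].
def simulate_flood(request_count)
  inputs = Array.new(request_count) { |i| "evil_#{i}" } + %w[pending approved bogus]
  unsafe = Class.new(UnsafeStateMachine).new
  safe = SafeStateMachine.new
  accepted = 0
  inputs.each do |value|
    unsafe.register(value)
    begin
      safe.register(value)
      accepted += 1
    rescue ArgumentError
      # rejected before any symbol, method or variable could be created
    end
  end
  [unsafe.class.instance_methods(false).size, accepted]
end

if __FILE__ == $PROGRAM_NAME
  defined, accepted = simulate_flood(1_000)
  puts "unsafe handler: #{defined} methods (and as many immortal symbols) from 1003 requests"
  puts "safe handler:   #{accepted} requests accepted, nothing pinned"
end
```

Since Ruby 2.2, ALLOWED_STATES.include?(state_param.to_sym) would also stop the leak, because the symbol created by to_sym is collectable and never reaches define_method. Comparing strings as above additionally avoids creating any symbol at all and behaves the same on older interpreters.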
Conclusion

The notion of mortal symbols was introduced in Ruby 2.2 to reduce the memory usage of Ruby programs. Immortal symbols, on the other hand, can cause security problems: only create them from values you fully control, and never from user input.
Thank you for taking the time to read this article.

Voilà!
Translated from: https://medium.com/rubycademy/mortal-and-immortal-symbols-in-ruby-35ae4d29248a