Fix Lack of Resources & Rate Limiting in Camping
Camping is a micro-framework with almost no machinery between Rack and your controller, and it ships with no protection against resource exhaustion. Without rate limiting or bounds on what a single request may ask for, an attacker can hammer expensive endpoints, such as searches with leading-wildcard LIKE patterns or heavy database joins, until every Ruby worker thread is busy waiting on the database and the service stops answering: a Denial of Service (DoS), and the flaw the OWASP API Security Top 10 calls "Lack of Resources & Rate Limiting". Camping itself offers nothing to hook, so the rate limit belongs in the Rack layer in front of the app, and the per-request bounds belong in the controller.
The Vulnerable Pattern
require 'camping'

Camping.goes :App

module App::Controllers
  class Search < R '/search'
    def get
      # VULNERABLE: no rate limiting and no limit on query results.
      # An attacker can send thousands of requests per second for '%a%';
      # each one forces a full scan of the posts table (a leading wildcard
      # cannot use an index) and loads every matching row into memory.
      # Post is the ActiveRecord model defined in App::Models.
      @posts = Post.where('body LIKE ?', "%#{input.q}%")
      render :results
    end
  end
end
The Secure Implementation
The fix works at two levels, the Rack middleware layer and the application layer. First, rack-attack sits in front of the Camping app and throttles requests before any controller runs: the rule below lets one IP make at most 5 GET requests to /search in any 2-second window and answers the rest with HTTP 429. A Camping module is itself a Rack application (App.call(env)), so the middleware is wired up in config.ru and the app is started with rackup; Camping's App.create hook runs boot-time setup such as opening the database and is not a place to build the Rack stack. Two caveats: rack-attack keeps its counters in the cache store you give it, so a per-process memory store means each worker enforces its own independent limit, and req.ip depends on how Rack has been told to trust X-Forwarded-For, so behind a proxy check that the throttle key is the real client address rather than the proxy's. Second, the controller bounds the work a single request can cause: the query string is truncated to a fixed length and the result set is capped with LIMIT, so a match-everything pattern cannot load the whole table into memory. Note that the query uses SQL LIKE, not a regular expression, so this is not a ReDoS fix; a leading-wildcard LIKE still scans the table, and it is the LIMIT together with the rate limit that keeps that cost bounded.
config.ru (the middleware layer; start the app with rackup):

require './app'              # defines the Camping module App
require 'rack/attack'
require 'active_support/cache'

# Rack::Attack needs a cache store outside Rails. MemoryStore is per-process,
# so with several workers each one enforces its own limit; use a shared store
# such as Redis in production.
Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new

# Throttle aggressive clients: at most 5 GET /search requests per IP in any
# 2-second window. The block returns the throttle key (the client IP) for
# matching requests and nil for everything else, which passes untouched.
Rack::Attack.throttle('limit searches by ip', limit: 5, period: 2) do |req|
  req.ip if req.path == '/search' && req.get?
end

use Rack::Attack
run App
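To show what the throttle rule above actually does, here is a hand-written Rack middleware that enforces the same policy (5 GET /search requests per client IP per 2-second fixed window, HTTP 429 with a Retry-After header beyond that) in plain Ruby. It is an added example for this page, not code from the original article, from Camping or from rack-attack; the names SearchThrottle, SEARCH_APP and run_scenario are this example's own, and the clock is injectable so the policy can be exercised offline against hand-built Rack env hashes instead of a live server.

```ruby
# Added example, not the page's or rack-attack's code: a Rack middleware that
# enforces the same policy as the Rack::Attack rule on this page, at most
# LIMIT GET /search requests per client IP per PERIOD-second fixed window,
# with no gem dependencies so the policy can be exercised offline.
class SearchThrottle
  LIMIT  = 5
  PERIOD = 2 # seconds

  # `clock` returns the current time as a Float; injectable so tests can step
  # time deterministically instead of sleeping.
  def initialize(app, limit: LIMIT, period: PERIOD, clock: -> { Time.now.to_f })
    @app     = app
    @limit   = limit
    @period  = period
    @clock   = clock
    @buckets = Hash.new(0) # {[ip, window_index] => count}, per process only
  end

  def call(env)
    return @app.call(env) unless throttled_route?(env)

    now    = @clock.call
    window = (now / @period).floor
    key    = [env['REMOTE_ADDR'], window]

    @buckets.delete_if { |(_ip, w), _count| w < window } # forget old windows
    @buckets[key] += 1

    if @buckets[key] > @limit
      # Tell the client when the current window ends rather than just refusing.
      retry_after = ((window + 1) * @period - now).ceil
      return [429,
              { 'content-type' => 'text/plain', 'retry-after' => retry_after.to_s },
              ["Rate limit exceeded\n"]]
    end

    @app.call(env)
  end

  private

  # Only the expensive endpoint is throttled, matching the rack-attack rule;
  # everything else passes straight through.
  def throttled_route?(env)
    env['REQUEST_METHOD'] == 'GET' && env['PATH_INFO'] == '/search'
  end
end

# Constructed stand-in for the Camping app: Rack only needs #call(env).
SEARCH_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ["ok\n"]] }

# Replay a scripted sequence of [time, ip, path] GET requests through one
# middleware instance and return the HTTP status each one received.
def run_scenario(requests, limit: SearchThrottle::LIMIT, period: SearchThrottle::PERIOD)
  now   = 0.0
  stack = SearchThrottle.new(SEARCH_APP, limit: limit, period: period, clock: -> { now })
  requests.map do |t, ip, path|
    now = t
    stack.call('REQUEST_METHOD' => 'GET', 'PATH_INFO' => path, 'REMOTE_ADDR' => ip).first
  end
end

if $PROGRAM_NAME == __FILE__
  burst = Array.new(7) { [0.0, '203.0.113.10', '/search'] }
  p run_scenario(burst) # => [200, 200, 200, 200, 200, 429, 429]
end
```

Because it depends only on the Rack calling convention (call(env) returning [status, headers, body]), the same class could be mounted with use SearchThrottle in config.ru. Like rack-attack on a memory store it counts per process, which is the usual reason to back a production limiter with a shared store such as Redis; and like the rack-attack rule it keys on the raw REMOTE_ADDR, so behind a proxy the key must come from the trusted forwarded address instead.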
app.rb (the application layer). A Camping module is already a Rack application, so nothing here touches the Rack stack; Camping's App.create hook is for boot-time setup such as opening the database, not for wrapping the app in middleware.

require 'camping'

Camping.goes :App
module App::Controllers
  class Search < R '/search'
    def get
      # SECURE: middleware-level throttling (config.ru) plus per-request bounds.
      query = input.q.to_s[0, 64]   # cap the pattern length; 64 is a policy choice
      # LIMIT 20 bounds the rows loaded per request even for a match-everything
      # pattern. '%' and '_' in the input are still LIKE wildcards; escape them
      # (ActiveRecord's sanitize_sql_like) if user-controlled wildcards matter.
      @posts = Post.where('body LIKE ?', "%#{query}%").limit(20)
      render :results
    end
  end
end
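The hardened controller still interpolates the user's text straight into the LIKE pattern, so a query of "%" or "_" is itself a wildcard and blank input becomes a match-everything "%%". As an added example (not from the original page, from Camping or from ActiveRecord), here is a helper that truncates the input and escapes the LIKE metacharacters, the same transformation ActiveRecord's sanitize_sql_like performs, and that turns blank input into no query at all. MAX_QUERY_LEN, escape_like and bounded_like_pattern are this example's own names, and it assumes backslash as the LIKE escape character.

```ruby
# Added example, not the page's code: bound and escape a search term before it
# becomes a LIKE pattern. Assumes the backslash escape character, which is the
# default on PostgreSQL and MySQL; SQLite needs an explicit ESCAPE '\' clause.
MAX_QUERY_LEN = 64

# '%' and '_' are LIKE wildcards and '\' is the escape character; prefix each
# with a backslash so it matches itself. Same transformation as ActiveRecord's
# sanitize_sql_like.
def escape_like(text)
  text.gsub(/[\\%_]/) { |c| "\\#{c}" }
end

# Returns the pattern to bind as the LIKE argument, or nil for blank input so
# the caller can skip the query instead of running a match-everything "%%".
# Input is truncated before escaping, so the length bound still holds: each
# escaped character grows the pattern by one byte, worst case 2*max_len + 2.
def bounded_like_pattern(raw, max_len: MAX_QUERY_LEN)
  text = raw.to_s.strip
  return nil if text.empty?
  "%#{escape_like(text[0, max_len])}%"
end

# How the Camping controller would use it (Post is the page's model):
#   pattern = bounded_like_pattern(input.q)
#   @posts  = pattern ? Post.where('body LIKE ?', pattern).limit(20) : []
```

With this in place a request for "%" searches for a literal percent sign instead of every row, and an empty search box costs no query at all; the LIMIT and the rate limit remain the bound on the cost of a legitimate leading-wildcard search.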
Verified by Ghost Labs Security Team