by TobyTheDog123 875 days ago
Can we please stop pretending that Ruby/Rails is in any way a good choice for software that needs to be safe?

I do understand that it is what it is and GitLab has to deal with it, but going forward, can we stop pretending a language and framework that prioritizes cleverness and hidden control flow is better than something more boring?

If I sound overly annoyed, it's because I have to work on a production Ruby codebase where I can absolutely see a scenario in which we have similar issues just waiting to be exploited, because someone thought seventeen layers of abstraction made the code super extensible.

1 comment

Any language or framework that lets the caller specify if a parameter may be a string or an array of strings should probably be avoided, IMO. The cost of this one error likely outweighs the total value realized by use of the feature.
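The mechanism the reply above is objecting to, as an added example (not GitLab, Rack or Rails code): in the nested-query convention used by Rack and Rails, the sender of the request decides whether a parameter arrives as a string (`email=a`) or as an array (`email[]=a&email[]=b`), and nothing in the receiving code states which shape it expects. `lenient_params` is a hypothetical helper imitating only that one rule of Rack's parser; `scalar_param` is the strict alternative, where the handler fixes the shape and refuses anything else. The query strings are constructed sample input.

```ruby
require "uri"

# Hypothetical helper imitating the one Rack nested-query rule at issue:
# a key ending in "[]" collects its values into an array, a plain key is a
# string. Rack's real parser handles much more syntax; this is illustration only.
def lenient_params(query)
  URI.decode_www_form(query).each_with_object({}) do |(key, value), params|
    if key.end_with?("[]")
      (params[key.chomp("[]")] ||= []) << value
    else
      params[key] = value
    end
  end
end

# Strict alternative: the handler, not the caller, decides the shape.
# Returns the single string value for `name`. Raises on `name[]`, on nested
# syntax such as `name[x]`, and on a duplicated plain key, instead of quietly
# handing back an array or a hash.
def scalar_param(query, name)
  pairs = URI.decode_www_form(query)
  if pairs.any? { |k, _| k.start_with?("#{name}[") }
    raise ArgumentError, "#{name} must be a single scalar, not an array or hash"
  end
  values = pairs.select { |k, _| k == name }.map { |_, v| v }
  unless values.length == 1
    raise ArgumentError, "#{name} must be given exactly once (got #{values.length})"
  end
  values.first
end

if __FILE__ == $0
  # Same handler code, two shapes chosen entirely by the sender (constructed input).
  p lenient_params("email=alice@example.com")
  p lenient_params("email[]=alice@example.com&email[]=mallory@example.com")

  p scalar_param("email=alice@example.com", "email")
  begin
    scalar_param("email[]=alice@example.com&email[]=mallory@example.com", "email")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

In Rails the equivalent of `scalar_param` is strong parameters: `params.permit(:email)` permits only a scalar value and silently drops an array, whereas `permit(email: [])` is what opts in to an array. The strict helper above raises rather than dropping, so that a request of the wrong shape is visible in logs instead of being half-processed.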