
I just got an alert from Sentry from my app running in production that seems to result from a malicious request.

I’ve managed to recreate the error in my local env:

```
(Plug.Router.MalformedURIError) malformed URI "/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh"
    (elixir 1.12.1) lib/uri.ex:419: URI.decode/1
    (elixir 1.12.1) lib/enum.ex:1553: Enum."-map/2-lists^map/1-0-"/2
    (elixir 1.12.1) lib/enum.ex:1553: Enum."-map/2-lists^map/1-0-"/2
    (plug 1.12.1) lib/plug/router/utils.ex:18: Plug.Router.Utils.decode_path_info!/1
    (matchhaus 0.0.1) lib/plug/router.ex:268: MyApp.Cors.match/2
    ...continues
```

As can be seen, the URL path in the request is /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh. This looks like an attempt to double-encode a URI string for traversing up the directory structure (%%32%65%%32%65 -> %2e%2e -> ..). However, this seems to be failing at the URI.decode stage, which makes sense as something like %%32 is invalid.

My question is: I'd rather my server didn't throw an error from something like this. Ideally it'd just handle this and respond with a 404 or 400 (or other 4xx status), given this is an invalid request.

Is this something that Plug would be expected to deal with? Or is this something I should deal with in my Phoenix app?

harryg
  • It looks like it's [intentionally raising](https://github.com/elixir-plug/plug/blob/master/lib/plug/router/utils.ex#L17-L23). What version of Elixir are you using? – Peter Brown Nov 24 '21 at 21:51
  • I'm using 1.12.1. Is there a link to the changelog for 1.13 for `URI.decode`? – harryg Nov 26 '21 at 10:00

1 Answer


As you can see in the exception definition, it will send an HTTP 400 response (the :plug_status field defines that). The only thing that can be "problematic" there is the log message. The question is whether it is really an issue for you. If it is, then you can capture all /cgi-bin/ paths and just ignore such requests before they even reach the router.

Hauleth
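A pre-router plug along the lines the answer suggests, as an added example that is not part of the question, the answer or Plug itself (the module name MyApp.Plugs.RejectMalformedPath and its placement in the endpoint are assumptions). It goes a little beyond the answer: besides dropping /cgi-bin/ paths with a 404, it validates the percent-encoding of every path segment itself and answers 400, so the router never calls URI.decode/1 on input like %%32 and Sentry never sees a MalformedURIError, regardless of whether the Elixir version in use raises on such input.

```elixir
defmodule MyApp.Plugs.RejectMalformedPath do
  @moduledoc """
  Added example (hypothetical module name). Reject requests whose path cannot be
  percent-decoded, or that target /cgi-bin/, before Plug.Router decodes path_info
  and raises Plug.Router.MalformedURIError. In the endpoint, put
  `plug MyApp.Plugs.RejectMalformedPath` above `plug MyAppWeb.Router`.
  """
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: opts

  @impl true
  def call(%Plug.Conn{path_info: ["cgi-bin" | _]} = conn, _opts) do
    # This app serves no CGI resources: answer with a plain 404 and stop the pipeline.
    conn |> send_resp(404, "Not Found") |> halt()
  end

  def call(%Plug.Conn{path_info: segments} = conn, _opts) do
    # path_info holds the raw (still percent-encoded) segments; Plug.Router is the
    # one that decodes them, so validate here and reply 400 instead of letting it raise.
    if Enum.all?(segments, &valid_percent_encoding?/1) do
      conn
    else
      conn |> send_resp(400, "Bad Request") |> halt()
    end
  end

  # Every "%" must be followed by exactly two hex digits. "%%32%65" fails on the
  # second byte ("%" is not a hex digit); a trailing "%" or "%3" fails as well.
  defp valid_percent_encoding?(""), do: true

  defp valid_percent_encoding?(<<?%, hi, lo, rest::binary>>) do
    hex?(hi) and hex?(lo) and valid_percent_encoding?(rest)
  end

  defp valid_percent_encoding?(<<?%, _::binary>>), do: false

  defp valid_percent_encoding?(<<_, rest::binary>>), do: valid_percent_encoding?(rest)

  defp hex?(c), do: c in ?0..?9 or c in ?a..?f or c in ?A..?F
end
```

The segment check is deliberately done by hand rather than by calling URI.decode/1 in a rescue, because URI.decode/1 stopped raising on malformed input in later Elixir releases (see the comment thread above), so a rescue-based check would silently stop rejecting such requests after an upgrade.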