openstax/tutor-server

BadRequest and UnknownHttpMethod 40x but also send exception emails

Closed this issue · 3 comments

We get a bunch of exceptions from Rails when it receives HTTP requests with bad methods, e.g.

[Tutor] (qa) # (ActionController::UnknownHttpMethod) "FOO, accepted HTTP methods are OPTIONS, GET, HEAD, POST, PUT, DELE...

These are normally spam requests.

When I try to test this from the command line, I can replicate it with:

curl -i -X JPISCURIOUS [PUT A TUTOR DEV HOME PAGE URL HERE]

This returns:

HTTP/1.1 405 Method Not Allowed
Server: nginx
Date: Thu, 03 Mar 2016 22:33:41 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
Status: 405 Method Not Allowed
X-Request-Id: 627df3fb-7d90-4a58-8f2d-04f3096e5ead
X-Runtime: 0.438664

Tutor uses https://github.com/openstax/rescue_from to help gracefully handle exceptions. It has code that says to 405 for these problems, but that code also disabled notification. However, we're still getting exception emails, which we shouldn't be.

Replicate this response in a spec (probably an integration/feature spec that pulls in as much of the full stack as possible, since there could be some problem here with requests getting handled in weird ways), and then make it so we no longer get exception emails.

Note that configuration of openstax/rescue_from happens in config/initializers/rescue_from.rb.

UPDATE

After writing the above, I realized that we are also getting BadRequest exceptions that follow a similar trajectory to the above, e.g. when you request:

wget https://[TUTOR DEV URL HERE]/certsrv/..%C0%AF../winnt/system32/cmd.exe?/c+dir

You get

--2016-03-03 15:34:03--  https://tutor-dev.openstax.org/certsrv/..%C0%AF../winnt/system32/cmd.exe?/c+dir
Resolving tutor-dev.openstax.org... 54.153.100.208
Connecting to tutor-dev.openstax.org|54.153.100.208|:443... connected.
HTTP request sent, awaiting response... 400 Bad Request
2016-03-03 15:34:04 ERROR 400: Bad Request.

Which seems nice, but an exception email is also generated. There is no default register_exception call for ActionController::BadRequest like there is above, so I have less of an idea of what's going on here.

You might check this SO post as it may have some useful information (back to my suspicion of some other part of the stack doing something funky).

I made an issue in rescue_from: openstax/rescue_from#22

UnknownHttpMethod is already in the default exceptions but isn't getting triggered for some reason.

Seems fixed
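A 40x response accompanied by an exception email, as reported in this issue, can arise when the notifier sits closer to the application than the code that maps the exception to a status. The Ruby below is an added example, not code from tutor-server or openstax/rescue_from, and it runs the issue's two requests through both orderings of a Rack-style stack. That ordering is an assumption rather than a confirmed diagnosis, and `Notifier`, `ClientErrorRescuer`, `probe`, the `/boom` path and the two exception classes are hypothetical stand-ins.

```ruby
require 'uri'
# Stand-ins (assumptions) for ActionController::UnknownHttpMethod and ::BadRequest.
class UnknownHttpMethod < StandardError; end
class BadRequest < StandardError; end
KNOWN_METHODS = %w[OPTIONS GET HEAD POST PUT DELETE PATCH].freeze

# Innermost app: raises on hostile input, as the framework does.
APP = lambda do |env|
  raise UnknownHttpMethod, env['REQUEST_METHOD'] unless KNOWN_METHODS.include?(env['REQUEST_METHOD'])
  path = URI.decode_www_form_component(env['PATH_INFO'])
  # %C0%AF decodes to bytes that are never valid UTF-8 (overlong "/").
  raise BadRequest, 'invalid path encoding' unless path.valid_encoding?
  raise 'constructed application bug' if path == '/boom'
  [200, {}, ['ok']]
end

# Hypothetical notifier: records the exception it would e-mail, then re-raises.
class Notifier
  def initialize(app, sent)
    @app = app
    @sent = sent
  end
  def call(env)
    @app.call(env)
  rescue StandardError => e
    @sent << e.class.name
    raise
  end
end

# Hypothetical rescuer: maps expected client errors to 40x responses.
class ClientErrorRescuer
  STATUS = { UnknownHttpMethod => 405, BadRequest => 400 }.freeze
  def initialize(app)
    @app = app
  end
  def call(env)
    @app.call(env)
  rescue *STATUS.keys => e
    [STATUS.fetch(e.class), {}, []]
  end
end

# Returns [status, notifications] for one request through the chosen ordering.
def probe(verb, path, notifier_outermost:)
  sent = []
  stack = Notifier.new(ClientErrorRescuer.new(APP), sent)
  stack = ClientErrorRescuer.new(Notifier.new(APP, sent)) unless notifier_outermost
  [stack.call('REQUEST_METHOD' => verb, 'PATH_INFO' => path).first, sent]
rescue StandardError
  [500, sent]
end
```

With the notifier outermost, the two probe requests return 405 and 400 with nothing recorded, while the constructed `/boom` failure is still reported.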