Error thrown from suspected malicious request to Phoenix Router

I just got an alert from Sentry from my app running in production that seems to result from a malicious request.

I’ve managed to recreate the error in my local env:

(Plug.Router.MalformedURIError) malformed URI "/cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh"
    (elixir 1.12.1) lib/uri.ex:419: URI.decode/1
    (elixir 1.12.1) lib/enum.ex:1553: Enum."-map/2-lists^map/1-0-"/2
    (elixir 1.12.1) lib/enum.ex:1553: Enum."-map/2-lists^map/1-0-"/2
    (plug 1.12.1) lib/plug/router/utils.ex:18: Plug.Router.Utils.decode_path_info!/1
    (matchhaus 0.0.1) lib/plug/router.ex:268: MyApp.Cors.match/2
    ...continues

As can be seen, the URL path in the request is /cgi-bin/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/%%32%65%%32%65/bin/sh

This looks like someone trying to perform remote code execution against my server. Although it looks like it failed, it seems strange that it caused a crash.

Is there a way to properly handle this and probably return a 404 or something more appropriate?

The path indeed seems invalid (it’s “double-encoded” /../, there’s probably a vulnerability in some websites that allows remote execution by sending these requests), so 500 seems appropriate to me

iex(1)> URI.decode("%" <> URI.decode("%32%65"))
"."

nginx returns 400 for a request with that path.

You can filter out Plug.Router.MalformedURIError from being sent to sentry using Sentry.EventFilter — sentry v8.0.6

These requests are quite common and are mostly harmless.

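An added example (not code from the thread or from any poster) showing both pieces in Elixir: a Sentry.EventFilter that keeps Plug.Router.MalformedURIError out of Sentry, and a Plug.Router using Plug.ErrorHandler that answers such a request with a 400 instead of surfacing a 500. The MyApp module names are assumptions; it assumes plug and sentry 8.x (and Phoenix, for the default-filter line).

```elixir
# Added example; MyApp.* names are assumptions. Requires plug and sentry 8.x.
defmodule MyApp.SentryEventFilter do
  @behaviour Sentry.EventFilter

  # Drop the double-encoded "/../" probe: the request is already rejected,
  # so reporting it only adds noise. Sentry calls this for every exception
  # captured from the plug pipeline with source :plug.
  @impl true
  def exclude_exception?(%Plug.Router.MalformedURIError{}, :plug), do: true
  # Setting a custom filter replaces Sentry's default one, which excludes
  # Phoenix 404s; keep that behaviour here (assumes Phoenix is a dependency).
  def exclude_exception?(%Phoenix.Router.NoRouteError{}, :plug), do: true
  def exclude_exception?(_exception, _source), do: false
end

# In config/config.exs:
#   config :sentry, filter: MyApp.SentryEventFilter

defmodule MyApp.Router do
  use Plug.Router
  use Plug.ErrorHandler

  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "ok")
  end

  match _ do
    send_resp(conn, 404, "not found")
  end

  # Plug.ErrorHandler rescues exceptions raised anywhere in the pipeline,
  # including MalformedURIError raised while :match decodes the path, and
  # sets conn.status from Plug.Exception (400 for MalformedURIError).
  # It sends this response and then re-raises, so the error is still logged
  # and still reaches Sentry; the filter above is what keeps it out.
  @impl Plug.ErrorHandler
  def handle_errors(conn, %{reason: %Plug.Router.MalformedURIError{}}) do
    send_resp(conn, 400, "malformed request path")
  end

  def handle_errors(conn, _error) do
    send_resp(conn, conn.status, "internal server error")
  end
end
```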