Hi,
We’re getting some weird exceptions that look like hack attempts, and I’m hoping someone can help us understand them. It looks like an intentionally malformed URL is somehow causing unexpected behavior.
Here’s what we’re seeing. These URLs:
https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h.before=b,e=
https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h.
https://gadgetco.hiringthing.com/admin/jobs/k(b.onLoad)&&n(a,‘load’,h.onLoad),null==h||‘none’
will crash our system, and the trace doesn’t include any files from our application (just framework code), trying to load a “Jobs” object that doesn’t exist.
https://gadgetco.hiringthing.com/admin/jobs/somerandomstring
https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h
will work correctly, hitting our controller and successfully redirecting the user somewhere, and
https://gadgetco.hiringthing.com/admin/jobs/1
will also work correctly, using Job.find(params[:id]) to load a job (note the object is Job, not Jobs).
Something different is going on between:
https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h. (fails)
https://gadgetco.hiringthing.com/admin/jobs/h.delayType)c(h,b),h (works correctly)
and I don’t know what. None of the related routes have any fancy regex or anything unusual. Any insight would be appreciated.
Thanks for your help.
Josh