Search code examples
ruby-on-railstemplatesexceptionruby-on-rails-4.2server-side-attacks

Weird "Missing template" exception in rails app on production

I have an Exception notifier set up in my rails application. So today I got the second notification, that the index template is missing:

An ActionView::MissingTemplate occurred in products#index:

Missing template products/index, application/index with {:locale=>[:en, :de], :formats=>["text/html;text/plain"], :variants=>[], :handlers=>[:erb, :builder, :raw, :ruby, :coffee, :slim, :arb, :jbuilder]}. Searched in:
* "/home/releases/20160518143810/app/views"


-------------------------------
Request:
-------------------------------

* URL : http://example.com/shop
* HTTP Method: GET
* IP address : xx.xx.xx.xx
* Parameters : {"controller"=>"products", "action"=>"index"}
* Timestamp : 2016-06-07 08:19:13 +0200
* Server : vintage-shop.ch
* Rails root : /home/releases/20160518143810
* Process: 15714

I know for a fact, that the product's index template is there on the server and checked in in VCS and the application has been running for month now. So I really wonder, why this can happen:

$ ls /home/releases/20160518143810/app/views/products/index.html.slim 

# -> /home/releases/20160518143810/app/views/products/index.html.slim

How is this exception possible?

Update: I looked up the IP Address and it is not from the region where I would expect my customers to be from. So I am wondering if this is some sort of attack, but then the question still remains how an exception can be triggered, even though the template is present.

Solution

  • It might be an attack attempt or (more probably I guess) some random noise. The problem seems to be in the format that Rails parsed out from the request headers. Normally, you should see something like: :formats=>[:html, :text, :js, :css, :ics] in the exception message.

    The format is generally determined in rails using the request URI (usually everything after a dot '.' is considered a format specification) or using the Accept header. In your case it is the header I guess (you should be able to see the header in the exception notification). The Accept header should contain comma-separated content types, not semicolon-separated, so I guess this is the actual source of the exception.

    Take a look at this very insightful blog post if you want more details about Rails format resolution.