Lately I've been receiving several alerts like this one:
Uncaught PHP Exception InvalidArgumentException: "Unable to parse URI: https://en);waitfor delay '0:0:5'--.wikisource.org/w/index.php?title=MediaWiki:WS_Export.json&action=raw&ctype=application/json" at /var/www/tool/vendor/guzzlehttp/psr7/src/Uri.php line 72
{ "class": "InvalidArgumentException", "message": "Unable to parse URI: https://en);waitfor delay '0:0:5'--.wikisource.org/w/index.php?title=MediaWiki:WS_Export.json&action=raw&ctype=application/json", "code": 0, "file": "/var/www/tool/vendor/guzzlehttp/psr7/src/Uri.php:72", "trace": [ "/var/www/tool/vendor/guzzlehttp/psr7/src/Utils.php:393", "/var/www/tool/vendor/guzzlehttp/psr7/src/functions.php:41", "/var/www/tool/vendor/guzzlehttp/guzzle/src/Client.php:211", "/var/www/tool/vendor/guzzlehttp/guzzle/src/Client.php:154", "/var/www/tool/vendor/guzzlehttp/guzzle/src/Client.php:182", "/var/www/tool/vendor/guzzlehttp/guzzle/src/Client.php:95", "/var/www/tool/src/Util/Api.php:286", "/var/www/tool/src/Util/OnWikiConfig.php:47", "/var/www/tool/vendor/symfony/cache/LockRegistry.php:99", "/var/www/tool/vendor/symfony/cache/Traits/ContractsTrait.php:88", "/var/www/tool/vendor/symfony/cache-contracts/CacheTrait.php:70", "/var/www/tool/vendor/symfony/cache/Traits/ContractsTrait.php:95", "/var/www/tool/vendor/symfony/cache-contracts/CacheTrait.php:33", "/var/www/tool/src/Util/OnWikiConfig.php:61", "/var/www/tool/src/Util/OnWikiConfig.php:72", "/var/www/tool/src/FontProvider.php:45", "/var/www/tool/src/Controller/ExportController.php:189", "/var/www/tool/src/Controller/ExportController.php:139", "/var/www/tool/src/Controller/ExportController.php:103", "/var/www/tool/vendor/symfony/http-kernel/HttpKernel.php:157", "/var/www/tool/vendor/symfony/http-kernel/HttpKernel.php:79", "/var/www/tool/vendor/symfony/http-kernel/Kernel.php:196", "/var/www/tool/public/index.php:35" ] }
Seems like somebody is running the usual pentests on the tool. Nonetheless, I've also seen similar errors for "normal" URLs, since any malformed URL can cause it.
The URL above currently returns a 500 error with a generic-looking error box, and causes an email to be sent. Instead, I think the exception should be caught, a specific error message should be shown, and we should get no alert.
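As an added illustration of the fix suggested above (this is example code, not the WS Export tool's own source): validate the language code before it is interpolated into the Wikisource URL, and turn a Guzzle URI parsing failure into a client error rather than an unhandled exception. The function names, the URL template, the allowed language-code pattern and the status-code mapping are assumptions for the example; the tool's real config-fetching code is not shown on this page.

```php
<?php
// Added example, not the WS Export tool's own code. Shows the shape of the
// proposed fix: reject a malformed language code up front and map the
// remaining Guzzle InvalidArgumentException to a 400 instead of a 500.
// Function names, the URL template and the allowed pattern are assumptions.

declare(strict_types=1);

require 'vendor/autoload.php';

use GuzzleHttp\Psr7\Uri;

final class BadLanguageCode extends \RuntimeException {}

// Assumption: Wikisource subdomains are short lowercase codes such as
// "en", "fr" or "zh-min-nan". Anything else is rejected before it can
// reach the URL, so the user gets a specific message and no alert fires.
function assertValidLanguageCode(string $lang): string
{
    if (preg_match('/^[a-z]{2,3}(?:-[a-z0-9]{1,8})*$/', $lang) !== 1) {
        throw new BadLanguageCode(sprintf('Invalid language code: %s', $lang));
    }
    return $lang;
}

// Builds the on-wiki config URL from the alert above (template assumed).
function buildConfigUrl(string $lang): string
{
    $lang = assertValidLanguageCode($lang);
    return "https://{$lang}.wikisource.org/w/index.php"
        . '?title=MediaWiki:WS_Export.json&action=raw&ctype=application/json';
}

// Returns an HTTP status plus either the parsed URI or a user-facing error.
function tryBuildUri(string $lang): array
{
    try {
        $uri = new Uri(buildConfigUrl($lang));
        return ['status' => 200, 'uri' => (string) $uri];
    } catch (BadLanguageCode $e) {
        // Specific, safe message for the caller; nothing to page anyone about.
        return ['status' => 400, 'error' => $e->getMessage()];
    } catch (\InvalidArgumentException $e) {
        // Guzzle's Uri constructor throws this when parse_url() rejects the
        // string (the exception seen in the alert). Treat it as client error.
        return ['status' => 400, 'error' => 'Unable to build a valid Wikisource URL.'];
    }
}

// Constructed inputs: a normal code and a malformed one that would
// otherwise produce the "Unable to parse URI" exception.
foreach (['en', 'en);garbage--'] as $lang) {
    var_dump(tryBuildUri($lang));
}
```

In a Symfony controller the 400 branch would typically be expressed by throwing `BadRequestHttpException` (an assumption about how the tool wires errors, not something shown on this page), which renders a proper error page and is not logged at the level that sends the alert email. Validating the code before URL construction also means the specific message can name the bad parameter instead of echoing the whole URL back.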