Remove dead migration-audit routes that 500 on bot probes #1906
Open
maebeale wants to merge 1 commit into
These routes pointed at controllers that never existed, so any request they matched raised ActionDispatch::MissingController (a 500) instead of a 404. A bot probing GET /images/index.php matched `resources :images` and dispatched to the missing ImagesController, generating Honeybadger noise. Only primary_assets and rich_text_assets have real controllers.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
maebeale
commented
Jun 24, 2026
| # A bot probing GET /images/index.php matched `resources :images` and dispatched | ||
| # to the missing ImagesController, raising ActionDispatch::MissingController (a | ||
| # 500) instead of a plain 404. These paths must be unrouted, i.e. raise a | ||
| # routing error rather than a missing-controller error. |
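Review bot: The closing sentence of this comment ("These paths must be unrouted, i.e. raise a routing error rather than a missing-controller error") states the expectation as an exception, while the sentence before it contrasts a 500 with "a plain 404", which is a response status. Suggest wording the expectation in the terms the examples actually check, so a reader does not need to know how the test environment turns a routing error into a response; if the examples assert on status, "must return 404" would match the rest of the comment.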
Collaborator
Author
🤖 From Claude: Deliberately a request spec, not a routing spec — recognize_path masks the missing controller as a RoutingError, so a routing spec would pass even with the broken routes still present. Only full dispatch reproduces the 500, so this hits the real path and asserts a 404.
jmilljr24
approved these changes
Jun 24, 2026
jmilljr24
left a comment
Collaborator
Thanks!
If the routes no longer exist, I'm not sure we need any tests?
🤖 PR, suggested 👤 review level: 📖 Read — light-logic: removes routes pointing at non-existent controllers; verified nothing references them
What is the goal of this PR and why is this important?
Leftover "migration audit" routes (`images`, the `images` namespace, `attachments`, `media_files`) pointed at controllers that never existed, so any request matching them raised `ActionDispatch::MissingController` — a 500 instead of a 404. A bot probing `GET /images/index.php` matched `resources :images` and dispatched to the missing `ImagesController`, generating Honeybadger noise.

How did you approach the change?
Removed the dead routes (keeping `primary_assets` and `rich_text_assets`, the only two backed by real controllers and actually used — no route helpers reference the removed ones). Added a request spec asserting each removed path now 404s; it fails 7/7 on the old routes and passes after the fix.

Anything else to add?
This was purely bot/scanner traffic probing for PHP vulnerabilities — no real user or data was affected. A routing spec can't catch this since recognition masks the missing controller as a `RoutingError`; only full dispatch reproduces the 500, so the test is a request spec.
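The condition this PR removes, a route whose controller class does not exist, can also be checked for directly. The following is an added example, not code from the PR or the project: it walks a constructed route list that reuses the names in the description and reports entries whose controller constant cannot be resolved. The hash shape and the helper names `controller_class_name`, `controller_defined?` and `dead_routes` are assumptions made for illustration.

```ruby
# Added example (not from the PR): flag routes whose controller class is missing.
# The route entries are constructed sample data reusing the names in this PR.

# Convert a controller path ("admin/media_files") to its constant name
# ("Admin::MediaFilesController") without depending on ActiveSupport.
def controller_class_name(path)
  path.split("/").map { |seg| seg.split("_").map(&:capitalize).join }.join("::") + "Controller"
end

# True when every segment of the constant name resolves and the result is a class.
def controller_defined?(name, root = Object)
  name.split("::").inject(root) do |scope, const|
    return false unless scope.const_defined?(const, false)
    scope.const_get(const, false)
  end.is_a?(Class)
end

# routes: array of { verb:, path:, controller: } hashes (assumed shape).
# Returns the entries that would dispatch to a missing controller, which is
# the case that surfaced as a 500 instead of a 404.
def dead_routes(routes, root = Object)
  routes.reject { |r| controller_defined?(controller_class_name(r[:controller]), root) }
end

# Stand-ins for the two controllers the PR says are real.
class PrimaryAssetsController; end
class RichTextAssetsController; end

# Constructed route table; paths are illustrative.
SAMPLE_ROUTES = [
  { verb: "GET", path: "/images/:id",       controller: "images" },
  { verb: "GET", path: "/attachments",      controller: "attachments" },
  { verb: "GET", path: "/media_files",      controller: "media_files" },
  { verb: "GET", path: "/primary_assets",   controller: "primary_assets" },
  { verb: "GET", path: "/rich_text_assets", controller: "rich_text_assets" },
].freeze

if __FILE__ == $PROGRAM_NAME
  dead_routes(SAMPLE_ROUTES).each do |r|
    puts "#{r[:verb]} #{r[:path]} -> missing #{controller_class_name(r[:controller])}"
  end
end
```

A check of this kind complements the request spec: the spec proves the removed paths return 404, while the audit would flag any other route that still points at a controller that is not defined.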