Replies: 1 comment
-
Hi, it's definitely an attack on what they wish was Fortigate - looks like CVE-2018-13379. You probably aren't running a 5-year-old install of Fortigate, so you're safe.

The reason that your firewall didn't catch it is because it isn't the type of attack it protects against - single hit HTTP "attacks" aren't very easy to protect against, more like UDP flood, slow loris attack, checking for open ports, etc. Your bog-standard firewall protects against these by monitoring connections via TCP/UDP, port, timeouts, etc. A single, regular HTTP call, even if it is trying to exploit a CVE, isn't easily differentiated from a single, regular HTTP call that is legitimate. (There are more advanced firewalls that can do this, but ultimately if you keep your system updated, block open ports, etc., you're just as protected.)

What you can do to keep this out of your logs is a couple of things. You can set up iptables with a list of malicious IPs - you can't retrieve the IP of the request you pasted, because Trilium doesn't log IPs - but perhaps it's one that is included on a list of bad IPs, like this one. Another thing you could do is protect the Trilium install with HTTP basic authentication, depending on the reverse proxy you use - and whether or not you use the desktop app/browser extension at all.
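An added example (not part of the original reply, and not Trilium code): because the reply notes that Trilium does not log IPs, this sketch scans the reverse proxy's access log for requests like the one in the question and groups them by source address. It assumes the proxy writes the common "combined" log format; the function names, sample lines and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed "combined" access-log layout: ip - user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# ".." used as a whole path segment, after "/", "\" or "=" (query-string value)
TRAVERSAL_RE = re.compile(r'(^|[/\\=])\.\.([/\\]|$)')
# Paths belonging to other products; the only entry is the one quoted in the question.
FOREIGN_PREFIXES = ("/remote/fgt_lang",)

def decode_fully(target, max_rounds=3):
    """Undo nested percent-encoding (%252e%252e -> ..) with a bounded loop."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(target):
    """Return the reasons a request target looks like a probe ([] if none)."""
    decoded = decode_fully(target)
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("path-traversal")
    if decoded.lower().startswith(FOREIGN_PREFIXES):
        reasons.append("foreign-product-path")
    return reasons

def scan(lines):
    """Map source IP -> [(target, status, reasons)] for suspicious requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and (reasons := classify(m["target"])):
            hits[m["ip"]].append((m["target"], int(m["status"]), reasons))
    return dict(hits)

# Constructed sample lines (documentation-range addresses, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:04:11:52 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 404 150 "-" "-"',
    '198.51.100.23 - - [01/Jan/2024:08:30:01 +0000] "GET /notes/a..b HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.9 - - [01/Jan/2024:09:02:44 +0000] "GET /assets/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 400 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, found in scan(SAMPLE_LOG).items():
        print(ip, found)
```

The status column helps triage: a 404 or 400 on a path the server never serves means the probe found nothing, and the flagged addresses are candidates for the iptables list mentioned in the reply.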
-
Asking in a discussion as I'm not sure if this is an issue or something that can be disregarded.
I'm running trilium on a remote server accessed through https, and I just found this in my logs:
I don't know much about how trilium operates, but even with my "fairly new to sysadminning" eyes,
/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession
definitely looks like a malicious attempt to get past security. Is seeing this in my trilium logs (and not my firewall logs) bad?