autolab
passwords#create (NoMethodError) "undefined method `add' for nil:NilClass
Your environment
- Universidade Vila Velha (UVV) Autolab at https://autolab.computacaoraiz.com.br/
- Rocky Linux 9.4
- Autolab v2.12.0
Steps To Reproduce Do not know. I'm not sure if this is a bug, a misconfiguration of my part or some other kind of problem.
Current behavior Today, from 01:36h to 02:18h, I got 722 emails messages from Autolab. The subject of messages is "passwords#create (NoMethodError) "undefined method `add' for nil:NilClass". Every message looks like the following:
A NoMethodError occurred in passwords#create:
undefined method add' for nil:NilClass app/models/course_logger.rb:26:in log'
Request:
- URL : https://autolab.computacaoraiz.com.br/auth/users/password
- HTTP Method: POST
- IP address : 147.78.47.62
- Parameters : {"utf8"=>"✓", "authenticity_token"=>"xGp9Y63QTJc OkzEU1vIiCXwOxBCCW/EbuecHFsGPCOoOLEddeGShg9bru7g6zMVxgoDKemixmJj0o77kgtcgg==", "user"=>{"email"=>"1%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#"}, "controller"=>"devise/passwords", "action"=>"create"}
- Timestamp : 2024-08-18 01:18:49 -0400
- Server : fc4c8984e40b
- Rails root : /home/app/webapp
- Process: 190
Session:
- session id: [FILTERED]
- data: {}
Environment:
- CONTENT_LENGTH : 236
- CONTENT_TYPE : application/x-www-form-urlencoded; charset=utf-8
- HTTPS : on
- HTTP_ACCEPT : text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
- HTTP_ACCEPT_CHARSET : ISO-8859-15,utf-8;q=0.7,*;q=0.7
- HTTP_ACCEPT_ENCODING : gzip,deflate
- HTTP_ACCEPT_LANGUAGE : en-us,en;q=0.5
- HTTP_CACHE_CONTROL : no-cache,no-store
- HTTP_HOST : autolab.computacaoraiz.com.br
- HTTP_PRAGMA : no-cache
- HTTP_USER_AGENT : Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.0 (KHTML,like Gecko) Chrome/3.0.195.27
- HTTP_VERSION : HTTP/1.1
- ORIGINAL_FULLPATH : /auth/users/password
- ORIGINAL_SCRIPT_NAME :
- PASSENGER_CONNECT_PASSWORD : [FILTERED]
- PATH_INFO : /auth/users/password
- QUERY_STRING :
- REMOTE_ADDR : 147.78.47.62
- REMOTE_PORT : 46266
- REQUEST_METHOD : POST
- REQUEST_URI : /auth/users/password
- ROUTES_7040_SCRIPT_NAME :
- SCRIPT_NAME :
- SERVER_NAME : autolab.computacaoraiz.com.br
- SERVER_PORT : 443
- SERVER_PROTOCOL : HTTP/1.1
- SERVER_SOFTWARE : nginx/1.18.0 Phusion_Passenger/6.0.19
- action_controller.instance : #Devise::PasswordsController:0x00007fcfaf14f5b0
- action_dispatch.authenticated_encrypted_cookie_salt : [FILTERED]
- action_dispatch.backtrace_cleaner : #Rails::BacktraceCleaner:0x00007fcfb8089cf8
- action_dispatch.content_security_policy :
- action_dispatch.content_security_policy_nonce_directives:
- action_dispatch.content_security_policy_nonce_generator :
- action_dispatch.content_security_policy_report_only : false
- action_dispatch.cookies : [FILTERED]
- action_dispatch.cookies_digest : [FILTERED]
- action_dispatch.cookies_rotations : [FILTERED]
- action_dispatch.cookies_same_site_protection : [FILTERED]
- action_dispatch.cookies_serializer : [FILTERED]
- action_dispatch.encrypted_cookie_cipher : [FILTERED]
- action_dispatch.encrypted_cookie_salt : [FILTERED]
- action_dispatch.encrypted_signed_cookie_salt : [FILTERED]
- action_dispatch.http_auth_salt : [FILTERED]
- action_dispatch.key_generator : #ActiveSupport::CachingKeyGenerator:0x00007fcfb44d8b00
- action_dispatch.logger : #ActiveSupport::Logger:0x00007fcfb7e7ce60
- action_dispatch.parameter_filter : [:password, :password, :session, :warden, :secret, :salt, :cookie, :csrf, :restful_key, :lockbox_master_key, :lti_tool_private_key, /^((?-mix:client_secret|authentication_token|access_token|refresh_token|code))$/]
- action_dispatch.permissions_policy :
- action_dispatch.redirect_filter : []
- action_dispatch.remote_ip : 147.78.47.62
- action_dispatch.request.content_type : application/x-www-form-urlencoded
- action_dispatch.request.formats : [#<Mime::Type:0x00007fcfba2accb8 @synonyms=["application/xhtml+xml"], @symbol=:html, @string="text/html", @hash=-1258011207859859265>]
- action_dispatch.request.parameters : {"utf8"=>"✓", "authenticity_token"=>"xGp9Y63QTJc OkzEU1vIiCXwOxBCCW/EbuecHFsGPCOoOLEddeGShg9bru7g6zMVxgoDKemixmJj0o77kgtcgg==", "user"=>{"email"=>"1%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#"}, "controller"=>"devise/passwords", "action"=>"create"}
- action_dispatch.request.path_parameters : {:controller=>"devise/passwords", :action=>"create"}
- action_dispatch.request.query_parameters : {}
- action_dispatch.request.request_parameters : {"utf8"=>"✓", "authenticity_token"=>"xGp9Y63QTJc OkzEU1vIiCXwOxBCCW/EbuecHFsGPCOoOLEddeGShg9bru7g6zMVxgoDKemixmJj0o77kgtcgg==", "user"=>{"email"=>"1%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#"}}
- action_dispatch.request.unsigned_session_cookie : [FILTERED]
- action_dispatch.request_id : 08517824-8a79-44d8-84c7-393175b798a7
- action_dispatch.routes : #ActionDispatch::Routing::RouteSet:0x00007fcfb80f2aa0
- action_dispatch.secret_key_base : [FILTERED]
- action_dispatch.show_detailed_exceptions : false
- action_dispatch.show_exceptions : true
- action_dispatch.signed_cookie_digest : [FILTERED]
- action_dispatch.signed_cookie_salt : [FILTERED]
- action_dispatch.use_authenticated_cookie_encryption : [FILTERED]
- action_dispatch.use_cookies_with_metadata : [FILTERED]
- devise.mapping : #Devise::Mapping:0x00007fcfb4675be8
- newrelic.transaction_started : true
- rack.attack.called : true
- rack.attack.match_type : safelist
- rack.attack.matched : allow from localhost
- rack.errors : #IO:0x00007fcfbed08f28
- rack.hijack : #<Proc:0x00007fcfb447fbe0 /usr/lib/ruby/vendor_ruby/phusion_passenger/rack/thread_handler_extension.rb:94 (lambda)>
- rack.hijack? : true
- rack.input : #PhusionPassenger::Utils::TeeInput:0x00007fcfaeb97000
- rack.multiprocess : true
- rack.multithread : false
- rack.request.cookie_hash : [FILTERED]
- rack.request.form_hash : {"utf8"=>"✓", "authenticity_token"=>"xGp9Y63QTJc OkzEU1vIiCXwOxBCCW/EbuecHFsGPCOoOLEddeGShg9bru7g6zMVxgoDKemixmJj0o77kgtcgg==", "user"=>{"email"=>"1%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#"}}
- rack.request.form_input : #PhusionPassenger::Utils::TeeInput:0x00007fcfaeb97000
- rack.request.form_vars : [FILTERED]
- rack.request.query_hash : {}
- rack.request.query_string :
- rack.run_once : false
- rack.session : [FILTERED]
- rack.session.options : [FILTERED]
- rack.tempfiles : []
- rack.url_scheme : https
- rack.version : [1, 3]
- warden : [FILTERED]
Backtrace:
app/models/course_logger.rb:26:in log' app/controllers/application_controller.rb:32:in block in class:ApplicationController'
Expected behavior Not sure, because I do not know what this alert messages are all about.
Screenshots None
"user"=>{"email"=>"1%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#"}
This suggests that someone is attacking your installation, trying to identify an SQL injection vulnerability. I believe it's unlikely that one actually exists here.
The error is triggered because autolab is trying to log a message before the COURSE_LOGGER object has been properly configured. It may or may not work for the order of the set_course and authenticate_user! before actions in application_controller.rb to be swapped
Thanks for the clarification! I'll ask the infrastrucutre team on my University to check IPs causing this messages to take actions. Thanks again.
"user"=>{"email"=>"1%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#"}This suggests that someone is attacking your installation, trying to identify an SQL injection vulnerability. I believe it's unlikely that one actually exists here.
The error is triggered because autolab is trying to log a message before the COURSE_LOGGER object has been properly configured. It may or may not work for the order of the
set_courseandauthenticate_user!before actions inapplication_controller.rbto be swapped