passwords#create (NoMethodError) "undefined method `add' for nil:NilClass

[abrantesasf]

Your environment

• Universidade Vila Velha (UVV) Autolab at https://autolab.computacaoraiz.com.br/
• Rocky Linux 9.4
• Autolab v2.12.0

Steps To Reproduce Do not know. I'm not sure if this is a bug, a misconfiguration of my part or some other kind of problem.

Current behavior Today, from 01:36h to 02:18h, I got 722 emails messages from Autolab. The subject of messages is "passwords#create (NoMethodError) "undefined method `add' for nil:NilClass". Every message looks like the following:

A NoMethodError occurred in passwords#create:

undefined method add' for nil:NilClass app/models/course_logger.rb:26:inlog'

---

Request:

• URL : https://autolab.computacaoraiz.com.br/auth/users/password
• HTTP Method: POST
• IP address : 147.78.47.62
• Parameters : {"utf8"=>"✓", "authenticity_token"=>"xGp9Y63QTJc OkzEU1vIiCXwOxBCCW/EbuecHFsGPCOoOLEddeGShg9bru7g6zMVxgoDKemixmJj0o77kgtcgg==", "user"=>{"email"=>"1%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#"}, "controller"=>"devise/passwords", "action"=>"create"}
• Timestamp : 2024-08-18 01:18:49 -0400
• Server : fc4c8984e40b
  • Rails root : /home/app/webapp
• Process: 190

---

Session:

• session id: [FILTERED]
• data: {}

---

Environment:

• CONTENT_LENGTH : 236
  • CONTENT_TYPE : application/x-www-form-urlencoded; charset=utf-8
  • HTTPS : on
  • HTTP_ACCEPT : text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
  • HTTP_ACCEPT_CHARSET : ISO-8859-15,utf-8;q=0.7,*;q=0.7
  • HTTP_ACCEPT_ENCODING : gzip,deflate
  • HTTP_ACCEPT_LANGUAGE : en-us,en;q=0.5
  • HTTP_CACHE_CONTROL : no-cache,no-store
  • HTTP_HOST : autolab.computacaoraiz.com.br
  • HTTP_PRAGMA : no-cache
  • HTTP_USER_AGENT : Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.0 (KHTML,like Gecko) Chrome/3.0.195.27
  • HTTP_VERSION : HTTP/1.1
  • ORIGINAL_FULLPATH : /auth/users/password
  • ORIGINAL_SCRIPT_NAME :
  • PASSENGER_CONNECT_PASSWORD : [FILTERED]
  • PATH_INFO : /auth/users/password
  • QUERY_STRING :
  • REMOTE_ADDR : 147.78.47.62
  • REMOTE_PORT : 46266
  • REQUEST_METHOD : POST
  • REQUEST_URI : /auth/users/password
  • ROUTES_7040_SCRIPT_NAME :
  • SCRIPT_NAME :
  • SERVER_NAME : autolab.computacaoraiz.com.br
  • SERVER_PORT : 443
  • SERVER_PROTOCOL : HTTP/1.1
  • SERVER_SOFTWARE : nginx/1.18.0 Phusion_Passenger/6.0.19
  • action_controller.instance : #
  • action_dispatch.authenticated_encrypted_cookie_salt : [FILTERED]
  • action_dispatch.backtrace_cleaner : #
  • action_dispatch.content_security_policy :
  • action_dispatch.content_security_policy_nonce_directives:
  • action_dispatch.content_security_policy_nonce_generator :
  • action_dispatch.content_security_policy_report_only : false
  • action_dispatch.cookies : [FILTERED]
  • action_dispatch.cookies_digest : [FILTERED]
  • action_dispatch.cookies_rotations : [FILTERED]
  • action_dispatch.cookies_same_site_protection : [FILTERED]
  • action_dispatch.cookies_serializer : [FILTERED]
  • action_dispatch.encrypted_cookie_cipher : [FILTERED]
  • action_dispatch.encrypted_cookie_salt : [FILTERED]
  • action_dispatch.encrypted_signed_cookie_salt : [FILTERED]
  • action_dispatch.http_auth_salt : [FILTERED]
  • action_dispatch.key_generator : #
  • action_dispatch.logger : #
  • action_dispatch.parameter_filter : [:password, :password, :session, :warden, :secret, :salt, :cookie, :csrf, :restful_key, :lockbox_master_key, :lti_tool_private_key, /^((?-mix:client_secret|authentication_token|access_token|refresh_token|code))$/]
  • action_dispatch.permissions_policy :
  • action_dispatch.redirect_filter : []
  • action_dispatch.remote_ip : 147.78.47.62
  • action_dispatch.request.content_type : application/x-www-form-urlencoded
  • action_dispatch.request.formats : [#<Mime::Type:0x00007fcfba2accb8 @synonyms=["application/xhtml+xml"], @symbol=:html, @string="text/html", @hash=-1258011207859859265>]
  • action_dispatch.request.parameters : {"utf8"=>"✓", "authenticity_token"=>"xGp9Y63QTJc OkzEU1vIiCXwOxBCCW/EbuecHFsGPCOoOLEddeGShg9bru7g6zMVxgoDKemixmJj0o77kgtcgg==", "user"=>{"email"=>"1%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#"}, "controller"=>"devise/passwords", "action"=>"create"}
  • action_dispatch.request.path_parameters : {:controller=>"devise/passwords", :action=>"create"}
  • action_dispatch.request.query_parameters : {}
  • action_dispatch.request.request_parameters : {"utf8"=>"✓", "authenticity_token"=>"xGp9Y63QTJc OkzEU1vIiCXwOxBCCW/EbuecHFsGPCOoOLEddeGShg9bru7g6zMVxgoDKemixmJj0o77kgtcgg==", "user"=>{"email"=>"1%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#"}}
  • action_dispatch.request.unsigned_session_cookie : [FILTERED]
  • action_dispatch.request_id : 08517824-8a79-44d8-84c7-393175b798a7
  • action_dispatch.routes : #
  • action_dispatch.secret_key_base : [FILTERED]
  • action_dispatch.show_detailed_exceptions : false
  • action_dispatch.show_exceptions : true
  • action_dispatch.signed_cookie_digest : [FILTERED]
  • action_dispatch.signed_cookie_salt : [FILTERED]
  • action_dispatch.use_authenticated_cookie_encryption : [FILTERED]
  • action_dispatch.use_cookies_with_metadata : [FILTERED]
  • devise.mapping : #
  • newrelic.transaction_started : true
  • rack.attack.called : true
  • rack.attack.match_type : safelist
  • rack.attack.matched : allow from localhost
  • rack.errors : #
  • rack.hijack : #<Proc:0x00007fcfb447fbe0 /usr/lib/ruby/vendor_ruby/phusion_passenger/rack/thread_handler_extension.rb:94 (lambda)>
  • rack.hijack? : true
  • rack.input : #
  • rack.multiprocess : true
  • rack.multithread : false
  • rack.request.cookie_hash : [FILTERED]
  • rack.request.form_hash : {"utf8"=>"✓", "authenticity_token"=>"xGp9Y63QTJc OkzEU1vIiCXwOxBCCW/EbuecHFsGPCOoOLEddeGShg9bru7g6zMVxgoDKemixmJj0o77kgtcgg==", "user"=>{"email"=>"1%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#"}}
  • rack.request.form_input : #
  • rack.request.form_vars : [FILTERED]
  • rack.request.query_hash : {}
  • rack.request.query_string :
  • rack.run_once : false
  • rack.session : [FILTERED]
  • rack.session.options : [FILTERED]
  • rack.tempfiles : []
  • rack.url_scheme : https
  • rack.version : [1, 3]
  • warden : [FILTERED]

---

Backtrace:

app/models/course_logger.rb:26:in log' app/controllers/application_controller.rb:32:inblock in '

Expected behavior Not sure, because I do not know what this alert messages are all about.

Screenshots None

[cg2v]

"user"=>{"email"=>"1%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#"}

This suggests that someone is attacking your installation, trying to identify an SQL injection vulnerability. I believe it's unlikely that one actually exists here.

The error is triggered because autolab is trying to log a message before the COURSE_LOGGER object has been properly configured. It may or may not work for the order of the set_course and authenticate_user! before actions in application_controller.rb to be swapped

[abrantesasf]

Thanks for the clarification! I'll ask the infrastrucutre team on my University to check IPs causing this messages to take actions. Thanks again.

"user"=>{"email"=>"1%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#"}

This suggests that someone is attacking your installation, trying to identify an SQL injection vulnerability. I believe it's unlikely that one actually exists here.

The error is triggered because autolab is trying to log a message before the COURSE_LOGGER object has been properly configured. It may or may not work for the order of the set_course and authenticate_user! before actions in application_controller.rb to be swapped