elleracompany / craft-cookie-consent

GDPR-Compliant cookie consent banner for Craft CMS

Trying to get property 'cookieGroups' of non-object #103

Closed sm9 closed 1 year ago

sm9 commented 1 year ago

Hi there,

We're using this Craft Cookie Consent plugin on a multi-site install, and have noticed that we're seeing the following errors every few seconds in our server logs:

Trying to get property 'cookieGroups' of non-object in /home/forge/www.ourwebsite.com/vendor/elleracompany/craft-cookie-consent/src/controllers/ConsentController.php:30

We're using v1.6.1 of the Cookie Consent plugin, and Craft CMS v3.7.52. The site is hosted on Laravel Forge and uses PHP 7.4.

Do you have any ideas what the issue might be, or what we need to check to help debug this?

Thanks for your help.

Regards,

Stephen

jellingsen commented 1 year ago

Hi Stephen!

Does the consent work for the majority of users? Do you have any site without any cookie groups at all?

sm9 commented 1 year ago

Hi jellingsen, thanks for getting back to me.

The consent appears to be working okay other than the above message in our web.log file.

I checked each site in the multi-site setup and there are no sites without any cookie groups at all. Every site has the 4 cookie groups.

One thing I did notice though, is that every site had the Functional cookie group as 'Required', but there's no cookies in this group for any site, as we only use the Necessary, Analytical and Advertisement groups. The Functional group doesn't display on the front-end though.

In the first instance, I have just disabled the 'Required' toggle on every site for this Functional group, in case this was the cause of the issue (Screenshot), but this hasn't helped and we're still seeing this error in our web.log file. Do you have any ideas?

Thanks,

Stephen

jellingsen commented 1 year ago

I've quickly checked some logs on our own servers and can't find similar log entries..

I'm thinking it might be a cronjob or some console command generating them, as the $site seems to be null. Do you have a cronjob that runs often enough to be the source, or do you have items in the queue that are processed regularly?

I'm not sure why a console command or job would initiate the actionUpdate-method..

A quick fix would be to check if $site is an object, but I would like to understand what's triggering the function in the first place..

jellingsen commented 1 year ago

It could also be that the post body does not contain - or contains an invalid - site_id.

sm9 commented 1 year ago

We've looked into this further and we think we may have found the cause of the issue.

We were using the plugin's craft.cookieConsent.getConsent method with an SEOmatic tracking script, but in one scenario, we'd added the wrong handle to a specific site. Does this sound like it might have been the cause of this error? Or does this sound like it might be a red herring?

We've not had this error appear in the logs since we fixed this 4 hours ago, so we think they may have been the issue.

jellingsen commented 1 year ago

That sounds very plausible!

And since the logs seem fine as well, I'm gonna close this one, but feel free to reopen should the error reappear.

sm9 commented 1 year ago

Thanks for your help and quick responses for this, jellingsen, it's appreciated. I'll post back if any of the errors reappear.

sm9 commented 1 year ago

Hi jellingsen, sorry, but we spoke too soon and have just noticed this issue in our web.log files again. Doing a deeper dive into the error logs, we can see that whenever the Trying to get property 'cookieGroups' of non-object error is thrown, the post value that comes with it has a corrupted site_id value:

2023-08-09 04:41:56 [-][-][ogb0h80a5tmfvnbktsbbd64c56][error][yii\base\ErrorException:8] yii\base\ErrorException: Trying to get property 'cookieGroups' of non-object in /home/forge/www.oursite.com/vendor/elleracompany/craft-cookie-consent/src/controllers/ConsentController.php:30
Stack trace:
....

$_POST = [
    'CRAFT_CSRF_TOKEN' => '••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••'
    'action' => 'cookie-consent/consent/update'
    'cc-advertisement' => 'on'
    'cc-necessary' => 'on'
    'site_id' => '-1 OR 3+423-423-1=0+0+0+1'
    'uid' => '4aa6a4be-1ba2-456b-82db-0896951dcf0a'
]

This is a seemingly random value every time that looks like a broken MySQL query? Other values include:

'site_id' => '-5 OR 177=(SELECT 177 FROM PG_SLEEP(15))--'
'site_id' => '(select(0)from(select(sleep(15)))v)/*\'+(select(0)from(select(sleep(15)))v)+\'\"+(select(0)from(select(sleep(15)))v)+\"*/'
'site_id' => 'y37hqAIa\') OR 488=(SELECT 488 FROM PG_SLEEP(15))--'
'site_id' => '-1; waitfor delay \'0:0:15\' -- '
'site_id' => '-1)) OR 128=(SELECT 128 FROM PG_SLEEP(15))--'

We are rendering the cookie consent form with a custom template, using the following code:

<form action="" data-url="{{ actionUrl() }}" {{ craft.cookieConsent.getRefreshDataAttr }} data-show="{{ siteUrl() }}/cookie-consent/show" method="post" accept-charset="UTF-8">
  <input type="hidden" name="action" value="cookie-consent/consent/update">
  <input type="hidden" name="site_id" value="{{ currentSite.id }}">

  {% if craft.cookieConsent.consentGiven == 1 %}
    <input type="hidden" name="uid" value="{{ craft.cookieConsent.getUid }}">
  {% endif %}

  {{ csrfInput() }}

  .....
</form>

Please let us know if you need any more information or if there's anything you'd like us to try doing or checking.

Thanks,

Stephen

jellingsen commented 1 year ago

This looks very fishy.

This looks like SQL-injection attempts. I would check what other requests the same IP(s) have done, and block them.

It's probably just automated bots, but you should probably investigate.

This is far beyond the scope of this plugin, and as long as there is no vulnerability related to the plugin there is not much for me to do..
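As an added illustration (not the plugin's own code) of the quick fix discussed earlier in this thread: validating site_id before any lookup, so the malformed values shown in the web.log excerpt get a 400 response instead of a null $site and a PHP warning. It assumes the Craft 3 controller and Sites service API; the per-site record that owns cookieGroups is left as a comment, since that part of the action is not shown on this page.

```php
<?php
// Added example, not code from the craft-cookie-consent plugin.
namespace elleracompany\cookieconsent\controllers;

use Craft;
use craft\web\Controller;
use yii\web\BadRequestHttpException;
use yii\web\Response;

class ConsentController extends Controller
{
    // Consent is submitted by anonymous visitors, so the action must allow them.
    protected $allowAnonymous = true;

    /**
     * Accept only a plain positive integer. Values such as
     * "-1 OR 3+423-423-1=0+0+0+1" or "-1; waitfor delay '0:0:15' -- "
     * fail this check and never reach a database lookup.
     */
    public static function parseSiteId($raw): ?int
    {
        if (!is_string($raw) && !is_int($raw)) {
            return null;
        }
        if (!preg_match('/^[1-9][0-9]{0,9}$/', (string)$raw)) {
            return null;
        }
        return (int)$raw;
    }

    public function actionUpdate(): Response
    {
        $this->requirePostRequest();
        $request = Craft::$app->getRequest();

        $siteId = self::parseSiteId($request->getRequiredBodyParam('site_id'));
        $site = $siteId !== null ? Craft::$app->getSites()->getSiteById($siteId) : null;

        if ($site === null) {
            // One warning-level entry keeps automated probing visible in the logs
            // without the per-request PHP notice the original code produced.
            Craft::warning('Rejected consent update with invalid site_id', __METHOD__);
            throw new BadRequestHttpException('Invalid site_id.');
        }

        // $site is now a real craft\models\Site. The plugin's own per-site settings
        // lookup (the object that carries cookieGroups) and the cc-* checkbox
        // handling would follow here, exactly as in the original action.
        return $this->redirectToPostedUrl();
    }
}
```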