Demo data being erroneously loaded in production

I’m not sure what’s going on here yet, so I figured I’d say something here before opening a real bug report.

We updated our self-hosted installation from 5.3.3 to 5.3.6 (we are using docker, and there don’t appear to be any image tags for the intermediate versions) and now I’m seeing (what I assume to be) demo data appearing alongside our live data.

For example, these invoices which do not correspond to any real clients of ours:

Judging by the dates, I figured this is probably some demo data accidentally loaded by the update migration. Can we safely just remove these clients, or could the migration have corrupted some of our live data?

Thanks for reporting this!

@david any ideas?

Are you using our standard dockerfile?

How many extra records were created?

Have you ever run any console commands from docker?

Are you using our standard dockerfile?

Yes, mostly. I’m using a slightly customized composefile based off of this one and modified a bit to change ports and volume locations for our environment and the cron container removed since updating to v5, but largely the same and references the image invoiceninja/invoiceninja:5.3.6. We do not rebuild the image in any way, so yes it’s using the standard dockerfile in that sense.

There are also not any custom commands being run in any containers.

How many extra records were created?

Unclear, but there appear to be at least 4 records in the Client section: Howe and Sons, Johns, Conroy and Fritsch, Lang-Bernier, and Waters-Mann. They all have contacts and billing/shipping addresses and so on created for them as well.

There is also one invoice created for each of those clients, with a balance of $0.00. The other record types seem to be untouched as far as I can tell. (No extra quotes or expenses, etc)

Have you ever run any console commands from docker?

Nothing that I’m aware of that would have caused this, but if you’d like me to run a command to poke around, I am comfortable doing so. I can sanitize results and post back here to assist in troubleshooting, if that’s helpful. Did you have something in mind?

I can’t think of anyway to get extra data into the system without one of the console commands executed.

Also 4 records doesn’t sound like a usual amout of data that we inject in.

If you have access to the database, can you see which user_id is assigned to these records, and whether they match any of your users?

Sorry for the delay responding, but finally got back around to looking into the database.

can you see which user_id is assigned to these records, and whether they match any of your users?

Yes, the user id is my user id, but I certainly didn’t create these clients.

In fact, I’ve now deleted the 4 demo clients mentioned above (using the UI, so they are is_deleted=1 in the database) and now 2 more demo clients have been mysteriously created, complete with lorem ipsum private notes and example.com contact emails.

It feels like there’s a scheduled task somewhere that got accidentally enabled which is set to fill the database with demo data, but I’m not sure where to look in the container to find such a thing.

It may help to check the activities table for the records that were created. it’ll tell you the time and IP address of the creating user.