Unable to Save Company Info After Update 5.10.44>5.11.41

laserjet25 · February 22, 2025, 6:15pm

Version ie <v5.10.30>

5.11.41

Environment <Docker/Shared Hosting/Zip/Other>

ZIP

Checklist

Can you replicate the issue on our v5 demo site https://demo.invoiceninja.com or Invoice Ninja? No for either.
Have you searched existing issues? Yes.
Have you inspected the logs in storage/logs/laravel.log for any errors? Yes. File is empty.

Describe the bug

Similar to this issue #10233
Chrome dev console outputs the following after clicking save:

message: 'Request failed with status code 400', name: 'AxiosError', code: 'ERR_BAD_REQUEST', config: {…}, request: XMLHttpRequest, …

response
: 
"<html>\r\n<head><title>400 Bad Request</title></head>\r\n<body>\r\n<center><h1>400 Bad Request</h1></center>\r\n</body>\r\n</html>\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n"
responseText
: 
"<html>\r\n<head><title>400 Bad Request</title></head>\r\n<body>\r\n<center><h1>400 Bad Request</h1></center>\r\n</body>\r\n</html>\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n<!-- a padding to disable MSIE and Chrome friendly error page -->\r\n"
responseType
: 
""
responseURL
: 
"https://invoice.company.com/api/v1/companies/dasdasdasda"

Steps To Reproduce

Update from 5.10.44 > 5.11.41
Go to Company page in settings.
Attempt to change any of your personal company info and receive error

Expected Behavior

Able to save company after making changes.

Additional context

Screenshots

Logs

hillel · February 22, 2025, 6:18pm

Hi,

Do any other pages fails to save or just this one?

Are there any errors in storage/logs?

laserjet25 · February 22, 2025, 8:00pm

Well this was apparently caused by the crowdsecurity/modsecurity module in my CS agent. I’m using NPMPlus’s implementation of CorwdSec, so I’m not quite familiar enough yet on how to gather logs from it to make exceptions. Is there an existing list of modsecurity customizations for Invoice Ninja?

Side note, I think the system logs in the web UI are a bit lacking and the only file I see in storage/logs is larvel.log which is empty. Is there somewhere I can find additional logs?

hillel · February 22, 2025, 8:19pm

If the request was being blocked the app wouldn’t log any errors.

Two other places in general to find logs are the web server error logs and the system_logs table.

laserjet25 · February 22, 2025, 8:41pm

I assumed this blocking wouldn’t show in the Invoice Ninja logs and would only be on my proxying NGINX instance. The additional log information was more for some unrelated items that came up during installation originally, which I was able to figure out through trial and error.

Are you aware of any existing exclusions/rules specifically tuned for Invoice Ninja to be used with ModSecurity?

hillel · February 22, 2025, 8:46pm

Sorry, I’m not aware of any