Python agent release notes
Release date: December 10, 2024
Language versions currently supported: Python 3.8 - 3.12
New and improved:
Use new_inventory_components in the agent. (PYT-3490)
Automatically and uniquely identify applications. (PYT-3580)
Report application fingerprints in session metadata. (PYT-3601)
Added support for Flask 3.1. (PYT-3604)
Fixed the deprecation notice on PyPI releases of contrast-agent-lib. (PYT-3615)
Updated the syslog timestamp. (PYT-3620)
Release date: December 4, 2024
Language versions currently supported: Python 3.8 - 3.12
New and improved:
Implemented the new Application Settings endpoint. (PYT-2744)
Bug fixes:
When instrumenting an app under a relatively high load, the agent occasionally raised a LookupError. (PYT-3619)
In relatively long-running applications, the agent occasionally failed to connect to the Contrast UI with connection reset errors. (PYT-3621)
Release date: November 21, 2024
Language versions currently supported: Python 3.8 - 3.12
New and improved:
The agent now supports base64.z85. (PYT-3410)
Added the remaining data required for the ADR Licensing report. (PYT-3560)
The agent now propagates through os.scandir and pathlib.Path.iterdir. (PYT-3568)
Bug fixes:
When switching Protect mode on, the agent would sometimes fail to initialize the state fully. (PYT-3577)
When lxml.html.fromstring was called with untrusted data, the agent would report a false positive XXE vulnerability. (PYT-3585)
Release date: November 4, 2024
Language versions currently supported: Python 3.8 - 3.12
New and improved:
Reporting agent data for Assess in Production has stricter sensitive data masking rules to prevent production user data from being sent to Contrast. (PYT-3502,PYT-3504)
The agent now uses a new_finding binding. (PYT-3473, PYT-3476)
The agent now automatically enables sampling if environment is set to production. (PYT-3564)
Bug fixes:
When a request met the Assess sampling criteria, the agent would skip the Protect analysis of the request. (PYT-3562)
When the agent failed to initialize an application in Contrast, the agent did not properly shut down and reported errors. (PYT-3567)
Release date: October 23, 2024
Language versions currently supported: Python 3.8 - 3.12
Bug fixes:
When untrusted data was passed to load_tzdata, a false positive path-traversal vulnerability was reported. (PYT-3541)
When analyzing requests with excessive string propagation, the agent sometimes did not respect the configured propagation limits, leading to substantially increased CPU usage. (PYT-3566)
Release date: October 21, 2024
Language versions currently supported: Python 3.8 - 3.12
New and improved:
The application name and the server name are now stored on agent_state, and security_log_msg reads them from agent_state instead of Settings. (PYT-3370)
The agent now reports new applications, new servers, and route coverage data through a new reporting library. (PYT-3471, PYT-3472, PYT-3477, PYT-3478)
The Discovered libraries log message is now updated to include the package versions. (PYT-3534)
Bug fixes:
When a hardcoded yarl.URL was evaluated for SSRF, a false positive vulnerability was reported. (PYT-3531)
When dataflow propagation limits were reached while analyzing a call to exec or eval, the agent logger could deadlock. (PYT-3539)
Release date: September 25, 2024
Language versions currently supported: Python 3.8 - 3.12
New and improved:
Improved analysis for the CSP insecure response rule to reduce false positives. (PYT-3432)
Improved the sampling algorithm to reduce the work the agent does when sampling is enabled. (PYT-3428)
Bug fixes:
Fixed a false positive for validated redirects. (SUP-5791)
Fixed an internal dataflow issue when the Python interpreter was coercing types through a formatted string. (PYT-3423)
Release date: August 26, 2024
Language versions currently supported: Python 3.8 - 3.12
New and improved:
Removed Funchook from the agent. (PYT-3153)
Funchook was an internal instrumentation strategy that’s no longer sustainable due to changes in Mac hardware security and the CPython core.
Application inventory now reports to the v1.1 TeamServer endpoint. This change requires Contrast v3.11.4 or later. (PYT-3324)
Server Inventory now logs an error on on-premises Contrast versions before v3.11.6, where the server inventory endpoint does not exist. This error only indicates that cloud resources are not reported to Contrast; otherwise, it doesn't affect agent functionality. (PYT-3381)
Bug fixes:
The agent now writes some startup logs to stderr instead of stdout, to avoid interfering with scripts that write to stdout. (PYT-3435)
A disabled agent no longer blocks reading from the request body in ASGI apps. (PYT-3437)
Release date: August 20, 2024
Language versions currently supported: Python 3.8 - 3.12
New and improved:
Added support for a new CONTRAST__API__TOKEN setting in the agent configuration file. (PYT-3395)
Bug fixes:
Fixed an issue where agent buffering prevented ASGI apps from streaming a response body. (PYT-3397)
Fixed an issue where the agent failed to track the body for Assess dataflow when Flask request bodies were accessed with get_data or get_json. (PYT-3384)
Fixed an issue where the Contrast web interface showed Node.js-specific How-to-Fix instructions when a Python NoSQL injection vulnerability was reported. (PYT-3375)
Fixed an issue where the agent failed to propagate dataflow and logged an error when a cformat string contained escaped %% characters. (PYT-3256)
Release date: July 16, 2024
Language versions currently supported: Python 3.8 - 3.12
New and improved:
The agent now supports reporting to syslog. (PYT-3261)
The agent now extracts and reports cloud resource IDs for AWS and Azure. (PYT-2713)
You can disable this by setting server.discover_cloud_resource to false in the agent configuration file.
Release date: June 3, 2024
Language versions currently supported: Python 3.8 - 3.12
Bug fixes:
When handling an invalid multipart form data boundary, the agent logged an unnecessarily loud exception. (PYT-3118)
When the agent session ID was unset, agent findings were not sent correctly to Contrast. (PYT-3339)
When JIT compiling functions with numba, agent instrumentation would cause a ValueError. (PYT-3342)
Release date: May 30, 2024
Language versions currently supported: Python 3.8 - 3.12
New and improved:
Support for reporting attack events to Syslog through local configuration. Accepting configuration via the UI will follow soon.
Improved performance for slicing, our most common propagation operation.
Significant performance improvements for stack trace generation.
Bump zipp from 3.18.1 to 3.18.2.
The contrast-agent package now has an optional [debug] extra. It currently includes experimental tracing tools for debugging performance issues.
Bug fixes:
When accessing instrumented functions that are stored on class attributes, the agent throws exceptions. (PYT-3321)
Release date: May 20, 2024
Language versions currently supported: Python 3.8 - 3.12
New and improved:
Updated agent-lib to the latest version.
Refactored route discovery and route observation to prepare for moving route discovery to a background thread.
Moved direct agent dependencies to a static file.
Sensitive data masking of application activity does not occur if there are no attacks.
When an application is instrumented with Contrast, route observation for expected response codes will be ignored.
Added deprecation warning for Python 3.8 support for EOL in October 2024.
Added framework to Route Discovery.
Bug fixes:
When instrumenting the initialization of some string subclasses, the agent could cause a RecursionError. (PYT-3295)
When calling enumfields.from_db_value, agent instrumentation caused unnecessary latency and CPU usage. (PYT-3321)
When the library reader processes distributions, the name is converted to all lowercase characters. (PYT-3326)
Release date: May 7, 2024
Language versions currently supported: Python 3.8 - 3.12
New and improved:
Store dataflow event history as a graph instead of a list.
Removed PERMIT Protect rule mode.
Improved performance of import_patch.
Bug fixes:
When handling certain unexpected types, we were unable to convert strings to lowercase when sending data to Contrast. (PYT-3282)
Release date: April 25, 2024
Language versions currently supported: Python 3.8 - 3.12
New and improved:
Startup communication between the Python agent and Contrast has changed. As a result, EOP users must have EOP 3.11.2+ for Python agent 8.0.0+. For EOP versions before 3.11.2, pin the agent dependency to 7.x, for example: pip install -U 'contrast-agent<8'
Added error handling for a possible AgentStartup 500 response.
Disabled funchook by default.
Bug fixes:
When Contrast Protect found an attack, a duplicate PROBE event was also sent to Contrast. (PYT-3255)
When handling certain unexpected types, Contrast Assess sometimes failed to propagate dataflow through rewritten operations. (PYT-3248)
When a non-str object was passed to an SQLi sink, Contrast Protect incorrectly threw an internal exception. (PYT-3228)
Release date: April 9, 2024
Language versions currently supported: Python 3.8 - 3.12
New and improved:
Improved the error message when contrast-python-run is not passed a command.
Optimized rewrites.
Moved library discovery from first request to startup to improve response latency.
Bug fixes:
When the agent received a request with Unicode characters in the path, it would raise exceptions that interrupted reporting. (PYT-3134)
When the agent received a request with invalid utf-8 characters, it would raise exceptions that interrupted reporting. (PYT-3135)
When the agent instrumented Falcon apps that use Cython, some request properties were not tracked as sources. (PYT-3218)
When instrumenting exec and eval calls, different compiler flags were used, resulting in undefined names. (PYT-3250)
Release date: March 20, 2024
Language versions currently supported: Python 3.8 - 3.12
Bug fixes:
When analyzing a StaticFiles endpoint in a FastAPI app, the agent did not correctly record route information. (PYT-2917)
When using Gunicorn with gevent or eventlet, the runner instrumentation would cause a RecursionError. (PYT-3212)
Release date: March 14, 2024
Language versions currently supported: Python 3.8 - 3.12
Bug fixes:
When analyzing a request that led to a 404 response in Flask, Assess incorrectly reported a new Route. (PYT-3209)
Release date: March 8, 2024
Language versions currently supported: Python 3.8 - 3.12
Bug fixes:
When the application provided a relative Location response header, Contrast incorrectly converted the value to an absolute location. (PYT-3208)
Release date: February 22, 2024
Language versions currently supported: Python 3.8 - 3.12
New and improved:
Added support for Django 4.2.x and 5.x.
Use agent-lib for SQLi infilter analysis.
Added a release step for updating agent-operator-images.
Added support for Flask 3.x.
Opt out of telemetry in pipelines.
Make unit tests pass with integration test environment variables set.
Moved all dependabot config to dependabot.yml.
Optimized structlog utility headers.
Use agent-lib at the cmdi infilter.
Use requests.Session to reuse HTTP connections from ReportingClient.
Verified support for escapeseq in Django 5.0.
Created all missing parent directories in agent.logger.path.
Bug fixes:
When analyzing non-HTML response bodies, Contrast Assess did not handle exceptions gracefully. (PYT-2870)
Fixed bad interaction between policy-based rewrites and patch policy. (PYT-3064)
When configured to use a proxy server, the agent prevented successful network configuration if the URL scheme of the proxy did not match the target server. (PYT-3189)
Release date: January 23, 2024
Language versions currently supported: Python 3.8 - 3.12
New and improved:
Removed support for EOL frameworks Django 1, Django 2, Pyramid less than 1.10, Flask less than 1.0, Falcon less than 2.0.
Removed support for Python 3.7.
Automatically delete libcontrast logs after a pytest run.
Utilized importlib.metadata in the library reader's patched state.
Added a dependabot ignore for OpenAI.
Updated Teamserver URLs.
Bug fixes:
When aging off-tracked strings under heavy request load, the agent sometimes logged a KeyError. (PYT-3057)
When the agent was run with a virtual environment in the CWD, stack traces reported to the ContrastUI were not trimmed correctly. (PYT-3125)
When a Django application retrieved a user using a db-based session, Assess could incorrectly find an unsafe-code-execution vulnerability. (PYT-3165)
Release date: January 9, 2024
Language versions currently supported: Python 3.8 - 3.12
New and improved:
Updated vendored importlib-metadata.
Updated structlog to the latest version.
Updated test_fstring.py test_self_documenting_fstring_format to the latest style.
Stabilized environment variables for the loader.
Dependabot: updated the flask-sqlalchemy requirement to 3.1.
Added integration tests for api.certificate settings.
Updated and added support for SQLAlchemy 2.0.
Release date: January 2, 2024
Language versions currently supported: Python 3.8 - 3.12
New and improved:
Stopped reporting library manifest on application update.
Removed support for:
Bottle versions earlier than 0.12
FastAPI versions earlier than 0.71.x
Falcon versions earlier than 3.0
Django versions earlier than 3.2
Ported relevant code from importlib.metadata.
Utilized importlib.metadata in library reader catch-up analysis.
Allowed Assess and Protect concurrency.
Updated the structlog dependency.
Updated Werkzeug to 3.0.
Use the args and kwargs attributes on mock call objects instead of indexing.
Dependabot: updated the coverage requirement from ==7.2.* to ==7.3.*.
Updated Black to the latest version.
Bumped the typing-extensions dependency to the latest version.
Removed code marked with py37.
Archive
Release date: November 30, 2023
Language versions currently supported: Python 3.8 - 3.12
New and improved:
End of support for language version 3.7.
Updated mysql-connector to the latest version.
Release date: November 29, 2023
Language versions currently supported: Python 3.7 - 3.12
New and improved:
Release of language version 3.12.
Added the reporting of active configuration and source of the settings.
Added support for agent.logger.stdout in the common configuration.
Enabled sys.monitoring INSTRUCTION-level events.
The agent no longer throws an exception when trying to log the effective config to disk while the agent log path is set to STDOUT.
Release date: November 21, 2023
Language versions currently supported: Python 3.7 - 3.11
New and improved:
Updated the hardcoded key list to exclude SCHEMA.
Bug fixes:
When instrumenting a Django application with manual middleware installation, the agent did not automatically discover routes. (PYT-3085)
Release date: November 17, 2023
Language versions currently supported: Python 3.7 - 3.11
Bug fixes:
When running Assess in a Django application, the agent incorrectly marked the URL scheme as a source of untrusted data. (PYT-3082)
Release date: October 18, 2023
Language versions currently supported: Python 3.7 - 3.11
Bug fixes:
When a normal static resource is accessed in FastAPI, the agent reports PathTraversal. (PYT-3021)
When analyzing requests in Assess mode, the agent caused a memory leak. (PYT-3050)
Release date: October 11, 2023
Language versions currently supported: Python 3.7 - 3.11
New and improved:
Updated logging to use the latest standard for getting thread ID and improved logged message with non-JSON response from Contrast.
Bug fixes:
When using Genshi with the Contrast Runner, the agent caused an exception if % appeared in a template. (PYT-3005)
When lxml.etree.fromstring was called with a known safe parser, Assess incorrectly reported an XXE vulnerability. (PYT-3013)
Release date: September 7, 2023
Language versions currently supported: Python 3.7 - 3.11
New and improved:
Removed the deprecated attack timing feature from Protect.
Swapped ApplicationProxies for function_wrappers.
Updated URL normalization of request data based on the specification.
Created a detailed help message for the Agent Runner.
Added a propagation policy for pathlib.
Configuration is now logged to disk after startup.
Added logging of a failing runtime connection result.
Bug fixes:
Fixed the anyio pinned version for the old FastAPI framework test. (PYT-3001)
When CacheControlsRule exceptions were present, the agent still reported an Anti-Caching Controls vulnerability. (PYT-2997)
Fixed warnings in the unit test suite: "Directory not empty": attempt #2. (PYT-2996)
Release date: August 14, 2023
Language versions currently supported: Python 3.7 - 3.11
New and improved:
Release of Contrast Runner, a new command-line interface for instrumenting Python applications.
Removed the deprecated_middleware module and all associated code.
Policy-based rewrites are now applied immediately after registering the rewriter in the runner.
String hooks are now applied early enough in environments where funchook is not enabled.
Bumped the ruamel-yaml dependency to the latest version.
Added an ssrf trigger policy for the requests library.
Added a deprecation warning when using specific middleware classes.
Added support for the latest FastAPI (0.96.*).
Added the agent.python.enable_automatic_middleware configuration option to disable automatic middleware instrumentation.
Enabled error-free installation on M1/arm architecture.
Removed policy-based rewrites (including the hidden configuration option) and added a propagation policy for posixpath.
Bumped the typing-extensions dependency to the latest version.
Implemented automatic middleware instrumentation for AIOHTTP, Bottle, Falcon (ASGI), Falcon (WSGI), FastAPI, Flask, Pyramid, and Quart.
Removed the JSON policy, contrast.agent.policy.loader, and any associated unused code.
Removed trace logging.
Updated the propagation policy for the builtins module.
Added a propagation policy for the genericpath module.
Added/updated the propagation policy for the _codecs module.
Updated contrast.__init__ to directly use pkg_resources.
Removed Django-specific middleware (ASGI and WSGI), Falcon-specific middleware (ASGI and WSGI), and Pyramid-specific middleware.
Removed Protect response overwrite.
Bug fixes:
When Protect reported an attack coming from HTTP form data, the source was incorrectly listed as query string. (PYT-2974)
Fixed the vulnpy pipeline. (PYT-2955)
Fixed Quart auto-instrumentation for app.run(). (PYT-2929)
Flask apps started with the dev server using app.run() are now instrumented automatically. (PYT-2918)
Fixed AttributeError: BoundLogger object has no attribute trace. (PYT-2790)
Release date: August 4, 2023
Language versions currently supported: Python 3.7 - 3.11
New and improved:
Implemented a prompt-injection trigger policy for the OpenAI API.
Release date: July 26, 2023
Language versions currently supported: Python 3.7 - 3.11
New and improved:
Added the api.certificate.ignore_cert_errors configuration option for ignoring certificate errors. Because this disables TLS certificate validation of the agent's connection to Contrast, enable it only in test environments.
Release date: July 26, 2023
Language versions currently supported: Python 3.7 - 3.11
New and improved:
Added deprecation warning for Python 3.7 support.
Revisited the use of setuptools-scm for versioning.
Release date: June 27, 2023
Language versions currently supported: Python 3.7 - 3.11
Bug fixes:
The agent crashed when a non-string was passed to _evaluate_body_json. (PYT-2930)
Release date: May 31, 2023
Language versions currently supported: Python 3.7 - 3.11
Bug fixes:
When telemetry is enabled and the connection fails, the agent blocks the main application thread. (PYT-2872)
Release date: May 25, 2023
Language versions currently supported: Python 3.7 - 3.11
New and improved:
Updated instrumentation to avoid errors in certain edge cases.
Release date: May 16, 2023
Language versions currently supported: Python 3.7 - 3.11
New and improved:
Removed trailing slashes from configured Contrast API URL.
Release date: May 15, 2023
Language versions currently supported: Python 3.7 - 3.11
Bug fixes:
When using the rewriter with an instrumented application that uses Pandas, an exception occurs. (PYT-2856)
Release date: May 11, 2023
Language versions currently supported: Python 3.7 - 3.11
Bug fixes:
When the ASGI scope contained a client value of None, the agent raised an exception during source tracking. (PYT-2853)
Release date: May 9, 2023
Language versions currently supported: Python 3.7 - 3.11
New and improved:
Updated PyPI deploy action.
Moved agent initialization out of runner and back into middleware.
Added an integration test for Assess dataflow using the runner with uwsgi.
Bumped the typing-extensions dependency to the latest version.
Bumped the ruamel-yaml dependency to the latest version.
Bumped the isort dependency to the latest version.
Bumped the structlog dependency to the latest version.
Moved all packages in contrast.extern to the new contrast_vendor package.
Removed Flask-specific middleware.
Automatic middleware hooks now set and log the detected framework.
Removed FastAPI-specific middleware.
Added policy for urllib.parse propagators and sanitizers.
Bug fixes:
When the ASGI scope contained a client value of None, the agent raised an exception. (PYT-2850)
When running in Protect mode, the agent incorrectly identified normal header values as attacks. (PYT-2834)
When processing an HTTP 1.1 chunked response, the agent prevents the entire response from being sent to the client. (PYT-2822)
When analyzing certain objects with custom __bool__ implementations, the agent raised an exception. (PYT-2757)
When performing Assess analysis, the agent occasionally failed to correctly determine if an unknown object was iterable. (PYT-2756)
Release date: April 25, 2023
Language versions currently supported: Python 3.7 - 3.11
Bug fixes:
When processing certain JSON request bodies, Contrast Protect did not correctly adjust input types before performing analysis. (PYT-2824)
When analyzing mysql-connector installations missing a C extension, Contrast Assess failed to instrument the entire library. (PYT-2820)
Release date: April 21, 2023
Language versions currently supported: Python 3.7 - 3.11
Bug fixes:
Fixed an issue where, in a Python 3.7 environment without typing-extensions installed, the agent logger raised an exception. (PYT-2814)
Release date: April 11, 2023
Language versions currently supported: Python 3.7 - 3.11
New and improved:
Removed all bottle-specific logic from BottleMiddleware.
Updated the RuntimeError in setup.py to include a workaround for aarch64/arm systems.
Removed Quart-specific middleware.
Added a lock for agent state initialization.
Added support for the latest FastAPI (0.93.*).
Changed the AgentLib log level.
Integrated the Protect Library.
Bug fixes:
Fixed AttributeError: Constant object has no attribute elts. (PYT-2740)
Fixed UnicodeDecodeError: utf-8 codec can't decode byte 0xff in position 0: invalid start byte. (PYT-2725)
Fixed TypeError: module, class, method, function, traceback, frame, or code object was expected, got partial. (PYT-2664)
Fixed SystemError: <built-in function in_scope> returned a result with an error set. (PYT-2659)
Fixed a flaky pipeline step for server activity. No more flaky failures in flask-agent-direct-teamserver-response. (PYT-2651)
Release date: March 30, 2023
Language versions currently supported: Python 3.7 - 3.11
Bug fixes:
When trying to identify the current platform on startup, the agent raised an exception. (PYT-2777)
Release date: March 20, 2023
Language versions currently supported: Python 3.7 - 3.11
Bug fixes:
When instrumenting Bottle and Falcon applications, middlewares closer to the application than ContrastMiddleware were bypassed. (PYT-2727)
Release date: March 15, 2023
Language versions currently supported: Python 3.7 - 3.11
New and improved:
Upgraded externed wrapt from 1.14.1 to 1.15.0.
Upgraded agent-lib to 0.5.2.
Added a propagation policy for posixpath (os.path).
Bumped the pinned version of contrast-agent-lib to v0.4.0.
Updated the copyright message.
Removed the bypass option for messages.
Updated flask-sqlalchemy to 3.0.*.
Added support for Quart 0.18 / Werkzeug 2.2.
When the app server exits, Telemetry now sends any messages still in the queue.
Deprecated SR.
Added support for Python 3.11.
Bug fixes:
AttributeError: 'Settings' object has no attribute 'last_update_service'. (PYT-2563)
AttributeError: 'NoneType' object has no attribute 'disabled_assess_rules'. (PYT-2559)
AttributeError: 'NoneType' object has no attribute 'reportable_format'. (PYT-2552)
Release date: March 15, 2023
Language versions currently supported: Python 3.7 - 3.10
No updates
Release date: March 13, 2023
Language versions currently supported: Python 3.7 - 3.10
Bug fixes:
When the regex split result contains None, an exception occurs in the propagator. (PYT-2644)
When unicode-escape is used as encoding, LookupError occurs in path-traversal sink. (PYT-2553)
Release date: March 9, 2023
Language versions currently supported: Python 3.7 - 3.10
New and improved:
Bump contrast-agent-lib version to 0.5.2.
Release date: March 1, 2023
Language versions currently supported: Python 3.7 - 3.10
Bug fixes:
When too many assess regex propagation events occurred in a single request, the agent continued to propagate regardless of assess.max_propagation_events. (PYT-2676)
Release date: February 15, 2023
Language versions currently supported: Python 3.7 - 3.10
Bug fixes:
When evaluating the Protect deserialization rule for pickled data, the agent produced false positives too readily. (PYT-2646)
Release date: January 23, 2023
Language versions currently supported: Python 3.7 - 3.10
Bug fixes:
When performing Django's safe_join on a PosixPath object, the agent raised a TypeError. (PYT-2592)
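The safe_join bug above (PYT-2592) and the FastAPI static-resource false positive (PYT-3021) both concern the same check: joining a user-controlled path onto a base directory and refusing anything that escapes it. The following is an added example of such a check, written for this page and not taken from Django or from the Contrast agent. It accepts str and PosixPath inputs alike (the input type that triggered PYT-2592) and is purely lexical, so it runs without the files existing; the names safe_join and SuspiciousFileOperation mirror Django's but the implementation is this example's own.

```python
import os
from pathlib import Path
from typing import Union

PathLike = Union[str, os.PathLike]


class SuspiciousFileOperation(Exception):
    """Raised when a joined path would land outside its base directory."""


def safe_join(base: PathLike, *paths: PathLike) -> Path:
    """Join `paths` onto `base` and refuse any result outside `base`.

    Every argument may be a str or a PathLike (PosixPath included); os.fspath
    normalises them before os.path sees them. The check is lexical:
    os.path.abspath collapses '.' and '..' without touching the filesystem, and
    os.path.commonpath rejects both '../' escapes and absolute components
    (which os.path.join would otherwise let replace `base`). If the tree may
    contain symlinks pointing outside `base`, also call .resolve() on the
    result and repeat the containment check on the resolved path.
    """
    base_path = os.path.abspath(os.fspath(base))
    final_path = os.path.abspath(
        os.path.join(base_path, *(os.fspath(p) for p in paths))
    )
    # commonpath compares whole path components, so '/srv/app/static2' is not
    # treated as being under '/srv/app/static' the way a startswith() check
    # on the string would.
    if os.path.commonpath([base_path, final_path]) != base_path:
        raise SuspiciousFileOperation(f"{final_path!r} is outside {base_path!r}")
    return Path(final_path)


def is_safe(base: PathLike, *paths: PathLike) -> bool:
    """Boolean form of safe_join for callers that only need a yes/no answer."""
    try:
        safe_join(base, *paths)
    except SuspiciousFileOperation:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a normal static asset, a PosixPath variant, and
    # two traversal attempts (relative escape and absolute component).
    static_root = Path("/srv/app/static")
    print(safe_join(static_root, "css/site.css"))
    print(safe_join(static_root, Path("css") / "site.css"))
    for attempt in ("../../etc/passwd", "/etc/passwd", "../static2/x"):
        print(attempt, "->", "rejected" if not is_safe(static_root, attempt) else "allowed")
```

A normal request for a static file under the configured root passes this check, which is the behaviour an Assess rule should treat as safe; only inputs whose normalised result leaves the root are rejected.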
Release date: January 18, 2023
Language versions currently supported: Python 3.7 - 3.10
Bug fixes:
When the Contrast Service was too slow to start on server startup, the Agent failed to instrument the application. (PYT-2582)
Release date: January 11, 2023
Language versions currently supported: Python 3.7 - 3.10
Bug fixes:
When the agent failed to connect to the Contrast Service, it raised an AttributeError when handling the first request to the application. (PYT-2574)
Release date: January 6, 2023
Language versions currently supported: Python 3.7 - 3.10
Bug fixes:
When untrusted data was safely passed to subprocess functions using shell=False, the agent incorrectly reported a command injection vulnerability. (PYT-2557)
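The distinction behind PYT-2557 is worth seeing side by side: the same untrusted value is dangerous when interpolated into a shell=True command string and harmless as one element of an argv list. The following is an added example, not code from the agent or from the applications it instruments. It uses a child Python interpreter as a stand-in for the real tool so that it runs anywhere and shows exactly which arguments the child received; the payload is constructed for the demonstration.

```python
import shlex
import subprocess
import sys

# Stand-in for a real command-line tool: a child interpreter that prints the
# first argument it was given, so we can observe what actually reached it.
_ECHO_ARGV = "import sys; print(sys.argv[1])"


def run_unsafe(filename: str) -> str:
    """Vulnerable pattern: untrusted input concatenated into a shell command.

    shell=True hands the whole string to /bin/sh, so metacharacters in
    `filename` (';', '|', '$(...)') become shell syntax. Kept here only to
    show what a command-injection rule is meant to catch; do not copy it.
    """
    cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(_ECHO_ARGV)} {filename}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_safe(filename: str) -> str:
    """Safe pattern: argv list with shell=False (the default).

    No shell is involved, so `filename` reaches the child as a single literal
    argv entry regardless of its contents. This is the case PYT-2557 fixed:
    untrusted data flowing here is not a command injection.
    """
    proc = subprocess.run(
        [sys.executable, "-c", _ECHO_ARGV, filename],
        shell=False,
        capture_output=True,
        text=True,
    )
    return proc.stdout


if __name__ == "__main__":
    # Constructed attacker input: a plausible filename followed by an injected command.
    payload = "report.txt; echo INJECTED"
    print("shell=True  ->", repr(run_unsafe(payload)))
    print("shell=False ->", repr(run_safe(payload)))
```

With the payload above, run_unsafe prints the filename and then the output of the injected echo, while run_safe prints the whole payload back as one argument. The rule of thumb for both code review and rule tuning: a subprocess call with a list argv and no shell is not a command-injection sink for the arguments after the executable, but the executable itself and any shell=True call still are.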
Release date: November 17, 2022
Language versions currently supported: Python 3.7 - 3.10
New and improved:
Added support for URL exclusions when communicating directly with Contrast.
Added configuration support for input exclusions directly from Contrast.
Integrated AgentLib Request End for contrast_c::check_cmd_injection_query.
Upgraded externed typing-extensions to the latest version.
Bug fixes:
When ASGI websocket endpoints are used with the agent enabled, the app crashes. (PYT-2517)
Release date: October 31, 2022
Language versions currently supported: Python 3.7 - 3.10
Bug fixes:
When starting the Contrast Service without a path, the Agent defaults to STDOUT rather than the default file path. (PYT-2505)
Reduced frequency of server activity messages. (PYT-2484)
Release date: October 19, 2022
Language versions currently supported: Python 3.7 - 3.10
Bug fixes:
When attempting to rewrite the target of an append, the agent incorrectly passes self rather than the original Attribute. (PYT-2496)
Release date: October 18, 2022
Language versions currently supported: Python 3.7 - 3.10
New and improved:
Added support for FastAPI 0.85. (PYT-2456)
Implemented PII masking in the agent. (PYT-2462)
Added a CONTRAST__AGENT__PYTHON__REWRITE option that disables rewriting. (PYT-2485)
Release date: October 3, 2022
Language versions currently supported: Python 3.7 - 3.10
Bug fixes:
When running the agent, getting specifications in rewriter throws AttributeError. (PYT-2480)
Release date: September 28, 2022
Language versions currently supported: Python 3.7 - 3.10
Bug fixes:
When running the agent, rewriter cannot find specifications path. (PYT-2476)
Release date: September 21, 2022
Language versions currently supported: Python 3.7 - 3.10
Bug fixes:
Fixed an issue where the agent raised a KeyError when it received a websocket request. (PYT-2470)
Release date: September 20, 2022
Language versions currently supported: Python 3.7 - 3.10
Bug fixes:
Fixed an issue where an application instrumented with the agent crashed in an environment without lxml installed. (PYT-2464)
Release date: September 1, 2022
Language versions currently supported: Python 3.7 - 3.10
New and improved:
Falcon ASGI support is now available in Python agent 5.14.0.
Added support for Django 4.
Bug fixes:
When attempting to rewrite code for instrumentation, certain code patterns resulted in infinite loops and application crashes. (PYT-2444)
Release date: July 11, 2022
Language versions currently supported: Python 3.7 - 3.10
Bug fixes:
When agent.service.logger was configured to log to an unwritable path, the Contrast Service wrote DEBUG logs to stdout regardless of the configured log level.
Release date: June 21, 2022
Language versions currently supported: Python 3.7 - 3.10
Release date: June 13, 2022
Language versions currently supported: Python 3.7 - 3.10
Bug fixes:
When sampling settings are translated from Contrast, a String vs Enum mismatch causes them to be improperly applied. (PYT-2286)
When sqli protect rule isn't enabled, a NoneType error is logged (Telemetry-reported Error). (PYT-2311)
Release date: June 7, 2022
Language versions currently supported: Python 3.7 - 3.10
Release date: May 30, 2022
Language versions currently supported: Python 3.7 - 3.10
Release date: May 27, 2022
Language versions currently supported: Python 3.7 - 3.10
Release date: May 25, 2022
Language versions currently supported: Python 3.7 - 3.10
New and improved:
Telemetry exceptions - production issues from live customer environments will be reported to our servers to help remediate bugs.
Release date: April 14, 2022
Language versions currently supported: Python 3.7 - 3.10
New and improved:
Expanded FastAPI support to version 0.75.*.
Bug fixes:
When assess configuration specifies sampling.baseline, the agent incorrectly analyzes fewer baseline requests than expected. (PYT-2238)
Release date: April 11, 2022
Language versions currently supported: Python 3.7 - 3.10
Bug fixes:
When an assess-instrumented function throws any exception, the agent logs it at ERROR level even when recoverable. (PYT-2234)
Release date: April 7, 2022
Language versions currently supported: Python 3.7 - 3.10
New and improved:
Modified the agent to better support asynchronous functionality added by event.
Release date: April 5, 2022
Language versions currently supported: Python 3.7 - 3.10
New and improved:
Introduction of the Assess Sampling feature to facilitate performance tuning.
Bug fixes:
When a Django request's path is missing a required "/", the agent does not mark the route as observed. (PYT-2222)
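The Assess Sampling feature introduced here, the sampling.baseline bug (PYT-2238) and the later rule that sampling must never skip Protect analysis (PYT-3562) all turn on how the per-route counter works. The following is an added example of a sampler with those properties, written for this page; it is not the agent's algorithm. The option names follow the assess.sampling.* settings seen on this page (baseline, request_frequency, window_ms), but the exact counting rules are this example's assumption.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class SamplingConfig:
    # Names follow the assess.sampling.* options; semantics below are assumed.
    enable: bool = True
    baseline: int = 5            # analyze this many requests per route first
    request_frequency: int = 10  # after the baseline, analyze every Nth request
    window_ms: int = 180_000     # per-route counters reset after this interval


class AssessSampler:
    """Per-route sampling decision for Assess (dataflow) analysis.

    Protect is deliberately outside the decision: every request is still
    inspected for attacks whether or not Assess analyses it (the invariant
    PYT-3562 restored).
    """

    def __init__(self, config: SamplingConfig,
                 clock: Callable[[], float] = time.monotonic):
        self.config = config
        self._clock = clock  # injectable so the behaviour can be tested deterministically
        self._state: Dict[str, Tuple[float, int]] = {}  # route -> (window start ms, count)

    def should_analyze(self, route: str) -> bool:
        cfg = self.config
        if not cfg.enable:
            return True  # sampling off: analyse everything
        now_ms = self._clock() * 1000.0
        start_ms, count = self._state.get(route, (now_ms, 0))
        if now_ms - start_ms >= cfg.window_ms:
            start_ms, count = now_ms, 0  # window expired: a fresh baseline begins
        count += 1
        self._state[route] = (start_ms, count)
        if count <= cfg.baseline:
            return True  # the first `baseline` requests are always analysed (PYT-2238)
        return (count - cfg.baseline) % cfg.request_frequency == 0

    def decide(self, route: str) -> Dict[str, bool]:
        """Per-request decisions: Assess may be sampled out, Protect never is."""
        return {"assess": self.should_analyze(route), "protect": True}


if __name__ == "__main__":
    # Constructed traffic: eleven requests to one route with a small config.
    sampler = AssessSampler(SamplingConfig(baseline=3, request_frequency=4, window_ms=1000))
    print([sampler.decide("GET /items") for _ in range(11)])
```

Keying the counter by route rather than globally is what makes the baseline meaningful: a busy endpoint cannot consume the baseline of a rarely hit one, and each route's first requests, which carry the most new dataflow, are always analysed.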
Release date: March 30, 2022
Language versions currently supported: Python 3.7 - 3.10
Bug fixes:
When Django creates a redirect response to append a trailing "/" to the URL path, the agent incorrectly finds an unvalidated redirect. (PYT-2218)
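The unvalidated-redirect false positive above, the validated-redirects fix (SUP-5791) and the relative Location header bug (PYT-3208) all hinge on what a validated redirect target looks like. The following is an added example of such validation, written for this page and not taken from Django or from the agent. The function names are this example's own; the host allow-list and sample URLs are constructed.

```python
from typing import Iterable
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_safe_redirect(target: str, allowed_hosts: Iterable[str],
                     require_https: bool = False) -> bool:
    """Return True if `target` stays on an allowed host or is a plain relative path.

    Rejects the usual open-redirect tricks: scheme-relative URLs ('//evil.com'),
    backslash variants that browsers normalise to '/', triple-slash forms, and
    non-HTTP schemes such as 'javascript:'. A relative path like '/items/' is
    safe, so a framework's own trailing-slash redirect (PYT-2218) validates.
    """
    if not target:
        return False
    # Browsers treat '\' like '/' and '///host' like '//host'; urlsplit does not,
    # so reject those forms before parsing rather than trying to reinterpret them.
    if "\\" in target or target.startswith("///"):
        return False
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not parts.netloc:
        # No host component: acceptable only as a genuinely relative reference.
        return not parts.scheme
    host = (parts.hostname or "").lower()
    if host not in {h.lower() for h in allowed_hosts}:
        return False
    return parts.scheme.lower() == "https" if require_https else True


def resolve_location(request_url: str, location: str) -> str:
    """Resolve a relative Location header against the request URL (RFC 7231 section 7.1.2)."""
    return urljoin(request_url, location)


def validated_redirect_target(target: str, request_url: str, fallback: str = "/") -> str:
    """Choose where to send the user: the validated target, else a fixed fallback."""
    allowed = {urlsplit(request_url).hostname or ""}
    return target if is_safe_redirect(target, allowed) else fallback


if __name__ == "__main__":
    # Constructed candidates a `next=` parameter might carry.
    hosts = {"example.com"}
    for candidate in ("/account", "/items/", "https://example.com/next",
                      "//evil.com/x", "/\\evil.com", "javascript:alert(1)"):
        print(f"{candidate!r:28} -> {'safe' if is_safe_redirect(candidate, hosts) else 'rejected'}")
    print(resolve_location("https://example.com/items", "/items/"))
```

The resolve step matters for the PYT-3208 case: a relative Location is legitimate per RFC 7231 and must be resolved against the request URL, not rewritten into some other absolute form, before any host check is applied to it.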
Release date: March 28, 2022
Language versions currently supported: Python 3.7 - 3.10
Bug fixes:
When the agent encounters an issue during assess dataflow tracking, an error level, rather than debug, log message is created, potentially filling log tools. (PYT-2196)
Release date: March 23, 2022
Language versions currently supported: Python 3.7 - 3.10
Bug fixes:
When processing a request without a context, a missing None check resulted in an AttributeError. (PYT-2168)
When Protect is disabled either locally or in Contrast, the agent disables it. (PYT-2186)
Release date: March 16, 2022
Language versions currently supported: Python 3.7 - 3.10
Bug fixes:
When a Django app served a Jinja template, the agent consumed the response. (PYT-2166)
When an aiohttp application in Protect mode received a ContrastServiceException, an error occurred that crashed the app. (PYT-2167)
When an aiohttp, FastAPI, or Bottle app was onboarded, an incorrect framework name was reported. (PYT-2171)
Release date: March 1, 2022
Language versions currently supported: Python 3.7 - 3.10
New and improved:
The Python agent now supports FastAPI 0.74.
Release date: February 16, 2022
Language versions currently supported: Python 3.7 - 3.10
New and improved:
Added web application framework support for aiohttp.
Release date: February 11, 2022
Language versions currently supported: Python 3.7 - 3.9
New and improved:
Support for the asynchronous web application framework aiohttp.
Release date: February 1, 2022
Language versions currently supported: Python 3.7 - 3.9
Bug fixes:
When a protect-instrumented method receives non-UTF-8 encoded bytes, the agent fails to perform protect analysis. (PYT-2028)
Release date: January 13, 2022
Language versions currently supported: Python 3.7 - 3.9
Bug fixes:
When an application calls an instrumented method with a keyword-argument named "self", the agent throws an exception. (PYT-1998)
Release date: January 7, 2022
Language versions currently supported: Python 3.7 - 3.9
Note
Python versions 2.7.X, 3.5.X and 3.6.X are no longer supported after the Python agent 4.14.3.
Release date: December 15, 2021
Language versions currently supported: Python 2.7 and 3.5 - 3.9
Note
Python versions 2.7.X, 3.5.X and 3.6.X are no longer supported after the Python agent 4.14.3.
Release date: December 6, 2021
Language versions currently supported: Python 2.7 and 3.5 - 3.9
Bug fixes:
When handling many concurrent requests in Protect mode, the agent failed to perform path-traversal postfilter analysis. (PYT-1964)
Release date: November 30, 2021
Language versions currently supported: Python 2.7 and 3.5 - 3.9
Note
As of Python agent 4.14.1, the agent is bundled with Contrast Service version 2.27.2.
Release date: November 23, 2021
Language versions currently supported: Python 2.7 and 3.5 - 3.9
New and improved:
Expanded web application framework support for Pyramid 2.
Telemetry is now enabled in the Python agent in order to gather data about the agent's functionality. The data is anonymous; no personal information is collected.
Release date: November 18, 2021
Language versions currently supported: Python 2.7 and 3.5 - 3.9
New and improved:
We no longer report vulnerabilities when the value of url_scheme is used in a trigger.
The Python agent now supports the web framework FastAPI.
Release date: October 21, 2021
Language versions currently supported: Python 2.7 and 3.5 - 3.9
New and improved:
Expanded web server support for uWSGI.
Expanded web server support for Gunicorn.
Expanded web server support for Uvicorn.
Architectural improvements for propagation and associated extension hooks.
Release date: September 16, 2021
Language versions currently supported: Python 2.7 and 3.5 - 3.9
Bug fixes:
When the agent was installed in Python 2.7, the latest version of the protobuf dependency caused agent startup failure as it dropped support for older Python versions. (PYT-1757)
Release date: September 1, 2021
Language versions currently supported: Python 2.7 and 3.5 - 3.9
Bug fixes:
When a Bottle or Django app received a request with certain encoded characters in the path, the agent raised a UnicodeEncodeError. (PYT-1742)
Release date: August 24, 2021
Language versions currently supported: Python 2.7 and 3.5 - 3.9
New and improved:
Implemented event limit specifications to improve performance.
Bug fixes:
When the agent tried to detect the application framework, it always picked the default one. (PYT-1707)
Release date: July 29, 2021
Language versions currently supported: Python 2.7 and 3.5 - 3.9
New and improved:
Performance improvements from refactoring and other optimizations.
Release date: July 8, 2021
Language versions currently supported: Python 2.7 and 3.5 - 3.9
Bug fixes:
When a framework test was executed in an environment in which the agent was installed, the load ordering between the test code and the agent code prevented the agent from tracking some objects. (PYT-1574)
Release date: July 1, 2021
Language versions currently supported: Python 2.7 and 3.5 - 3.9
New and improved:
Removed specific support for the Pylons framework, given its merger with the Pyramid framework.
Expanded support for the Flask framework to include the new 2.X major version.
Bug fixes:
When a vulnerability payload is too large, TeamServer cannot process the finding and rejects it. (PYT-1488)
Release date: May 21, 2021
Language versions currently supported: Python 2.7 and 3.5 - 3.9
New and improved:
Added support for built-in sanitization and validation in the Falcon 2.X and Pyramid Web Application Frameworks to improve vulnerability detection when Assess is enabled.
The agent now reports all dependencies used by the application, even those without Python files.
The agent now supports TRACE level logging to assist with diagnostic investigations.
The agent has been refactored to provide performance improvement during vulnerability detection and reporting when Assess is enabled.
The agent now supports MarkupSafe 2.0 as used for cross-site scripting (XSS) vulnerability protection when observing data flow when Assess is enabled.
Release date: April 28, 2021
Language versions currently supported: Python 2.7 and 3.5 - 3.9
Bug fixes:
When a customer uploads a large file to an instrumented Falcon route, the agent performs too much analysis, causing the request to fail to complete. (PYT-1476)
Release date: April 21, 2021
Language versions currently supported: Python 2.7 and 3.5 - 3.9
Important note:
The Python agent now supports the web framework Bottle.
New and improved:
Incremental changes were made to reduce memory usage when Assess is enabled.
Added Assess support through pathlib.Path objects.
The Pycassa library is no longer supported by the agent.
Added additional Assess support for Command Injection vulnerabilities in the os and subprocess modules.
Added additional Assess support for the marshal and shelve modules.
Added additional Assess support for Path Traversal vulnerabilities in the os, pathlib, and shutil modules.
Added os.path.basename as a sanitizer for Path Traversal.
Bug fixes:
When propagating through string methods with the KEEP action, Assess fails internally on return values of length 1. (PYT-1466)
When running Assess on some alpine docker containers, the agent fails to instrument string methods, preventing application startup. (PYT-1450)
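The entry above treats os.path.basename as a Path Traversal sanitizer: it discards every directory component of an untrusted value, so "../../etc/passwd" collapses to "passwd" before it reaches a filesystem call. The following is an added example, not agent code or code from the Contrast documentation, showing the sanitized form next to the unsanitized one and the two checks a practitioner still has to add by hand: basename can return "" (for "dir/") or ".." (for "a/.."), and the sanitized name only stays safe if it is joined onto a fixed base directory. UPLOAD_ROOT and the file names are constructed for the example; note that on POSIX basename does not treat backslashes as separators, so a Windows-style traversal survives as a literal file name there (harmless on POSIX, but not on Windows, where basename strips it).

```python
import os
from pathlib import Path

# Constructed for this example: the only directory the app may serve from.
UPLOAD_ROOT = Path("/srv/app/uploads")


def safe_upload_path(user_supplied: str) -> Path:
    """Map an untrusted file name onto a path inside UPLOAD_ROOT.

    os.path.basename() is the sanitizer: every directory component is
    dropped, so "../../etc/passwd" becomes "passwd" and an absolute
    "/etc/passwd" becomes "passwd" as well.
    """
    name = os.path.basename(user_supplied)
    # basename("dir/") is "" and basename("a/..") is "..": the sanitizer
    # alone does not reject these, so the caller must.
    if name in ("", ".", ".."):
        raise ValueError(f"invalid file name: {user_supplied!r}")
    candidate = UPLOAD_ROOT / name
    # Defence in depth: confirm the normalized path is a direct child of
    # the root. normpath is pure string work, so no filesystem is touched.
    resolved = Path(os.path.normpath(candidate))
    if resolved.parent != UPLOAD_ROOT:
        raise ValueError(f"path escapes upload root: {user_supplied!r}")
    return resolved


def unsafe_upload_path(user_supplied: str) -> Path:
    """The vulnerable form: untrusted input joined with no sanitizer.

    pathlib's "/" operator replaces the left side entirely when the right
    side is absolute, and normpath happily walks ".." above the root.
    """
    return Path(os.path.normpath(UPLOAD_ROOT / user_supplied))


if __name__ == "__main__":
    for probe in ("report.pdf", "../../../etc/passwd", "/etc/passwd"):
        print(f"{probe!r:28} unsafe -> {unsafe_upload_path(probe)}")
        print(f"{'':28} safe   -> {safe_upload_path(probe)}")
```

The sanitizer is only meaningful when the result is joined onto a fixed root: os.path.basename applied to a value that is then used as the directory part of a path, or concatenated with another attacker-controlled string, does not prevent traversal, which is why the parent check is kept as a second line of defence.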
Release date: March 25, 2021
Language versions currently supported: Python 2.7 and 3.5 - 3.9
New and improved:
The agent now propagates through str multiplication.
The PyramidMiddleware is now a WSGI-based middleware.
User input that is later encoded as Base64 will now have proper dataflow context.
Bug fixes:
When attempting to instrument strings in Assess, not enough memory is allocated in some environments. (PYT-1350)
Release date: March 16, 2021
Language versions currently supported: Python 2.7 and 3.5 - 3.9
New and improved:
Refactored the patch manager for better instrumentation.
The agent will now fully shutdown if told to do so by the service.
Improved agent startup time and memory usage when Assess is enabled.
The agent now reports its effective instrumentation mode to the service.
Upgraded bundled service in the agent to the latest version.
Bug fixes:
When casting an object with a __str__ method to a non-str, the agent would lose propagation through the cast propagator. (PYT-1312)
When trying to instrument an application using SQLAlchemy, an error would be thrown if MySQLdb had no attribute called Cursor. (PYT-1332)
When trying to retrieve properties for an object, exceptions could be thrown if the agent attempted retrieval in an unsafe manner. (PYT-1333)
Release date: February 25, 2021
Language versions currently supported: Python 2.7 and 3.5 - 3.9
New and improved:
Refactored the agent's approach for handling objects with attached properties.
Updated Django support to prevent over tagging of path values within a request.
Upgraded service version bundled within the agent.
Updated dataflow action to prevent potentially unsafe propagation of tags.
Bug fixes:
When reporting a vulnerability while using legacy Django middleware, the agent would not run its final tasks if a trigger raises an error. (PYT-1257)
When trying to track dataflow through an action on a bytes object, the agent could fail. (PYT-1281)
Release date: February 5, 2021
Language versions currently supported: Python 2.7 and 3.5 - 3.9
Bug fixes:
When trying to format to lowercase hex, the format propagator would fail. We fixed this edge case. (PYT-1227)
Release date: January 29, 2021
Language versions currently supported: Python 2.7 and 3.5 - 3.9
Important note:
Support for Python 2.7 will be deprecated in 2021.
New and improved:
Added support for the Assess ReDoS rule.
Reduced the calls to retrieving Python loaded modules to improve performance.
Improved representation of dataflow with events containing keyword arguments.
Bug fixes:
The agent failed to process GET requests when handling user input from requests containing non-UTF-8 strings. Updated string handling to account for this. (PYT-1242)
When users uploaded files in a Flask application, the number of resulting dataflow events in internal web framework code caused significant performance degradation. Given the lack of exploitation risk in this method, we expanded the ignored methods for Flask, preventing these events and the subsequent degradation. (PYT-1247)
Release date: December 17, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.9
New and improved:
Added support for Python 3.9.
Agent does not unpack method arguments when passing them into Assess rules.
The agent now ignores .so files from loaded modules when patching.
Added route coverage support for DjangoRestFramework routers.
Added the capability of deadzoning methods to improve accuracy.
Assess stacktraces can now be configured with assess.stacktraces.
Corrected a possible string tracker age-off KeyError on key deletion.
Release date: November 20, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Bug fixes:
The service and the agent were using different environment variables to set config.path. Updated CONTRAST_CONFIG_PATH value parsing to expect the YAML file itself rather than the directory containing it. (SUP-2257, PYT-1161)
Release date: November 20, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
New and improved:
Added additional debug logging on request start and finish.
Improved library analysis support to include parsing SOURCES.txt.
Updated the timing of logging of an application's environment.
Added logging of configuration values on any logger change.
Fixed propagation scope leak for generators.
Bug fixes:
The agent crashed in a scenario where free() could be called twice because of patching by Gevent. (PYT-1164)
Release date: November 4, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
New and improved:
The agent now reports enhanced library usage on startup and at the end of each request. After a request is received by the agent, we report new files loaded for an installed package.
The agent will not report unsupported distribution types for packages.
Updated the heartbeat thread to no longer accidentally propagate and cause an error.
Release date: October 28, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
New and improved:
Added configurable Django Rest Framework (DRF) response-rendering deadzone to fix timeout errors in DRF applications.
Release date: October 23, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
New and improved:
Improved NoSQL Injection support for Assess and Protect.
NoSQLi now handles MongoDB ObjectID types.
Added html.escape as a sanitizer in Assess.
Added WARN level logging if the configuration required to connect to the Contrast Service is missing.
Added INFO level configuration state logging, including ENV and YAML values.
Added YAML validation and, if invalid syntax is detected, WARN level logging indicating such.
Added INFO level application identification logging
Removed strict compiler flags from extension build.
Reduced latency in Django Rest Framework's response handling.
Investigated excessive DB_WRITE propagation.
Release date: September 21, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Bug fixes:
The agent could not patch held references to older versions of modules, which prevented instrumentation of methods that were referenced rather than directly invoked, such as in Werkzeug version 0.16.0.
Release date: September 17, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
New and improved:
Added support for Assess rules:
HttpOnly cookie flag disabled
Session cookie has no secure flag
Overly long session timeout
XPath injection rule
Trust boundary violation rules in Django, Flask, Pyramid and Pylons
Removed HTTP request methods as a dataflow source.
Added support for the Assess configurations assess.enable_scan_response and assess.rules.disabled_rules.
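The three cookie rules listed above (HttpOnly flag disabled, session cookie without the Secure flag, overly long session timeout) are all properties of the Set-Cookie header an application emits. As an added example, not agent code or any rule implementation from Contrast, the following audits response headers for those three conditions using the standard library's http.cookies parser. The session cookie names, the 30-minute timeout threshold, and the sample headers are constructed assumptions for the example; a real policy would set its own.

```python
from http.cookies import SimpleCookie
from typing import Iterable, List, Tuple

# Assumptions for this example: which cookie names carry a session, and how
# long a session may live before the timeout counts as overly long.
SESSION_COOKIE_NAMES = ("sessionid", "session", "connect.sid")
MAX_SESSION_SECONDS = 30 * 60


def check_set_cookie(header_value: str) -> List[str]:
    """Return findings for one Set-Cookie header value (empty list if clean).

    SimpleCookie.load() parses "name=value; Path=/; Max-Age=...; Secure;
    HttpOnly". Flag attributes come back as True when present and "" when
    absent; Max-Age comes back as a string.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    findings: List[str] = []
    for name, morsel in jar.items():
        is_session = name.lower() in SESSION_COOKIE_NAMES
        # HttpOnly matters for every cookie: without it, script can read it.
        if not morsel["httponly"]:
            findings.append(f"{name}: HttpOnly flag disabled")
        # Secure keeps the session token off cleartext connections.
        if is_session and not morsel["secure"]:
            findings.append(f"{name}: session cookie has no Secure flag")
        max_age = morsel["max-age"]
        if is_session and max_age and int(max_age) > MAX_SESSION_SECONDS:
            findings.append(
                f"{name}: overly long session timeout ({max_age}s)"
            )
    return findings


def audit_response_headers(headers: Iterable[Tuple[str, str]]) -> List[str]:
    """Run check_set_cookie over every Set-Cookie header in a response."""
    findings: List[str] = []
    for header_name, header_value in headers:
        if header_name.lower() == "set-cookie":
            findings.extend(check_set_cookie(header_value))
    return findings


if __name__ == "__main__":
    # Constructed sample response: one weak session cookie, one hardened one.
    sample = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "sessionid=abc123; Path=/; Max-Age=2592000"),
        ("Set-Cookie", "csrftoken=xyz; Path=/; Max-Age=1800; Secure; HttpOnly"),
    ]
    for finding in audit_response_headers(sample):
        print(finding)
```

The parser is case-insensitive for attribute names, so "httponly" and "HttpOnly" are treated alike; a cookie that sets its lifetime only through Expires rather than Max-Age is not checked for timeout here, which is the kind of gap to close before relying on such a check.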
Release date: October 5, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Bug fixes:
Failed to repatch a module because its __dict__ changed size while being iterated over. (PYT-1085)
Release date: September 1, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Bug fixes:
Unable to instrument applications on macOS using locally built Python versions due to the maxprot setting. (PYT-1025)
Release date: August 31, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Bug fixes:
Hardcoded analysis rules were accidentally disabled. (PYT-1027)
Release date: August 25, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Bug fixes:
When the agent was disabled and a Flask application was started without the Contrast service, the application crashed. (PYT-1012)
Release date: August 24, 2020
Language versions currently supported: Python 2.7 and 3.5-3.8
New features and improvements:
Instrumented compile as part of the Unsafe Code Execution rule.
Decoupled ServiceClient from SettingsState.
Use normalized_response_headers in DTM instead of response_headers.
Refactored XSS postfilter logic for checking allowed content types.
Updated MongoDB update_methods to account for all arguments.
Replaced FlowMap Technology Analysis.
Verified that SR handles an empty observed route URL.
Merged all rules' apply_rule into one implementation.
Do not report handled exceptions in INFO/ERROR logs.
Upgraded the Python agent to use SR 2.11.x.
Bug fixes:
Fixed and updated the regex used for the Protect XXE rule. (PYT-94)
Fixed an error in the DB write propagator. (PYT-971)
Agent fails to identify itself with new SR instance after the original SR instance goes down. (PYT-715)
Language versions currently supported: Python 2.7 and 3.5-3.8
Bug fixes:
List pip and pkg_resources as dependencies and/or include them as external modules. (PYT-974)
Language versions currently supported: Python 2.7 and 3.5-3.8
Bug fixes:
Do not report observed route if signature is missing/empty. (PYT-970)
Language versions currently supported: Python 2.7 and 3.5-3.8
Agent versions released during the past month: 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.2.0
New features and improvements:
Added route coverage support for Django 3.0.
Added Falcon 2.0 support.
Improved accuracy of library file usage.
Improved propagation through regular expressions in Assess.
Important notes:
The team made significant internal cleanup to the Request representation.
Bug fixes:
Fixed a bug where regex propagation was throwing an exception under certain conditions.
Fixed a bug related to agent handling of very short JSON keys and values.
Updated protobuf dependency requirement in response to incompatibility issues with older versions.
Fixed an issue where the agent raised an internal exception for applications using certain features of pyasn1.
Fixed a bug where Django applications were unable to properly parse the Content-Type header if a charset was explicitly provided.
Improved error handling around stack trace construction.
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Agent versions released during the past month: 2.10.0
New features and improvements:
Falcon 2.0 is supported and is in beta
Upgraded Contrast Service to 2.8.1
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Agent versions released during the past month: 2.10.0
New features and improvements:
Added support for Django Rest Framework
Added copyright to all agent files
Removed the agent's external dependency on the wrapt package
Improved INFO level logging for easier tracking of applications with multiple processes
Bug fixes:
When running the agent with protobuf-3.6.1 sometimes the application crashed, which has now been resolved with a newer protobuf version.
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Agent versions released during the past month: 2.8.1, 2.8.2, 2.8.3, 2.9.0
New features and improvements:
Added initial support for the Stored XSS rule in Assess for the django framework.
Added Unvalidated Redirect support in Assess for pyramid and webob objects.
Made updates to reduce the number of false positives from the Reflected XSS rule in Assess.
Removed the agent's external dependency on the six package.
Bug fixes:
When running the agent under Python 2.7 on Ubuntu 16.10 some instrumentation failed to apply, which has now been resolved.
When applications used str.format in certain edge cases, the agent lost dataflow propagation, which has now been resolved.