Python agent release notes

Release date: December 17, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.9

New and improved:

  • Added support for Python 3.9.

  • Agent does not unpack method arguments when passing them into Assess rules.

  • Agent now ignores .so files from loaded modules when patching.

  • Added route coverage support for DjangoRestFramework routers.

  • Added capability of deadzoning methods to improve accuracy.

  • Assess stacktraces can now be configured with assess.stacktraces.

  • Corrected possible string tracker age off KeyError on key deletion.

Release date: November 20, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Bug fixes:

  • Service and agent were using different environment variable to set the config.path. Updated CONTRAST_CONFIG_PATH value parsing to look for a file and not a directory with the YAML file. (SUP-2257, PYT-1161)

Release date: November 20, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

New and improved:

  • Added additional debug logging on request start and finish.

  • Improved library analysis support to include parsing SOURCES.txt.

  • Updated timing of logging of the environment of an application.

  • Added logging of configuration values on any logger change.

  • Fixed propagation scope leak for generators.

Bug fixes:

  • Agent crashed in a scenario where free() could be called twice because of patching by Gevent.. (PYT-1164)

Release date: November 4, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

New and improved:

  • The agent now reports enhanced library usage on startup and at the end of each request. After a request is received by the agent, we report new files loaded for an installed package.

  • The agent will not report unsupported distribution types for packages.

  • Updated the heartbeat thread to no longer accidentally propagate and cause an error.

Release date: October 28, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

New and improved:

  • Added configurable Django Rest Framework (DRF) response-rendering deadzone to fix timeout errors in DRF applications.

Release date: October 23, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

New and improved:

  • Improved NoSQL Injection support for Assess and Protect.

  • NoSQLi now handles MongoDB ObjectID types.

  • Added html.escape as a sanitizer in Assess.

  • Added WARN level logging if the configuration required to connect to the Contrast Service is missing.

  • Added INFO level configuration state logging, including ENV and YAML values.

  • Added YAML validation and, if invalid syntax is detected, WARN level logging indicating such.

  • Added INFO level application identification logging

  • Removed strict compiler flags from extension build.

  • Reduced latency in Django Rest Framework's response handling.

  • Investigated excessive DB_WRITE propagation.

Release date: October 5, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Bug fixes:

  • Failed to repatch module due to __dict__ changing size while iterating over it. (PYT-1085)

Release date: September 21, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Bug fixes:

  • Inability to patch held references to older versions of modules prevents instrumentation of referenced, rather than directly invoked, methods, such as in Werkzeug version 0.16.0.

Release date: September 17, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

New and improved:

  • Added support for Assess rules:

    • HttpOnly cookie flag disabled

    • Session cookie has no secure flag

    • Overly long session timeout

    • XPath injection rule

    • Trust boundary violation rules in Django, Flask, Pyramid and Pylons

  • Removed HTTP request methods as a dataflow source.

  • Added support for Assess configurations assess.enable_scan_response and assess.rules.disabled_rules.

Release date: September 1, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Bug fixes:

  • Unable to instrument applications on OSX using locally built Python versions due to maxprot setting. (PYT-1025)

Release date: August 31, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Bug fixes:

  • Hardcoded analysis rules were accidentally disabled. (PYT-1027)

Release date: August 25, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Bug fixes:

  • When the agent was disabled, attempting to start without the Contrast service, resulted in application crash in Flask applications. (PYT-1012)

Release date: August 24, 2020

Language versions currently supported: Python 2.7 and 3.5-3.8

New and improved:

  • Instrument compile as part of the Unsafe Code Execution rule.

  • Decouple ServiceClient from SettingsState

  • Use normalized_response_headers in DTM instead of response_headers.

  • Refactored XSS postfilter logic for checking allowed content type.

  • Updated MongoDB update_methods to account for all arguments.

  • Replaced FlowMap Technology Analysis.

  • Verifed that SR handles empty observed route url.

  • Merge all rules apply_rule into one implementation.

  • Do not report handled exceptions in INFO/ERROR logs

  • Upgraded Python agent to use SR 2.11.x.

Bug fixes:

  • Fix and update regex used for protect XXE rule (PYT-94)

  • Fix error in DB write propagator. (PYT-971)

  • Agent fails to identify itself with new SR instance after the original SR instance goes down. (PYT-715)

Language versions currently supported: Python 2.7 and 3.5-3.8

Bug fixes:

  • List pip and pkg_resources as dependencies and/or include as external modules. (PYT-974)

Language versions currently supported: Python 2.7 and 3.5-3.8

Bug fixes:

  • Do not report observed route if signature is missing/empty. (PYT-970)

Language versions currently supported: Python 2.7 and 3.5-3.8

Agent versions released during the past month: 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.2.0

New and improved:

  • Added route coverage support for Django 3.0.

  • Added Falcon 2.0 support.

  • Improved accuracy of library file usage.

  • Improved propagation through regular expressions in Assess.

Important notes:

  • The team made significant internal cleanup to Request representation

Bug fixes:

  • Fixed a bug where regex propagation was throwing an exception under certain conditions.

  • Fixed a bug related to agent handling of very short JSON keys and values.

  • Updated protobuf dependency requirement in response to incompatibility issues with older versions.

  • Fixed an issue where the agent raised an internal exception for applications using certain features of pyasn1.

  • Fixed a bug where Django applications were unable to properly parse the Content-Type header if a charset was explicitly provided.

  • Improved error handling around stack trace construction.

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Agent versions released during the past month: 2.10.0

New and improved:

  • Falcon 2.0 is supported and is in beta

  • Upgraded Contrast Service to 2.8.1

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Agent versions released during the past month: 2.10.0

New and improved:

  • Added support for Django Rest Framework

  • Added copyright to all agent files

  • Removed the agent's external dependency on the wrapt package

  • Improved INFO level logging for easier tracking of applications with multiple processes

Bug fixes:

  • When running the agent with protobuf-3.6.1 sometimes the application crashed, which has now been resolved with a newer protobuf version.

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Agent versions released during the past month: 2.8.1, 2.8.2, 2.8.3, 2.9.0

New and improved:

  • Added initial support for Stored XSS rule in Assess for django framework.

  • Added Unvalidated Redirect support for Assess for pyramid and webob objects.

  • Made updates to reduce number of false positives from Reflected XSS rule in Assess.

  • Removed the agent’s external dependency on the six package.

Bug fixes:

  • When running the agent under Python 2.7 on Ubuntu 16.10 some instrumentation failed to apply, which has now been resolved.

  • When applications used str.format in certain edge cases, the agent lost dataflow propagation, which has now been resolved.