Python agent release notes

Release date: November 23, 2021

Language versions currently supported: Python 2.7 and 3.5 - 3.9

New and improved:

  • Expanded web application framework support for Pyramid 2.

  • Telemetry is now enabled in the Python agent in order to gather valuable data about the agent’s functionality. The data is anonymous; no personal information is collected.

Release date: November 18, 2021

Language versions currently supported: Python 2.7 and 3.5 - 3.9

New and improved:

  • We no longer report vulnerabilities when the value of url_scheme is used in a trigger.

  • The Python agent now supports the web framework FastAPI.

Release date: October 21, 2021

Language versions currently supported: Python 2.7 and 3.5 - 3.9

New and improved:

  • Expanded web server support for uWSGI.

  • Expanded web server support for Gunicorn.

  • Expanded web server support for Uvicorn.

  • Architectural improvements for propagation and associated extension hooks.

Release date: September 16, 2021

Language versions currently supported: Python 2.7 and 3.5 - 3.9

Bug fixes:

  • When the agent was installed in Python 2.7, the latest version of the protobuf dependency caused agent startup failure as it dropped support for older Python versions. (PYT-1757)

Release date: September 1, 2021

Language versions currently supported: Python 2.7 and 3.5 - 3.9

Bug fixes:

  • When a Bottle or Django app received a request with certain encoded characters in the path, the agent raised a UnicodeEncodeError. (PYT-1742)

Release date: August 24, 2021

Language versions currently supported: Python 2.7 and 3.5 - 3.9

New and improved:

  • Implemented event limit specifications to improve performance.

Bug fixes:

  • When the agent tried to detect the application framework, it always picked the default one. (PYT-1707)

Release date: July 29, 2021

Language versions currently supported: Python 2.7 and 3.5 - 3.9

New and improved:

  • Performance improvements from refactoring and other optimizations.

Release date: July 8, 2021

Language versions currently supported: Python 2.7 and 3.5 - 3.9

Bug fixes:

  • When a framework test was executed in an environment in which the agent was installed, load ordering between the test code and the agent code caused an inability to track some objects. (PYT-1574)

Release date: July 1, 2021

Language versions currently supported: Python 2.7 and 3.5 - 3.9

New and improved:

  • Removed specific support for the Pylons framework, given its merger with the Pyramid framework.

  • Expanded support for the Flask framework to include the new 2.X major version.

Bug fixes:

  • When a vulnerability payload is too large, TeamServer cannot process the finding and rejects it. (PYT-1488)

Release date: May 21, 2021

Language versions currently supported: Python 2.7 and 3.5 - 3.9

New and improved:

  • Added support for built-in sanitization and validation in the Falcon 2.X and Pyramid Web Application Frameworks to improve vulnerability detection when Assess is enabled.

  • The agent now reports all dependencies used by the application, even those without Python files.

  • The agent now supports TRACE level logging to assist with diagnostic investigations.

  • The agent has been refactored to provide performance improvement during vulnerability detection and reporting when Assess is enabled.

  • The agent now supports MarkupSafe 2.0 as used for cross-site scripting (XSS) vulnerability protection when observing data flow when Assess is enabled.

Release date: April 28, 2021

Language versions currently supported: Python 2.7 and 3.5 - 3.9

Bug fixes:

  • When a customer uploaded a large file to an instrumented Falcon route, the agent performed too much analysis, causing the request to fail to complete. (PYT-1476)

Release date: April 21, 2021

Language versions currently supported: Python 2.7 and 3.5 - 3.9

Important note:

  • The Python agent now supports the web framework Bottle.

New and improved:

  • Incremental changes were made to reduce memory usage when Assess is enabled.

  • Added Assess support through pathlib.Path objects.

  • Pycassa library is no longer supported by the agent.

  • Added additional Assess support for Command Injection vulnerabilities in os and subprocess modules.

  • Added additional Assess support for marshal and shelve modules.

  • Added additional Assess support for Path Traversal vulnerabilities in os, pathlib, and shutil modules.

  • Added os.path.basename as sanitizer for Path Traversal.
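Why os.path.basename counts as a Path Traversal sanitizer, shown as an added example that is not part of the original release notes and not the agent's own code: basename() discards every directory component of an untrusted value, so "..", absolute prefixes and nested directories cannot redirect a later os.path.join outside the intended directory. The sample inputs, the function names and the containment check are constructed for this illustration; the containment check is defence in depth that the bullet above does not describe.

```python
import os
import tempfile

# Constructed sample inputs (not from the original page) that exercise the sanitizer.
SAMPLE_NAMES = [
    "report.pdf",                # plain name, unchanged
    "../../secrets.txt",         # relative traversal, components dropped
    "/abs/path/secrets.txt",     # absolute path, components dropped
    "nested/dir/report.pdf",     # nested path, only the leaf survives
    "trailing/",                 # ends in a separator: no usable name
]


def sanitize_filename(user_value):
    """Reduce an untrusted value to a bare file name with os.path.basename.

    Returns None when nothing usable remains: an input ending in a
    separator yields '', and '.' or '..' would still name a directory.
    """
    name = os.path.basename(user_value)
    if name in ("", ".", ".."):
        return None
    return name


def resolve_upload(base_dir, user_value):
    """Join the sanitized name under base_dir and verify containment.

    realpath() resolves symlinks on both sides so the comparison is exact;
    commonpath() confirms the target still sits inside base_dir. This second
    check is independent of the sanitizer and would also catch a sanitizer
    bypass, so it is cheap insurance rather than a replacement for it.
    """
    name = sanitize_filename(user_value)
    if name is None:
        raise ValueError("no usable file name in %r" % (user_value,))
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes %r" % (base,))
    return target


def run_samples():
    """Sanitize every sample and return (input, sanitized) pairs."""
    return [(value, sanitize_filename(value)) for value in SAMPLE_NAMES]


def demo_resolution():
    """Resolve the traversal sample under a fresh temp dir and report whether it stayed inside."""
    base = tempfile.mkdtemp()
    target = resolve_upload(base, "../../secrets.txt")
    return os.path.dirname(target) == os.path.realpath(base)


if __name__ == "__main__":
    for value, name in run_samples():
        print("%-25r -> %r" % (value, name))
    print("traversal sample contained:", demo_resolution())
```

Note that os.path.basename follows the conventions of the host: on a POSIX host it does not treat a backslash as a separator, so a Windows-style value survives as a single literal file name. The containment check in resolve_upload is what makes the result safe regardless of which separators the input used.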

Bug fixes:

  • When propagating through string methods with the KEEP action, Assess fails internally on length-1 return values. (PYT-1466)

  • When running Assess on some Alpine Docker containers, the agent fails to instrument string methods, preventing application startup. (PYT-1450)

Release date: March 25, 2021

Language versions currently supported: Python 2.7 and 3.5 - 3.9

New and improved:

  • The agent now propagates through str multiplication.

  • The PyramidMiddleware is now a WSGI-based middleware.

  • User input that is later encoded as Base64 will now have proper dataflow context.

Bug fixes:

  • When attempting to instrument strings in Assess, not enough memory is allocated in some environments. (PYT-1350)

Release date: March 16, 2021

Language versions currently supported: Python 2.7 and 3.5 - 3.9

New and improved:

  • Refactored the patch manager for better instrumentation.

  • The agent will now fully shut down if told to do so by the service.

  • Improved agent startup time and memory usage when Assess is enabled.

  • The agent now reports its effective instrumentation mode to the service.

  • Upgraded bundled service in the agent to the latest version.

Bug fixes:

  • When casting an object with a __str__ method to a non-str, the agent would lose propagation through the cast propagator. (PYT-1312)

  • When trying to instrument an application using SQLAlchemy, an error would be thrown if MySQLdb had no attribute called Cursor. (PYT-1332)

  • When trying to retrieve properties for an object, exceptions could be thrown if the agent attempted retrieval in an unsafe manner. (PYT-1333)

Release date: February 25, 2021

Language versions currently supported: Python 2.7 and 3.5 - 3.9

New and improved:

  • Refactored the agent's approach for handling objects with attached properties.

  • Updated Django support to prevent over-tagging of path values within a request.

  • Upgraded service version bundled within the agent.

  • Updated dataflow action to prevent potentially unsafe propagation of tags.

Bug fixes:

  • When reporting a vulnerability while using legacy Django middleware, the agent would not run its final tasks if a trigger raised an error. (PYT-1257)

  • When trying to track dataflow through an action on a bytes object, the agent could fail. (PYT-1281)

Release date: February 5, 2021

Language versions currently supported: Python 2.7 and 3.5 - 3.9

Bug fixes:

  • When trying to format to lowercase hex, the format propagator would fail. We fixed this edge case. (PYT-1227)

Release date: January 29, 2021

Language versions currently supported: Python 2.7 and 3.5 - 3.9

Important note:

  • Support for Python 2.7 will be deprecated in 2021.

New and improved:

  • Added support for the Assess ReDoS rule.

  • Reduced the calls to retrieving Python loaded modules to improve performance.

  • Improved representation of dataflow with events containing keyword arguments.

Bug fixes:

  • The agent failed to process GET requests when handling user input from requests containing non-UTF-8 strings. Updated string handling to account for this. (PYT-1242)

  • When users uploaded files in a Flask application, the number of resulting dataflow events in internal web framework code caused significant performance degradation. Given the lack of risk of exploitation with this method, we expanded the ignored methods for Flask, preventing these events and the subsequent degradation. (PYT-1247)

Release date: December 17, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.9

New and improved:

  • Added support for Python 3.9.

  • Agent does not unpack method arguments when passing them into Assess rules.

  • Agent now ignores .so files from loaded modules when patching.

  • Added route coverage support for DjangoRestFramework routers.

  • Added capability of deadzoning methods to improve accuracy.

  • Assess stacktraces can now be configured with assess.stacktraces.

  • Corrected a possible string tracker age-off KeyError on key deletion.

Release date: November 20, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Bug fixes:

  • Service and agent were using different environment variables to set config.path. Updated CONTRAST_CONFIG_PATH value parsing to look for a file, not a directory containing the YAML file. (SUP-2257, PYT-1161)

Release date: November 20, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

New and improved:

  • Added additional debug logging on request start and finish.

  • Improved library analysis support to include parsing SOURCES.txt.

  • Updated timing of logging of the environment of an application.

  • Added logging of configuration values on any logger change.

  • Fixed propagation scope leak for generators.

Bug fixes:

  • Agent crashed in a scenario where free() could be called twice because of patching by Gevent. (PYT-1164)

Release date: November 4, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

New and improved:

  • The agent now reports enhanced library usage on startup and at the end of each request. After a request is received by the agent, we report new files loaded for an installed package.

  • The agent will not report unsupported distribution types for packages.

  • Updated the heartbeat thread to no longer accidentally propagate and cause an error.

Release date: October 28, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

New and improved:

  • Added configurable Django Rest Framework (DRF) response-rendering deadzone to fix timeout errors in DRF applications.

Release date: October 23, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

New and improved:

  • Improved NoSQL Injection support for Assess and Protect.

  • NoSQLi now handles MongoDB ObjectID types.

  • Added html.escape as a sanitizer in Assess.

  • Added WARN level logging if the configuration required to connect to the Contrast Service is missing.

  • Added INFO level configuration state logging, including ENV and YAML values.

  • Added YAML validation and, if invalid syntax is detected, WARN level logging indicating such.

  • Added INFO level application identification logging.

  • Removed strict compiler flags from extension build.

  • Reduced latency in Django Rest Framework's response handling.

  • Investigated excessive DB_WRITE propagation.
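What it means for html.escape to be recognized as an XSS sanitizer, as an added example that is not part of the original release notes and not the agent's own code: the function neutralizes the characters that would let untrusted text break out of an HTML text node or a quoted attribute. The sample value, function names and the attribute check below are constructed for this illustration; the caveat on quote=False is standard html.escape behaviour rather than something the bullet above states.

```python
import html

# Constructed untrusted value (not from the original page): it carries every
# character html.escape rewrites, so both output modes can be compared.
SAMPLE_VALUE = "O'Reilly & \"Sons\" <ltd>"


def escape_for_text(value):
    """Escape for insertion into an HTML text node.

    quote=True (the default) rewrites & < > " and ' to entities.
    """
    return html.escape(value, quote=True)


def escape_for_attribute(value):
    """Build a double-quoted attribute from an untrusted value.

    Only the quote=True form may be used here: with quote=False the
    double quote survives and could terminate the attribute early.
    """
    return 'value="%s"' % html.escape(value, quote=True)


def attribute_is_intact(attribute_markup):
    """Return True when the attribute has exactly the two delimiting quotes.

    This is the check that distinguishes a correctly escaped attribute
    from one built with quote=False.
    """
    return attribute_markup.count('"') == 2


def compare_modes(value):
    """Return (quote=True result, quote=False result) for side-by-side inspection."""
    return html.escape(value, quote=True), html.escape(value, quote=False)


if __name__ == "__main__":
    strict, loose = compare_modes(SAMPLE_VALUE)
    print("text node      :", escape_for_text(SAMPLE_VALUE))
    print("attribute      :", escape_for_attribute(SAMPLE_VALUE))
    print("quote=False    :", loose)
    print("attribute ok   :", attribute_is_intact(escape_for_attribute(SAMPLE_VALUE)))
    print("unescaped attr :", attribute_is_intact('value="%s"' % loose))
```

The escaped form is only correct for HTML text and quoted-attribute contexts; a value placed inside a URL, a script block or a CSS rule needs that context's own encoding, which is why a dataflow tool treats a sanitizer as valid for a specific sink rather than universally.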

Release date: October 5, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Bug fixes:

  • Failed to repatch module due to __dict__ changing size while iterating over it. (PYT-1085)

Release date: September 21, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Bug fixes:

  • Inability to patch held references to older versions of modules prevents instrumentation of referenced, rather than directly invoked, methods, such as in Werkzeug version 0.16.0.

Release date: September 17, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

New and improved:

  • Added support for Assess rules:

    • HttpOnly cookie flag disabled

    • Session cookie has no secure flag

    • Overly long session timeout

    • XPath injection rule

    • Trust boundary violation rules in Django, Flask, Pyramid and Pylons

  • Removed HTTP request methods as a dataflow source.

  • Added support for Assess configurations assess.enable_scan_response and assess.rules.disabled_rules.

Release date: September 1, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Bug fixes:

  • Unable to instrument applications on OSX using locally built Python versions due to maxprot setting. (PYT-1025)

Release date: August 31, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Bug fixes:

  • Hardcoded analysis rules were accidentally disabled. (PYT-1027)

Release date: August 25, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Bug fixes:

  • When the agent was disabled, attempting to start without the Contrast service resulted in an application crash in Flask applications. (PYT-1012)

Release date: August 24, 2020

Language versions currently supported: Python 2.7 and 3.5-3.8

New and improved:

  • Instrument compile as part of the Unsafe Code Execution rule.

  • Decouple ServiceClient from SettingsState.

  • Use normalized_response_headers in DTM instead of response_headers.

  • Refactored XSS postfilter logic for checking allowed content type.

  • Updated MongoDB update_methods to account for all arguments.

  • Replaced FlowMap Technology Analysis.

  • Verified that SR handles an empty observed route URL.

  • Merge all rules apply_rule into one implementation.

  • Do not report handled exceptions in INFO/ERROR logs.

  • Upgraded Python agent to use SR 2.11.x.

Bug fixes:

  • Fix and update regex used for the Protect XXE rule. (PYT-94)

  • Fix error in DB write propagator. (PYT-971)

  • Agent fails to identify itself with new SR instance after the original SR instance goes down. (PYT-715)

Language versions currently supported: Python 2.7 and 3.5-3.8

Bug fixes:

  • List pip and pkg_resources as dependencies and/or include as external modules. (PYT-974)

Language versions currently supported: Python 2.7 and 3.5-3.8

Bug fixes:

  • Do not report observed route if signature is missing/empty. (PYT-970)

Language versions currently supported: Python 2.7 and 3.5-3.8

Agent versions released during the past month: 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.2.0

New and improved:

  • Added route coverage support for Django 3.0.

  • Added Falcon 2.0 support.

  • Improved accuracy of library file usage.

  • Improved propagation through regular expressions in Assess.

Important notes:

  • The team made significant internal cleanup to the Request representation.

Bug fixes:

  • Fixed a bug where regex propagation was throwing an exception under certain conditions.

  • Fixed a bug related to agent handling of very short JSON keys and values.

  • Updated protobuf dependency requirement in response to incompatibility issues with older versions.

  • Fixed an issue where the agent raised an internal exception for applications using certain features of pyasn1.

  • Fixed a bug where Django applications were unable to properly parse the Content-Type header if a charset was explicitly provided.

  • Improved error handling around stack trace construction.

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Agent versions released during the past month: 2.10.0

New and improved:

  • Falcon 2.0 is supported and is in beta.

  • Upgraded Contrast Service to 2.8.1.

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Agent versions released during the past month: 2.10.0

New and improved:

  • Added support for Django Rest Framework.

  • Added copyright to all agent files.

  • Removed the agent's external dependency on the wrapt package.

  • Improved INFO level logging for easier tracking of applications with multiple processes.

Bug fixes:

  • When running the agent with protobuf-3.6.1 sometimes the application crashed, which has now been resolved with a newer protobuf version.

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Agent versions released during the past month: 2.8.1, 2.8.2, 2.8.3, 2.9.0

New and improved:

  • Added initial support for the Stored XSS rule in Assess for the Django framework.

  • Added Unvalidated Redirect support in Assess for Pyramid and WebOb objects.

  • Made updates to reduce the number of false positives from the Reflected XSS rule in Assess.

  • Removed the agent’s external dependency on the six package.

Bug fixes:

  • When running the agent under Python 2.7 on Ubuntu 16.10 some instrumentation failed to apply, which has now been resolved.

  • When applications used str.format in certain edge cases, the agent lost dataflow propagation, which has now been resolved.