Python agent release notes
Release date: December 17, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.9
New and improved:
Added support for Python 3.9.
Agent does not unpack method arguments when passing them into Assess rules.
Agent now ignores .so files from loaded modules when patching.
Added route coverage support for DjangoRestFramework routers.
Added capability of deadzoning methods to improve accuracy.
Assess stacktraces can now be configured with assess.stacktraces.
Corrected possible string tracker age-off KeyError on key deletion.
Release date: November 20, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Bug fixes:
Service and agent were using different environment variables to set config.path. Updated CONTRAST_CONFIG_PATH value parsing to expect the path of the YAML file itself rather than a directory containing it. (SUP-2257, PYT-1161)
Release date: November 20, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
New and improved:
Added additional debug logging on request start and finish.
Improved library analysis support to include parsing SOURCES.txt.
Updated timing of logging of the environment of an application.
Added logging of configuration values on any logger change.
Fixed propagation scope leak for generators.
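The December 17 entry on deadzoning methods and the "Fixed propagation scope leak for generators" item above concern the same mechanism: a scope that suppresses dataflow propagation for the duration of an instrumented call. The following is an added illustration, not the agent's code. It assumes a simplified per-thread depth counter and a hypothetical deadzone_method decorator, and shows why entering such a scope inside a generator body leaks it to the caller between yields, and how re-entering the scope around each resumption avoids that.

```python
import contextlib
import functools
import inspect
import threading

_state = threading.local()   # assumed: per-thread depth counter, not the agent's real state


def _depth():
    return getattr(_state, "deadzone_depth", 0)


@contextlib.contextmanager
def deadzone():
    """While active (depth > 0), dataflow propagation would be suppressed."""
    _state.deadzone_depth = _depth() + 1
    try:
        yield
    finally:
        _state.deadzone_depth = _depth() - 1


def in_deadzone():
    return _depth() > 0


def leaky_generator(items):
    """Naive deadzoning inside a generator body: each yield suspends the frame
    with the with-block still active, so the caller's thread stays in the
    deadzone between iterations and unrelated code is wrongly suppressed."""
    with deadzone():
        for item in items:
            yield item.upper()


def deadzone_method(func):
    """Hypothetical decorator: run func inside a deadzone. For generator
    functions the body executes lazily on each next(), so the scope is
    re-entered around each resumption instead of around the call itself,
    which returns immediately with an unstarted generator."""
    if not inspect.isgeneratorfunction(func):
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            with deadzone():
                return func(*args, **kwargs)
        return wrapper

    @functools.wraps(func)
    def gen_wrapper(*args, **kwargs):
        gen = func(*args, **kwargs)      # creating the generator runs none of its body
        try:
            while True:
                with deadzone():         # active only while the body is actually running
                    try:
                        item = next(gen)
                    except StopIteration:
                        return
                yield item               # suspended outside the deadzone
        finally:
            gen.close()
    return gen_wrapper


@deadzone_method
def safe_generator(items):
    for item in items:
        yield item.upper()


@deadzone_method
def render_response():
    return in_deadzone()


def demo_leak():
    gen = leaky_generator(["a", "b"])
    next(gen)                       # enters the deadzone and suspends at the first yield
    leaked = in_deadzone()          # True: caller code now runs inside the callee's deadzone
    gen.close()                     # GeneratorExit unwinds the with-block
    return leaked, in_deadzone()    # (True, False)


def demo_fixed():
    gen = safe_generator(["a", "b"])
    first = next(gen)
    between = in_deadzone()         # False: scope released at every yield
    rest = list(gen)
    return first, between, rest, in_deadzone()   # ("A", False, ["B"], False)
```

The wrapper above does not forward send() or throw() to the inner generator; a production version would, but the scope handling is the same.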
Bug fixes:
Agent crashed in a scenario where free() could be called twice because of patching by Gevent. (PYT-1164)
Release date: November 4, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
New and improved:
The agent now reports enhanced library usage on startup and at the end of each request. After a request is received by the agent, we report new files loaded for an installed package.
The agent will not report unsupported distribution types for packages.
Updated the heartbeat thread to no longer accidentally propagate and cause an error.
Release date: October 28, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
New and improved:
Added configurable Django Rest Framework (DRF) response-rendering deadzone to fix timeout errors in DRF applications.
Release date: October 23, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
New and improved:
Improved NoSQL Injection support for Assess and Protect.
NoSQLi now handles MongoDB ObjectID types.
Added html.escape as a sanitizer in Assess.
Added WARN level logging if the configuration required to connect to the Contrast Service is missing.
Added INFO level configuration state logging, including ENV and YAML values.
Added YAML validation and, if invalid syntax is detected, WARN level logging indicating such.
Added INFO level application identification logging.
Removed strict compiler flags from extension build.
Reduced latency in Django Rest Framework's response handling.
Investigated excessive DB_WRITE propagation.
Release date: October 5, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Bug fixes:
Failed to repatch module due to __dict__ changing size while iterating over it. (PYT-1085)
Release date: September 21, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Bug fixes:
Inability to patch held references to older versions of modules prevents instrumentation of referenced, rather than directly invoked, methods, such as in Werkzeug version 0.16.0.
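The two bug-fix entries above, PYT-1085 (a module __dict__ changing size during repatching) and the held references that escaped instrumentation, are two sides of the same monkey-patching problem. The following is an added illustration, not the agent's code: a hypothetical patch_everywhere() that replaces a function in its defining module and in every other loaded module that still holds a reference to the original object, iterating over snapshots so that the bookkeeping it adds cannot change a dict's size mid-iteration. The demo modules, the escape() function and the __instrumented_names__ marker key are constructed for this example.

```python
import functools
import sys
import types


def instrument(func, on_call):
    """Wrap func so every call is reported to on_call before delegating."""
    @functools.wraps(func)
    def wrapper(*args, **kwargs):
        on_call(func.__name__, args, kwargs)
        return func(*args, **kwargs)
    return wrapper


def iterate_without_snapshot(namespace):
    """The failure mode: adding a key to a dict while iterating over it.
    Returns True if Python raised 'dictionary changed size during iteration'."""
    try:
        for _attr in namespace:
            namespace.setdefault("__instrumented_names__", [])   # constructed marker key
        return False
    except RuntimeError:
        return True


def patch_everywhere(target_module, name, on_call):
    """Replace target_module.<name> with an instrumented wrapper, and repoint
    every other loaded module attribute that still references the original
    object (the held reference left behind by 'from x import name').
    Returns the number of namespaces updated."""
    original = getattr(target_module, name)
    wrapper = instrument(original, on_call)
    updated = 0
    # Snapshot sys.modules: imports triggered while patching can add entries.
    for module in list(sys.modules.values()):
        try:
            namespace = vars(module)
        except TypeError:            # entry without a __dict__ (e.g. None)
            continue
        # Snapshot the namespace too: the marker key added below changes the
        # dict's size, which would abort a direct iteration over .items().
        for attr, value in list(namespace.items()):
            if value is original:
                setattr(module, attr, wrapper)
                namespace.setdefault("__instrumented_names__", []).append(attr)
                updated += 1
    return updated


def build_demo_modules():
    """Constructed stand-ins: a library defining escape() and an app that
    did 'from demo_lib import escape', i.e. holds its own reference to it."""
    def escape(s):
        return s.replace("<", "&lt;").replace(">", "&gt;")
    lib = types.ModuleType("demo_lib")
    lib.escape = escape
    app = types.ModuleType("demo_app")
    app.escape = lib.escape
    sys.modules["demo_lib"] = lib
    sys.modules["demo_app"] = app
    return lib, app


def demo():
    seen = []

    def record(name, args, kwargs):
        seen.append(name)

    # Naive patch: only the defining module is updated; the app's held
    # reference still points at the unwrapped function, so nothing is reported.
    lib, app = build_demo_modules()
    lib.escape = instrument(lib.escape, record)
    app.escape("<b>")
    missed_by_naive_patch = not seen

    # Patch every namespace holding the original: both call paths now report.
    lib, app = build_demo_modules()
    updated = patch_everywhere(lib, "escape", record)
    app.escape("<b>")
    lib.escape("<i>")
    return missed_by_naive_patch, updated, len(seen)   # (True, 2, 2)
```

Scanning all of sys.modules is the brute-force version of "patch where it is looked up"; an agent that patches at import time can instead hook the import machinery so later from-imports pick up the wrapper directly.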
Release date: September 17, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
New and improved:
Added support for Assess rules:
HttpOnly cookie flag disabled
Session cookie has no secure flag
Overly long session timeout
XPath injection rule
Trust boundary violation rules in Django, Flask, Pyramid and Pylons
Removed HTTP request methods as a dataflow source.
Added support for Assess configurations assess.enable_scan_response and assess.rules.disabled_rules.
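The three cookie rules added in this release can be checked directly on a response's Set-Cookie headers. Below is an added example, not the agent's rule implementation: it parses each Set-Cookie value and flags a missing HttpOnly flag, a session cookie without the Secure flag, and a session lifetime above a threshold. The session cookie names, the 24-hour threshold and the sample headers are assumptions constructed for the example, since the page does not state what the rules treat as a session cookie or as an overly long timeout.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

HTTPONLY_DISABLED = "httponly-flag-disabled"
SESSION_NOT_SECURE = "session-cookie-no-secure-flag"
SESSION_TOO_LONG = "overly-long-session-timeout"

# Assumed session cookie names (Django's default is sessionid, Flask's is session).
SESSION_COOKIE_NAMES = ("sessionid", "session")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes).
    Attribute keys are lower-cased; flag attributes (HttpOnly, Secure) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def cookie_lifetime(attrs, now):
    """Lifetime from Max-Age (takes precedence per RFC 6265) or Expires;
    None when neither is present or the value is unparseable."""
    max_age = attrs.get("max-age")
    if isinstance(max_age, str) and max_age.lstrip("-").isdigit():
        return timedelta(seconds=int(max_age))
    expires = attrs.get("expires")
    if isinstance(expires, str):
        try:
            exp = parsedate_to_datetime(expires)
        except (TypeError, ValueError):
            return None
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return exp - now
    return None


def check_set_cookie(header, session_names=SESSION_COOKIE_NAMES,
                     max_session_age=timedelta(hours=24), now=None):
    """Return the rule identifiers violated by one Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append(HTTPONLY_DISABLED)
    if name.lower() in session_names:
        if "secure" not in attrs:
            findings.append(SESSION_NOT_SECURE)
        lifetime = cookie_lifetime(attrs, now or datetime.now(timezone.utc))
        if lifetime is not None and lifetime > max_session_age:
            findings.append(SESSION_TOO_LONG)
    return findings


def scan_headers(headers, **kwargs):
    """Run check_set_cookie over a WSGI-style list of (name, value) response headers."""
    results = []
    for header_name, header_value in headers:
        if header_name.lower() == "set-cookie":
            findings = check_set_cookie(header_value, **kwargs)
            if findings:
                results.append((parse_set_cookie(header_value)[0], findings))
    return results


def demo_expires():
    """Expires-only session cookie evaluated against a fixed, constructed 'now'."""
    return check_set_cookie(
        "sessionid=abc; HttpOnly; Secure; Expires=Thu, 21 Oct 2021 07:28:00 GMT",
        now=datetime(2021, 10, 20, tzinfo=timezone.utc))


# Constructed sample response headers for the demo.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Max-Age=1209600"),
    ("Set-Cookie", "theme=dark; Path=/; Secure"),
    ("Set-Cookie", "prefs=compact; Path=/; HttpOnly; Secure; SameSite=Lax"),
]

if __name__ == "__main__":
    for cookie, findings in scan_headers(SAMPLE_HEADERS):
        print(cookie, findings)
```

A cookie with no Max-Age or Expires is a browser-session cookie and produces no timeout finding here; whether that should count as overly long depends on the server-side session expiry, which this header-level check cannot see.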
Release date: September 1, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Bug fixes:
Unable to instrument applications on OSX using locally built Python versions due to maxprot setting. (PYT-1025)
Release date: August 31, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Bug fixes:
Hardcoded analysis rules were accidentally disabled. (PYT-1027)
Release date: August 25, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Bug fixes:
When the agent was disabled and the application attempted to start without the Contrast Service, Flask applications crashed. (PYT-1012)
Release date: August 24, 2020
Language versions currently supported: Python 2.7 and 3.5 - 3.8
New and improved:
Instrumented compile as part of the Unsafe Code Execution rule.
Decoupled ServiceClient from SettingsState.
Use normalized_response_headers in DTM instead of response_headers.
Refactored XSS postfilter logic for checking allowed content type.
Updated MongoDB update_methods to account for all arguments.
Replaced FlowMap Technology Analysis.
Verified that SR handles an empty observed route URL.
Merged all rules' apply_rule into one implementation.
Do not report handled exceptions in INFO/ERROR logs.
Upgraded Python agent to use SR 2.11.x.
Bug fixes:
Fixed and updated the regex used for the Protect XXE rule. (PYT-94)
Fixed an error in the DB write propagator. (PYT-971)
Agent fails to identify itself with new SR instance after the original SR instance goes down. (PYT-715)
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Bug fixes:
List pip and pkg_resources as dependencies and/or include them as external modules. (PYT-974)
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Bug fixes:
Do not report observed route if signature is missing/empty. (PYT-970)
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Agent versions released during the past month: 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.2.0
New and improved:
Added route coverage support for Django 3.0.
Added Falcon 2.0 support.
Improved accuracy of library file usage.
Improved propagation through regular expressions in Assess.
Important notes:
The team made significant internal cleanup to the Request representation.
Bug fixes:
Fixed a bug where regex propagation was throwing an exception under certain conditions.
Fixed a bug related to agent handling of very short JSON keys and values.
Updated protobuf dependency requirement in response to incompatibility issues with older versions.
Fixed an issue where the agent raised an internal exception for applications using certain features of pyasn1.
Fixed a bug where Django applications were unable to properly parse the Content-Type header if a charset was explicitly provided.
Improved error handling around stack trace construction.
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Agent versions released during the past month: 2.10.0
New and improved:
Falcon 2.0 is supported and is in beta.
Upgraded Contrast Service to 2.8.1
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Agent versions released during the past month: 2.10.0
New and improved:
Added support for Django Rest Framework.
Added copyright to all agent files.
Removed the agent's external dependency on the wrapt package.
Improved INFO level logging for easier tracking of applications with multiple processes.
Bug fixes:
When running the agent with protobuf-3.6.1 sometimes the application crashed, which has now been resolved with a newer protobuf version.
Language versions currently supported: Python 2.7 and 3.5 - 3.8
Agent versions released during the past month: 2.8.1, 2.8.2, 2.8.3, 2.9.0
New and improved:
Added initial support for Stored XSS rule in Assess for the django framework.
Added Unvalidated Redirect support for Assess for pyramid and webob objects.
Made updates to reduce the number of false positives from the Reflected XSS rule in Assess.
Removed the agent's external dependency on the six package.
Bug fixes:
When running the agent under Python 2.7 on Ubuntu 16.10 some instrumentation failed to apply, which has now been resolved.
When applications used str.format in certain edge cases, the agent lost dataflow propagation, which has now been resolved.