Python agent release notes

Release date: September 21, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Bug fixes:

  • The agent could not patch references held to older versions of modules, so methods that were referenced rather than directly invoked were not instrumented (for example, in Werkzeug version 0.16.0).
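The held-reference pitfall described above, as an added illustration that is not the agent's own code: a caller that did `from lib import parse` at import time keeps the original function object, so replacing only `lib.parse` leaves that call path uninstrumented, whereas scanning loaded module namespaces for the same object patches the held reference too. The `demo_lib`/`demo_caller` modules and the `parse`/`handle` functions are constructed stand-ins.

```python
import functools
import sys
import types

def build_modules(suffix):
    """Construct a stand-in library module and a caller that imports from it
    at load time, the same shape as `from werkzeug.x import func` (constructed)."""
    lib = types.ModuleType("demo_lib_" + suffix)
    exec("def parse(value):\n    return value.strip()", lib.__dict__)
    sys.modules[lib.__name__] = lib
    caller = types.ModuleType("demo_caller_" + suffix)
    exec("from %s import parse\n\ndef handle(v):\n    return parse(v)"
         % lib.__name__, caller.__dict__)
    sys.modules[caller.__name__] = caller
    return lib, caller

def instrument(fn, calls):
    """Wrap fn so every invocation is recorded in calls (the 'sensor')."""
    @functools.wraps(fn)
    def wrapper(*args, **kwargs):
        calls.append(fn.__name__)
        return fn(*args, **kwargs)
    return wrapper

def patch_module_only(module, name, calls):
    """Naive patch: only the defining module's attribute is replaced, so a
    reference imported elsewhere keeps calling the uninstrumented original."""
    setattr(module, name, instrument(getattr(module, name), calls))

def patch_held_references(module, name, calls):
    """Patch the defining module and every loaded module whose namespace
    holds the very same function object (a held reference)."""
    original = getattr(module, name)
    wrapped = instrument(original, calls)
    for mod in list(sys.modules.values()):
        namespace = getattr(mod, "__dict__", None)
        if not isinstance(namespace, dict):
            continue
        for attr, value in list(namespace.items()):
            if value is original:
                setattr(mod, attr, wrapped)

def demo(strategy, suffix):
    """Apply one patch strategy, then call through the held reference."""
    lib, caller = build_modules(suffix)
    calls = []
    strategy(lib, "parse", calls)
    return caller.handle("  x "), calls
```

`demo(patch_module_only, "a")` returns `("x", [])` because the call never reaches the wrapper, while `demo(patch_held_references, "b")` returns `("x", ["parse"])`.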

Release date: September 17, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

New and improved:

  • Added support for Assess rules:

    • HttpOnly cookie flag disabled

    • Session cookie has no secure flag

    • Overly long session timeout

    • XPath injection rule

    • Trust boundary violation rules in Django, Flask, Pyramid and Pylons

  • Removed HTTP request methods as a dataflow source.

  • Added support for Assess configurations assess.enable_scan_response and assess.rules.disabled_rules.
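As an added illustration of what the three cookie rules listed above look for, here is a response-header scan that flags a missing HttpOnly flag, a session cookie without the Secure flag, and a session Max-Age above a policy threshold. This is not Contrast's rule implementation; the session cookie names, the 30-minute threshold, and the sample headers are constructed assumptions.

```python
# Constructed assumptions: which cookie names count as session cookies and
# how long a session timeout may be before it is considered overly long.
SESSION_COOKIE_NAMES = {"sessionid", "session", "phpsessid", "jsessionid"}
MAX_SESSION_TIMEOUT = 30 * 60  # seconds

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: value|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs

def check_set_cookie(header):
    """Return the rule names that fire for a single Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("HttpOnly cookie flag disabled")
    if name.lower() in SESSION_COOKIE_NAMES:
        if "secure" not in attrs:
            findings.append("Session cookie has no secure flag")
        max_age = attrs.get("max-age")
        # A bare or non-numeric Max-Age is not a usable timeout; skip it.
        if isinstance(max_age, str) and max_age.lstrip("-").isdigit():
            if int(max_age) > MAX_SESSION_TIMEOUT:
                findings.append("Overly long session timeout")
    return findings

def scan_response_headers(headers):
    """Scan (name, value) header pairs and map each cookie name to findings."""
    report = {}
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            cookie_name = parse_set_cookie(hvalue)[0]
            report[cookie_name] = check_set_cookie(hvalue)
    return report

# Constructed sample response headers (not captured from any real application).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; HttpOnly; Secure; Max-Age=1800"),
    ("Set-Cookie", "PHPSESSID=def456; Path=/; Max-Age=1209600"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
```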

Release date: September 1, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Bug fixes:

  • Unable to instrument applications on OSX using locally built Python versions due to maxprot setting. (PYT-1025)

Release date: August 31, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Bug fixes:

  • Hardcoded analysis rules were accidentally disabled. (PYT-1027)

Release date: August 25, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Bug fixes:

  • When the agent was disabled, attempting to start without the Contrast service resulted in an application crash in Flask applications. (PYT-1012)

Release date: August 24, 2020

Language versions currently supported: Python 2.7 and 3.5 - 3.8

New and improved:

  • Instrumented compile as part of the Unsafe Code Execution rule.

  • Decoupled ServiceClient from SettingsState.

  • Used normalized_response_headers in DTM instead of response_headers.

  • Refactored XSS postfilter logic for checking allowed content type.

  • Updated MongoDB update_methods to account for all arguments.

  • Replaced FlowMap Technology Analysis.

  • Verified that SR handles an empty observed route URL.

  • Merged all rules' apply_rule into one implementation.

  • Do not report handled exceptions in INFO/ERROR logs.

  • Upgraded Python agent to use SR 2.11.x.

Bug fixes:

  • Fixed and updated the regex used for the Protect XXE rule. (PYT-94)

  • Fixed an error in the DB write propagator. (PYT-971)

  • Agent failed to identify itself with a new SR instance after the original SR instance went down. (PYT-715)

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Bug fixes:

  • Listed pip and pkg_resources as dependencies and/or included them as external modules. (PYT-974)

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Bug fixes:

  • Do not report an observed route if its signature is missing or empty. (PYT-970)

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Agent versions released during the past month: 3.0.1, 3.1.0, 3.1.1, 3.1.2, 3.2.0

New and improved:

  • Added route coverage support for Django 3.0.

  • Added Falcon 2.0 support.

  • Improved accuracy of library file usage.

  • Improved propagation through regular expressions in Assess.

Important notes:

  • The team made a significant internal cleanup of the Request representation.

Bug fixes:

  • Fixed a bug where regex propagation was throwing an exception under certain conditions.

  • Fixed a bug related to agent handling of very short JSON keys and values.

  • Updated protobuf dependency requirement in response to incompatibility issues with older versions.

  • Fixed an issue where the agent raised an internal exception for applications using certain features of pyasn1.

  • Fixed a bug where Django applications were unable to properly parse the Content-Type header if a charset was explicitly provided.

  • Improved error handling around stack trace construction.

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Agent versions released during the past month: 2.10.0

New and improved:

  • Falcon 2.0 is supported and is in beta.

  • Upgraded Contrast Service to 2.8.1.

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Agent versions released during the past month: 2.10.0

New and improved:

  • Added support for Django Rest Framework.

  • Added copyright to all agent files.

  • Removed the agent's external dependency on the wrapt package.

  • Improved INFO level logging for easier tracking of applications with multiple processes.

Bug fixes:

  • When running the agent with protobuf-3.6.1 sometimes the application crashed, which has now been resolved with a newer protobuf version.

Language versions currently supported: Python 2.7 and 3.5 - 3.8

Agent versions released during the past month: 2.8.1, 2.8.2, 2.8.3, 2.9.0

New and improved:

  • Added initial support for the Stored XSS rule in Assess for the Django framework.

  • Added Unvalidated Redirect support for Assess for Pyramid and WebOb objects.

  • Made updates to reduce number of false positives from Reflected XSS rule in Assess.

  • Removed the agent’s external dependency on the six package.

Bug fixes:

  • When running the agent under Python 2.7 on Ubuntu 16.10 some instrumentation failed to apply, which has now been resolved.

  • When applications used str.format in certain edge cases, the agent lost dataflow propagation, which has now been resolved.