Ruby agent release notes

Release date: December 20, 2021

Language versions currently supported: 2.5 - 3.0

Note

Ruby 2.5 is no longer supported after the Ruby agent 4.14.1.

Release date: December 7, 2021

Language versions currently supported: 2.5 - 3.0

Release date: November 19, 2021

Language versions currently supported: 2.5 - 3.0

Bug fixes:

  • When attempting to write to the filesystem, if the directory is inaccessible, then an uncaught exception may cause a crash. (RUBY-1420)

Release date: November 11, 2021

Language versions currently supported: 2.5 - 3.0

New and improved:

  • Support for Puma web server.

  • Support for Thin web server.

  • Telemetry is now enabled in the Ruby agent in order to gather valuable data about the agent’s functionality. The data is all anonymous; no personal information is collected.

Archive

Release date: October 14, 2021

Language versions currently supported: 2.5 - 3.0

Bug fixes:

  • When fork is called in a Rails application that has hooked ActiveSupport::ForkTracker, a conflict between aliasing and prepending results in a no superclass method 'fork' error, causing the Rails application to fail during agent start-up. (RUBY-1352)

  • When looking up cached strings prior to Ruby 2.7, cache collisions could cause the wrong representation to be reported. (RUBY-1325)

Release date: September 23, 2021

Language versions currently supported: 2.5 - 3.0

Bug fixes:

  • When determining if a closed stream should be copied, an IOError is raised. (RUBY-1318)

  • When the agent logs patching a class extending an ActiveRecord model with has_and_belongs_to_many before c is determined, then table_name is permanently set to ''. (RUBY-1322)

Release date: August 26, 2021

Language versions currently supported: 2.5 - 3.0

New and improved:

  • Improved agent performance, reducing impact to instrumented application.

  • Support for Grape application framework.

Release date: July 15, 2021

Language versions currently supported: 2.5 - 3.0

Bug fixes:

  • When a Rake task was executed for an application instrumented with Contrast, an erroneous include prevented the loading of Contrast tasks. (RUBY-1247)

Release date: June 24, 2021

Language versions currently supported: 2.5 - 3.0

New and improved:

  • Improved runtime performance and round-trip time by optimizing dynamic components.

Release date: May 20, 2021

Language versions currently supported: 2.5 - 3.0

New and improved:

  • Added support for built-in sanitization and validation in the Rails and Sinatra Web Application Frameworks to improve vulnerability detection when Assess is enabled.

Release date: May 10, 2021

Language versions currently supported: 2.5 - 3.0

Bug fixes:

  • When a user tries to install the agent in an application requiring Parser 3.0 or later, then a dependency conflict prevents installation. (RUBY-1195)

Release date: April 22, 2021

Language versions currently supported: 2.5 - 3.0

New and improved:

  • Various updates are included in this release to improve memory usage and all around performance when Assess is enabled.

Release date: March 25, 2021

Language versions currently supported: 2.5 - 2.7

New and improved:

  • The agent now has improved stacktrace reporting.

  • Added []= Hash Equals key tracking for Ruby 3.0.

  • The Ruby Agent now reports its effective instrumentation mode.

  • The agent will now ignore methods for ActionDispatch::Http::URL.

  • Updated patching for :+ in Ruby 3.0.

  • Updated copyright to 2021.

Bug fixes:

  • When reading overrides for the mode of individual Protect rules from local configuration, a translation error prevented rules from enabling Blocking mode. (RUBY-1134)

Release date: March 10, 2021

Language versions currently supported: 2.5 - 2.7

Bug fixes:

  • When trying to start up a Rails application, an exception is thrown in ActionController::Railties::Helper::ClassMethods if it is missing the inherited method. (RUBY-1127)

Release date: February 25, 2021

Language versions currently supported: 2.5 - 2.7

New and improved:

  • The agent now determines Sinatra routes from Middleware#call instead of Sinatra::Base.

Bug fixes:

  • When the ReDoS Assess rule is disabled, the vulnerability could still be reported. (RUBY-1113)

Release date: February 12, 2021

Language versions currently supported: 2.5 - 2.7

New and improved:

  • Upgraded the service for latest updates.

Release date: February 5, 2021

Language versions currently supported: 2.5 - 2.7

Bug fixes:

  • When rendering a template with ActionView, a patched method would cause issues in the rendering process. We removed this patching to solve this issue. (RUBY-1102)

Release date: January 29, 2021

Language versions currently supported: 2.5 - 2.7

Important note:

  • Support for Ruby 2.5 will be deprecated in April 2021.

New and improved:

  • Modified String#split Assess dataflow analysis to improve performance of String tracking operations.

  • Added the ability to configure capturing Assess stack traces with assess.stacktraces.

  • The agent now does library discovery in a background thread to improve startup performance.

  • Modified dataflow tracking in Assess to short circuit sooner, avoiding the need to create intermediate objects when processing non-user input data.

  • The agent now ignores certain methods for dataflow in Rails to improve performance.

Bug fixes:

  • When a dataflow event occurs, a memory leak happens when we track data. We fixed the duplicated key to stop the leak. (RUBY-1081)

Release date: December 18, 2020

Language versions currently supported: 2.5 - 2.7

New and improved:

  • Improved array.rb tracking performance when Assess is enabled.

  • Improved application context tracking performance when Assess is enabled.

Release date: November 20, 2020

Language versions currently supported: 2.5 - 2.7

New and improved:

  • Improved stability and accuracy of Assess and Protect rules.

Release date: November 5, 2020

Language versions currently supported: 2.5 - 2.7

New and improved:

  • Added Assess propagation and tracking for MatchData#string.

  • The agent now reports enhanced library usage on startup and at the end of each request. After a request is received by the agent, we report new files loaded for an installed package.

  • Added configuration to disable library analysis.

  • Improved performance of scanning based rules like Hardcoded Key/Password.

Release date: October 23, 2020

Language versions currently supported: 2.5 - 2.7

New and improved:

  • Added WARN level logging if the configuration required to connect to the Contrast service is missing.

  • Added INFO level application identification logging.

  • Improved agent detection of hardcoded password/cryptographic key for non-literal hardcoded values.

Release date: September 17, 2020

Language versions currently supported: 2.5 - 2.7

New and improved:

  • Added support for Unicorn 4 and 5.

  • Improved Object tracking to account for frozen Objects.

  • Improved gemspec filtering to prevent precompiled files from being packaged in the gem.

  • Added warning if common config YAML contains invalid syntax when parsing.

  • Agent now logs full configuration state including ENV and YAML values.

Release date: August 24, 2020

Language versions currently supported: 2.5 - 2.7

New and improved:

  • Added logging for request start.

  • Added logging for request end.

  • Updated Unsafe File Upload detection to correctly handle auto-generated Rack::Multipart tempfiles.

  • Added support for Rails engine routes for route coverage.

  • Removed the Kernel#require tracker.

  • Refactored dataflow tracing to function alongside, rather than directly on, String instances, reducing pollution of existing name and method spaces.

  • Updated RuboCop compliance.

Release date: July 29, 2020

Language versions currently supported: 2.5 - 2.7

Bug fixes:

  • False positive in our usage of the rack.session cookie in Sinatra applications. (RUBY-959)

Release date: July 24, 2020

Language versions currently supported: 2.5 - 2.7

New and improved:

  • Updated Speedracer version to 2.9.5/20200723-1734.d8d4139. (RUBY-957)

Language versions currently supported: 2.5 - 2.7

Agent versions released during the past month: 3.12.1, 3.12.2, 3.13.0

New and improved:

  • Replaced google-protobuf with protobuf.

  • Improved logging to include Thread Id as well as Process Id.

  • Removed custom Contrast::InternalException in favor of common exception types to improve error handling.

Important notes:

  • The change of dependency from google-protobuf to protobuf removes the need to execute the bundle config force_ruby_platform true command before installation.

  • In 2020, the cucumber project forked protobuf for their own use in a way that is incompatible with the main branch. As such, you cannot run any project using cucumber-messages above version 8.0.0 as it depends on the incompatible protobuf-cucumber.

Bug fixes:

  • Improved handling of logging to unwritable destinations.

  • Improved handling of propagation to children of the String class.

  • Improved handling of propagation through Regular Expression where the result of a match is nil.

Language versions currently supported: 2.5 - 2.7

Agent versions released during the past month: 3.12.0

New and improved:

  • Caching of settings to improve performance and reduce memory impact.

Important notes:

  • Deprecation of CSRF Assess and Protect rules.

Language versions currently supported: 2.5 - 2.7

Agent versions released during the past month: 3.10.1, 3.10.2, 3.11.0

New and improved:

  • Improved stack trace capturing.

  • Improved library analysis performance, leading to a decrease in the first-request penalty.

Important notes:

  • The agent now supports TRACE level logging. Those running with DEBUG logging should see a significant decrease in logged events.

Language versions currently supported: 2.4 - 2.7

Agent versions released during the past month: 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.9.0

New and improved:

  • Enhanced module definition detection using TracePoint.

Important notes:

  • This will be the last on-premises release bundled with a gem that supports Ruby 2.4.

  • It is recommended to use RubyGems at this point.