Ruby agent release notes

Update to our internal policies and corresponding policy tests.

Performance improvements from bug fixes: Ruby-1740, Ruby-1742.

When we try to extract routes from ActionDispatch::Routing::RouteSet::Dispatcher, an exception that may cause CPU spikes or server outages occurs. (RUBY-1737)

When contrast_post_patch was being called twice during applying patches, it caused performance issues and other various bugs. (Ruby-1740)

When calling to_sym on a string, the propagation breaks. (Ruby-1741)

When evaluating Assess rule violation, sometimes multiple events were created. (Ruby-1742)

When the Ruby Agent has large memory usage, it crashes since PROPERTIES_HASH is not getting cleaned up. (Ruby-1747)

When added to an application with google-protobuf, a namespace collision prevents installation. (RUBY-1736)

Telemetry exceptions - production issues from live customer environments will be reported to our servers to help remediate bugs.

New diagnostic executable to help troubleshoot settings, connectivity, and configuration lookup.

When multiple exceptions are queued for reporting, translating them to JSON may cause the agent to bloat application memory usage. (RUBY-1698)

When body of type Rack::Files or Rack::Files::Iterator is passed, the agent is not able to handle that body type and throws an error. (RUBY-1710)

When given a non-standard database connection string, the agent raises a handled exception during parsing. (Ruby-1697)

When creating a stack trace for telemetry reporting, the agent pushes a potentially uninitialized instance variable. (Ruby-1694)

When the Contrast Service is not running, the agent queues up messages to send infinitely, creating a memory leak. (RUBY-1667)

Added support for Ruby 3.1.

Removed support for Ruby 2.6.

When reporting Stored XSS findings, the agent is omitting the database table and column of origin (Ruby-1548)

When running in an environment without Rails, the agent may cause a require error. (RUBY-1551)

When another dependency overrides the Kernel#exec method with a prepend, then the agent can cause an infinite loop. (RUBY-1246)

When the agent is installed in an environment running rspec-rails on a Ruby version less than 3.0.0, a collision with ActiveSupport::Concern breaks the ActiveSupport::Concern#included method. (Ruby-1500)

When attempting to write to the filesystem, if the directory is inaccessible, then an uncaught exception may cause a crash. (RUBY-1420)

Support for Puma web server.

Support for Thin web server.

Telemetry is now enabled in the Ruby agent in order to gather valuable data about the agent’s functionality. The data is all anonymous, no personal information is collected.

When a fork is called in a Rails application that has hooked ActiveSupport::ForkTracker, it conflicts between aliasing and prepending result in no superclass method \fork', causing the rails application to fail during agent start-up. (RUBY-1352)

When looking up cached strings prior to Ruby 2.7, cache collisions could cause the wrong representation to be reported. (RUBY-1325)

When determining if a closed stream should be copied, an IOError is raised. (RUBY-1318)

When the agent logs patching a class extending ActiveRecord model with has_and_belongs_to_many before c is determined, then table_name is permanently set to ''.(RUBY-1322)

Improved agent performance, reducing impact to instrumented application.

Support for Grape application framework.

When a Rake task was executed for an application instrumented with Contrast, an erroneous include prevented the loading of Contrast tasks. (RUBY-1247)

Improved runtime performance and round-trip time by optimizing dynamic components.

Added support for built-in sanitization and validation in the Rails and Sinatra Web Application Frameworks to improve vulnerability detection when Assess is enabled.

When a user tries to install the agent in an application requiring Parser 3.0 or later, then a dependency conflict prevents installation. (RUBY-1195)

Various updates are included in this release to improve memory usage and all around performance when Assess is enabled.

The agent now has improved stacktrace reporting.

Added []= Hash Equals key tracking for Ruby 3.0.

The Ruby Agent now reports its effective instrumentation mode.

The agent will now ignore methods for ActionDispatch::Http::URL.

Updated patching for :+ patching in Ruby 3.0.

Updated copyright to 2021.

When reading overrides for the mode of individual Protect rules from local configuration, a translation error prevented rules from enabling Blocking mode. (RUBY-1134)

When trying to startup a Rails application, an exception is thrown in ActionController::Railties::Helper::ClassMethods if it is missing the inherited method. (RUBY-1127)

The agent now determines Sinatra routes from Middleware#call instead of Sinatra::Base.

When the ReDos Assess rule is disabled, the vulnerability could still be reported. (RUBY-1113)

Upgraded the service for latest updates.

When rendering a template with ActionView, a patched method would cause issues in the rendering process. We removed this patching to solve this issue. (RUBY-1102)

Support for Ruby 2.5 will be deprecated in April 2021.

Modified String#split Assess dataflow analysis to improve performance of String tracking operations.

Added the ability to configure capturing Assess stack traces with assess.stacktraces.

The agent now does library discovery in a background thread to improve startup performance.

Modified dataflow tracking in Assess to short circuit sooner, avoiding the need to create intermediate objects when processing non-user input data.

The agent now ignores certain methods for dataflow in Rails to improve performance.

When a dataflow event occurs, a memory leak happens when we track data. We fixed the duplicated key stop the leak. (RUBY-1081)

Improved array.rb tracking performance when Assess is enabled.

Improved application context tracking performance when Assess is enabled.

Improved stability and accuracy of Assess and Protect rules

Added Assess propagation and tracking for MatchData#string.

The agent now reports enhanced library usage on startup and at the end of each request. After a request is received by the agent, we report new files loaded for an installed package.

Added configuration to disable library analysis.

Improved performance of scanning based rules like Hardcoded Key/Password.

Added WARN level logging if the configuration required to connect to the Contrast service is missing.

Added INFO level application identification logging.

Improved agent detection of hardcoded password/cryptographic key for non-literal hardcoded values.

Added support for Unicorn 4 and 5.

Improved Object tracking to account for frozen Objects.

Improved gemspec filtering to prevent precompiled files from being packaged in the gem.

Added warning if common config YAML contains invalid syntax when parsing.

Agent now logs full configuration state including ENV and YAML values.

Added logging for request start.

Added logging for request end.

Updated Unsafe File Upload detection to correctly handle auto-generaged Rack::Multipart tempfile.

Added support for Rails engine routes for route coverage.

Removed the Kernel#require tracker.

Refactored dataflow tracing to function along side of, rather than directly on, String instances, reducing pollution of existing name and method spaces.

Updated RuboCop compliance.

False positive in our usage of rack.session cookie in Sinatra applications (RUBY-959)

Updated Speedracer version to 2.9.5/20200723-1734.d8d4139 (RUBY-957)

Replaced google-protobuf with protobuf.

Improved logging to include Thread Id as well as Process Id.

Removed custom Contrast::InternalException in favor of common exception types to improve error handling.

The change of dependency from google-protobuf to protobuf, removes the need to execute the bundle config force_ruby_platform true command before installation.

In 2020, the cucumber project forked protobuf for their own use in a way that is incompatible with the main branch. As such, you cannot run any project using cucumber-messages above version 8.0.0 as it depends on the incompatible protobuf-cucumber.

Improved handling of logging to unwritable destinations.

Improved handling of propagation to children of the String class.

Improved handling of propagation through Regular Expression where the result of a match is nil.

Caching of settings to improve performance and reduce memory impact

Deprecation of CSRF Assess and Protect rules

Improved Stack Trace capturing

Improved library analysis performance leading to a decrease in first request penalty

The Agent now supports TRACE level logging. Those running with DEBUG logging should see a significant decrease in logged events

Enhanced module definition detection using TracePoint

This will be the last on-premises release bundled with a gem that supports Ruby 2.4.

It is recommended to use RubyGems at this point.