Ruby agent release notes

Release date: May 30, 2024

Language versions currently supported: 3.0 - 3.2

Bug fixes:

  • When comparing new findings to Contrast, then the wrong algorithm is used for response-based rules. (RUBY-2136)

  • When sending messages to Contrast, then failure to parse the response body may result in resending the message. (RUBY-2137)

Release date: April 11, 2024

Language versions currently supported: 3.0 - 3.2

New and improved:

  • Confirm shutdown response code is from Contrast, rather than networking issues, before disabling analysis.

  • Improved handling of route observation for unmapped routes in Rails when ActionController::RoutingError is raised.

Release date: October 6, 2023

Language versions currently supported: 3.0 - 3.2

New and improved:

  • Relaxed dependency requirements to allow for execution in environments with the 3.X version of Rack.

Release date: September 21, 2023

Language versions currently supported: 3.0 - 3.2

New and improved:

  • Ensured that the FrameworkManager was able to handle the Rails' ActionDispatch class to determine the discovered routes.

Bug fixes:

  • Fixed an issue where a patch error was raised when running tests inside a Docker container with RailsGoat. (RUBY-2117)

  • When sql-injection rule probes are reported to Contrast, then too many Attack Events are created and Secure logging is missing for the rule. (RUBY-2114)

Release date: September 12, 2023

Language versions currently supported: 3.0 - 3.2

New and improved:

  • Updated Effective Configuration to be parsable.

  • Removed deprecated attack timing feature from Protect.

  • Created sustainable Protect rule instances with local settings.

Bug fixes:

  • Fixed invalid preflight entry with no application name. (RUBY-2112)

Release date: August 9, 2023

Language versions currently supported: 3.0 - 3.2

Bug fixes:

  • When Protect rules settings are not locally set, then the Protect rules configurations received as responses from TS are not correctly updated. (RUBY-2105)

Release date: August 4, 2023

Language versions currently supported: 3.0 - 3.2

New and improved:

  • Implemented a way to mark any external request as untrusted and tag the response accordingly.

Bug fixes:

  • Resolved the NoMethodError: undefined method `pfamily' for nil:NilClass. (RUBY-2101)

  • When parsing configuration from ENV, some values were incorrectly mapped to corresponding settings. (RUBY-2091)

Release date: July 26, 2023

Language versions currently supported: 3.0 - 3.2

New and improved:

  • Only create a helper config when no settings are present.

  • Updated AgentLib gem to support Linux ARM64 and Alpine ARM64.

Bug fixes:

  • When preflight is reported, then there is no Session ID validation error. (RUBY-2074)

  • When no configuration file is located (or generated), and no ENV variables are set, then the Agent creates two log files. (RUBY-2097)

  • When CONTRAST__ASSESS__SAMPLING__ENABLE=TRUE is set, then the Contrast::Components::Sampling::Interface#enable is not set, and a NoMethodError error occurs. (RUBY-2096)

Release date: June 1, 2023

Language versions currently supported: 3.0 - 3.2

New and improved:

  • Updated Assess Policy for the new version of rails-html-sanitizer.

  • Restored Obfuscation for Telemetry Exceptions on username.

  • Normalize UUID in URI to improve vulnerability deduplication.

  • Allow for layered configuration according to the common order of precedence.

  • Investigated and improved SourceMethod performance.

Bug fixes:

  • When running on some versions of Mac with XCode, Clang linker may not find correct symbols due to incompatibility with Ruby itself. (RUBY-2079)

Release date: April 13, 2023

Language versions currently supported: 3.0 - 3.2

New and improved:

  • Added custom internal parsing in order to support non-standard JSON gem installs version 1.8+.

  • All sources of configuration are now included in the configuration report.

  • Improved logging with exceptions and exception reporting.

Release date: April 3, 2023

Language versions currently supported: 3.0 - 3.2

New and improved:

  • Ruby 2.7 EOL as of March 31, 2023, with agent version 6.15.3. Updated supported technologies.

  • Added warning for applications instrumented with Contrast when the application starts in a version of Ruby less than 3.0.0.

  • Implemented Sorbet for static and runtime checks.

  • Upgraded Vulneruby_Engine push images script.

Release date: March 8, 2023

Language versions currently supported: 2.7 - 3.1

Bug fixes:

  • When calculating finding uniqueness, URI is used even when a route signature is available. (RUBY-2025)

Release date: February 22, 2023

Language versions currently supported: 2.7 - 3.1

Bug fixes:

  • When running the rake task with the agent disabled and no configuration, a "stack level too deep" error occurs, cycling between the Agent's worker threads' connection initialization and the telemetry logger. (RUBY-2027)

Release date: February 22, 2023

Language versions currently supported: 2.7 - 3.1

No updates

Release date: February 16, 2023

Language versions currently supported: 2.7 - 3.1

New and improved:

  • Cleaned the Protect rules by merging Contrast::Agent::Protect::Rule::BaseService with Contrast::Agent::Protect::Rule::Base class.

  • Updated contrast-agent-lib to v.1.1.1.

Release date: January 27, 2023

Language versions currently supported: 2.7 - 3.1

New and improved:

  • Autogenerate new stencil config file on agent's gem install.

Release date: January 20, 2023

Language versions currently supported: 2.7 - 3.1

New and improved:

  • Added Ruby 3.2.0 Support.

  • When Regexp timeout is set and Redos is enabled, then the agent checks the timeout set and warns if timeout is infinity.

  • Updated AgentLib project Gemspec to support any version of Ruby below 3.3.0.

Release date: January 11, 2023

Language versions currently supported: 2.7 - 3.1

New and improved:

  • Updated connection diagnostic to new specifications.

  • Refactored Contrast::Api::Communication::ConnectionStatus and Telemetry.

  • Added input exclusions to Protect.

Bug fixes:

  • When setting CONTRAST__SERVER__NAME environment variable, the application crashes. (RUBY-2014)

  • When error handling occurs in to_controlled_hash, required data is missing. (RUBY-1992)

  • When recording the last time settings were updated, the agent conflates Server update time with Application update time. (RUBY-1999)

  • When Rails/ActiveSupportAliases settings are used, no Rubocop warning is issued. (RUBY-2007)

Release date: November 9, 2022

Language versions currently supported: 2.7 - 3.1

Bug fixes:

  • When sending observed routes with empty signature or URL, TS auth error occurs. (RUBY-1983)

Release date: November 2, 2022

Language versions currently supported: 2.7 - 3.1

New and improved:

  • Updated protect security analysis to honor log levels set by the user in the Contrast web interface.

  • When the application starts, the Agent will begin polling Contrast for ServerFeatures.

  • When an event is reported to Contrast, then that data is validated before being sent.

  • Expanded NoSQLI triggers when Mongo::Collection is used.

Bug fixes:

  • Fixed Telemetry Sentry error where it was unable to connect to Contrast. (RUBY-1846)

Release date: October 7, 2022

Language versions currently supported: 2.7 - 3.1

New and improved:

  • Improved report deduplication to improve performance.

  • Tune reporting to improve performance.

Release date: September 12, 2022

Language versions currently supported: 2.7 - 3.1

New and improved:

  • Removed the Protobuf dependency.

  • Enhanced reporting capabilities for routes, libraries, and applications.

  • Enhanced and updated Protect rules.

Release date: August 31, 2022

Language versions currently supported: 2.7 - 3.1

New and improved:

  • Enabled URL and Input (Assess) exclusions.

Bug fixes:

  • Instrumented applications no longer return 502. (RUBY-1775)

Release date: August 4, 2022

Language versions currently supported: 2.7 - 3.1

Bug fixes:

  • When attempting to read custom configuration, some attributes are unable to be set. (RUBY-1785)

Release date: July 21, 2022

Language versions currently supported: 2.7 - 3.1

New and improved:

  • Update internal URL parsing to be more compatible with third-party APM monitoring of outbound connections to Contrast web interface.

Release date: July 19, 2022

Language versions currently supported: 2.7 - 3.1

Bug fixes:

  • When reading database configuration objects such as ActiveRecord::DatabaseConfigurations::HashConfig, the agent may be unable to properly parse connection settings.

Release date: July 15, 2022

Language versions currently supported: 2.7 - 3.1

Bug fixes:

  • When parsing a SQL statement in MySQL, the Agent may incorrectly identify a boundary overrun resulting in an improper attack evaluation. (RUBY-1770)

Release date: July 14, 2022

Language versions currently supported: 2.7 - 3.1

Bug fixes:

  • When running in trace mode, a dynamically generated method wrapper may conflict with other middleware. (RUBY-1760)

Release date: July 13, 2022

Language versions currently supported: 2.7 - 3.1

Bug fixes:

  • When redirecting through OmniAuth, the Agent incorrectly reports a security vulnerability. (RUBY-1758)

Release date: July 1, 2022

Language versions currently supported: 2.7 - 3.1

Bug fixes:

  • When `ActiveRecord::StatementCache::BindMap#execute` is used, the agent incorrectly flags the query executed as unsafe.

Archive

Release date: June 29, 2022

Language versions currently supported: 2.7 - 3.1

New and improved:

  • Update to our internal policies and corresponding policy tests.

  • Performance improvements from bug fixes: Ruby-1740, Ruby-1742.

Bug fixes:

  • When we try to extract routes from ActionDispatch::Routing::RouteSet::Dispatcher, an exception that may cause CPU spikes or server outages occurs. (RUBY-1737)

  • When contrast_post_patch was being called twice during applying patches, it caused performance issues and other various bugs. (Ruby-1740)

  • When calling to_sym on a string, the propagation breaks. (Ruby-1741)

  • When evaluating Assess rule violation, sometimes multiple events were created. (Ruby-1742)

  • When the Ruby Agent has large memory usage, it crashes since PROPERTIES_HASH is not getting cleaned up. (Ruby-1747)

Release date: June 9, 2022

Language versions currently supported: 2.7 - 3.1

Bug fixes:

  • When added to an application with google-protobuf, a namespace collision prevents installation. (RUBY-1736)

Release date: June 6, 2022

Language versions currently supported: 2.7 - 3.1

Release date: May 27, 2022

Language versions currently supported: 2.7 - 3.1

New and improved:

  • Telemetry exceptions - production issues from live customer environments will be reported to our servers to help remediate bugs.

  • New diagnostic executable to help troubleshoot settings, connectivity, and configuration lookup.

Bug fixes:

  • When multiple exceptions are queued for reporting, translating them to JSON may cause the agent to bloat application memory usage. (RUBY-1698)

  • When body of type Rack::Files or Rack::Files::Iterator is passed, the agent is not able to handle that body type and throws an error. (RUBY-1710)

Release date: May 12, 2022

Language versions currently supported: 2.7 - 3.1

Bug fixes:

  • When given a non-standard database connection string, the agent raises a handled exception during parsing. (Ruby-1697)

Release date: May 12, 2022

Language versions currently supported: 2.7 - 3.1

Bug fixes:

  • When creating a stack trace for telemetry reporting, the agent pushes a potentially uninitialized instance variable. (Ruby-1694)

Release date: May 5, 2022

Language versions currently supported: 2.7 - 3.1

Bug fixes:

  • When the Contrast Service is not running, the agent queues up messages to send infinitely, creating a memory leak. (RUBY-1667)

Release date: April 4, 2022

Language versions currently supported: 2.7 - 3.1

New and improved:

  • Added support for Ruby 3.1.

  • Removed support for Ruby 2.6.

Bug fixes:

  • When reporting Stored XSS findings, the agent is omitting the database table and column of origin. (Ruby-1548)

Release date: March 3, 2022

Language versions currently supported: 2.6 - 3.0

Bug fixes:

  • When running in an environment without Rails, the agent may cause a require error. (RUBY-1551)

Release date: February 28, 2022

Language versions currently supported: 2.6 - 3.0

Bug fixes:

  • When another dependency overrides the Kernel#exec method with a prepend, then the agent can cause an infinite loop. (RUBY-1246)

Release date: January 24, 2022

Language versions currently supported: 2.6 - 3.0

Bug fixes:

  • When the agent is installed in an environment running rspec-rails on a Ruby version less than 3.0.0, a collision with ActiveSupport::Concern breaks the ActiveSupport::Concern#included method. (Ruby-1500)

Release date: January 6, 2022

Language versions currently supported: 2.6 - 3.0

Note

Ruby 2.5 is no longer supported after the Ruby agent 4.14.1.

Release date: December 20, 2021

Language versions currently supported: 2.5 - 3.0

Note

Ruby 2.5 is no longer supported after the Ruby agent 4.14.1.

Release date: December 7, 2021

Language versions currently supported: 2.5 - 3.0

Release date: November 19, 2021

Language versions currently supported: 2.5 - 3.0

Bug fixes:

  • When attempting to write to the filesystem, if the directory is inaccessible, then an uncaught exception may cause a crash. (RUBY-1420)

Release date: November 11, 2021

Language versions currently supported: 2.5 - 3.0

New and improved:

  • Support for Puma web server.

  • Support for Thin web server.

  • Telemetry is now enabled in the Ruby agent in order to gather valuable data about the agent’s functionality. The data is all anonymous, no personal information is collected.

Release date: October 14, 2021

Language versions currently supported: 2.5 - 3.0

Bug fixes:

  • When fork is called in a Rails application that has hooked ActiveSupport::ForkTracker, a conflict between aliasing and prepending results in a "no superclass method `fork'" error, causing the Rails application to fail during agent start-up. (RUBY-1352)

  • When looking up cached strings prior to Ruby 2.7, cache collisions could cause the wrong representation to be reported. (RUBY-1325)

Release date: September 23, 2021

Language versions currently supported: 2.5 - 3.0

Bug fixes:

  • When determining if a closed stream should be copied, an IOError is raised. (RUBY-1318)

  • When the agent logs patching a class extending ActiveRecord model with has_and_belongs_to_many before c is determined, then table_name is permanently set to ''. (RUBY-1322)

Release date: August 26, 2021

Language versions currently supported: 2.5 - 3.0

New and improved:

  • Improved agent performance, reducing impact to instrumented application.

  • Support for Grape application framework.

Release date: July 15, 2021

Language versions currently supported: 2.5 - 3.0

Bug fixes:

  • When a Rake task was executed for an application instrumented with Contrast, an erroneous include prevented the loading of Contrast tasks. (RUBY-1247)

Release date: June 24, 2021

Language versions currently supported: 2.5 - 3.0

New and improved:

  • Improved runtime performance and round-trip time by optimizing dynamic components.

Release date: May 20, 2021

Language versions currently supported: 2.5 - 3.0

New and improved:

  • Added support for built-in sanitization and validation in the Rails and Sinatra Web Application Frameworks to improve vulnerability detection when Assess is enabled.

Release date: May 10, 2021

Language versions currently supported: 2.5 - 3.0

Bug fixes:

  • When a user tries to install the agent in an application requiring Parser 3.0 or later, then a dependency conflict prevents installation. (RUBY-1195)

Release date: April 22, 2021

Language versions currently supported: 2.5 - 3.0

New and improved:

  • Various updates are included in this release to improve memory usage and all around performance when Assess is enabled.

Release date: March 25, 2021

Language versions currently supported: 2.5 - 2.7

New and improved:

  • The agent now has improved stacktrace reporting.

  • Added []= Hash Equals key tracking for Ruby 3.0.

  • The Ruby Agent now reports its effective instrumentation mode.

  • The agent will now ignore methods for ActionDispatch::Http::URL.

  • Updated patching for :+ patching in Ruby 3.0.

  • Updated copyright to 2021.

Bug fixes:

  • When reading overrides for the mode of individual Protect rules from local configuration, a translation error prevented rules from enabling Blocking mode. (RUBY-1134)

Release date: March 10, 2021

Language versions currently supported: 2.5 - 2.7

Bug fixes:

  • When trying to start up a Rails application, an exception is thrown in ActionController::Railties::Helper::ClassMethods if it is missing the inherited method. (RUBY-1127)

Release date: February 25, 2021

Language versions currently supported: 2.5 - 2.7

New and improved:

  • The agent now determines Sinatra routes from Middleware#call instead of Sinatra::Base.

Bug fixes:

  • When the ReDos Assess rule is disabled, the vulnerability could still be reported. (RUBY-1113)

Release date: February 12, 2021

Language versions currently supported: 2.5 - 2.7

New and improved:

  • Upgraded the service for latest updates.

Release date: February 5, 2021

Language versions currently supported: 2.5 - 2.7

Bug fixes:

  • When rendering a template with ActionView, a patched method would cause issues in the rendering process. We removed this patching to solve this issue. (RUBY-1102)

Release date: January 29, 2021

Language versions currently supported: 2.5 - 2.7

Important note:

  • Support for Ruby 2.5 will be deprecated in April 2021.

New features and improvements:

  • Modified String#split Assess dataflow analysis to improve performance of String tracking operations.

  • Added the ability to configure capturing Assess stack traces with assess.stacktraces.

  • The agent now does library discovery in a background thread to improve startup performance.

  • Modified dataflow tracking in Assess to short circuit sooner, avoiding the need to create intermediate objects when processing non-user input data.

  • The agent now ignores certain methods for dataflow in Rails to improve performance.

Bug fixes:

  • When a dataflow event occurs, a memory leak happens when we track data. We fixed the duplicated key to stop the leak. (RUBY-1081)

Release date: December 18, 2020

Language versions currently supported: 2.5 - 2.7

New features and improvements:

  • Improved array.rb tracking performance when Assess is enabled.

  • Improved application context tracking performance when Assess is enabled.

Release date: November 20, 2020

Language versions currently supported: 2.5 - 2.7

New features and improvements:

  • Improved stability and accuracy of Assess and Protect rules.

Release date: November 5, 2020

Language versions currently supported: 2.5 - 2.7

New features and improvements:

  • Added Assess propagation and tracking for MatchData#string.

  • The agent now reports enhanced library usage on startup and at the end of each request. After a request is received by the agent, we report new files loaded for an installed package.

  • Added configuration to disable library analysis.

  • Improved performance of scanning based rules like Hardcoded Key/Password.

Release date: October 23, 2020

Language versions currently supported: 2.5 - 2.7

New features and improvements:

  • Added WARN level logging if the configuration required to connect to the Contrast service is missing.

  • Added INFO level application identification logging.

  • Improved agent detection of hardcoded password/cryptographic key for non-literal hardcoded values.

Release date: September 17, 2020

Language versions currently supported: 2.5 - 2.7

New features and improvements:

  • Added support for Unicorn 4 and 5.

  • Improved Object tracking to account for frozen Objects.

  • Improved gemspec filtering to prevent precompiled files from being packaged in the gem.

  • Added warning if common config YAML contains invalid syntax when parsing.

  • Agent now logs full configuration state including ENV and YAML values.

Release date: August 24, 2020

Language versions currently supported: 2.5 - 2.7

New features and improvements:

  • Added logging for request start.

  • Added logging for request end.

  • Updated Unsafe File Upload detection to correctly handle auto-generated Rack::Multipart tempfiles.

  • Added support for Rails engine routes for route coverage.

  • Removed the Kernel#require tracker.

  • Refactored dataflow tracing to function alongside, rather than directly on, String instances, reducing pollution of existing name and method spaces.

  • Updated RuboCop compliance.

Release date: July 29, 2020

Language versions currently supported: 2.5 - 2.7

Bug fixes:

  • False positive in our usage of the rack.session cookie in Sinatra applications. (RUBY-959)

Release date: July 24, 2020

Language versions currently supported: 2.5 - 2.7

New and improved:

  • Updated Speedracer version to 2.9.5/20200723-1734.d8d4139 (RUBY-957)

Language versions currently supported: 2.5-2.7

Agent versions released during the past month: 3.12.1, 3.12.2, 3.13.0

New features and improvements:

  • Replaced google-protobuf with protobuf.

  • Improved logging to include Thread Id as well as Process Id.

  • Removed custom Contrast::InternalException in favor of common exception types to improve error handling.

Important notes:

  • The change of dependency from google-protobuf to protobuf removes the need to execute the bundle config force_ruby_platform true command before installation.

  • In 2020, the cucumber project forked protobuf for their own use in a way that is incompatible with the main branch. As such, you cannot run any project using cucumber-messages above version 8.0.0 as it depends on the incompatible protobuf-cucumber.

Bug fixes:

  • Improved handling of logging to unwritable destinations.

  • Improved handling of propagation to children of the String class.

  • Improved handling of propagation through Regular Expression where the result of a match is nil.

Language versions currently supported: 2.5-2.7

Agent versions released during the past month: 3.12.0

New features and improvements:

  • Caching of settings to improve performance and reduce memory impact.

Important notes:

  • Deprecation of CSRF Assess and Protect rules.

Language versions currently supported: 2.5 - 2.7

Agent versions released during the past month: 3.10.1, 3.10.2, 3.11.0

New features and improvements:

  • Improved Stack Trace capturing.

  • Improved library analysis performance, leading to a decrease in the first-request penalty.

Important notes:

  • The Agent now supports TRACE level logging. Those running with DEBUG logging should see a significant decrease in logged events.

Language versions currently supported: 2.4 - 2.7

Agent versions released during the past month: 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.9.0

New features and improvements:

  • Enhanced module definition detection using TracePoint.

Important notes:

  • This will be the last on-premises release bundled with a gem that supports Ruby 2.4.

  • It is recommended to use RubyGems at this point.