Ruby agent release notes
Release date: November 19, 2021
Language versions currently supported: 2.5 - 3.0
Bug fixes:
When attempting to write to the filesystem, if the directory is inaccessible, then an uncaught exception may cause a crash. (RUBY-1420)
Release date: November 11, 2021
Language versions currently supported: 2.5 - 3.0
New and improved:
Support for Puma web server.
Support for Thin web server.
Telemetry is now enabled in the Ruby agent in order to gather valuable data about the agent's functionality. The data is anonymous; no personal information is collected.
Release date: October 14, 2021
Language versions currently supported: 2.5 - 3.0
Bug fixes:
When fork is called in a Rails application that has hooked ActiveSupport::ForkTracker, a conflict between aliasing and prepending results in "super: no superclass method `fork'", causing the Rails application to fail during agent start-up. (RUBY-1352)
When looking up cached strings prior to Ruby 2.7, cache collisions could cause the wrong representation to be reported. (RUBY-1325)
Release date: September 23, 2021
Language versions currently supported: 2.5 - 3.0
Bug fixes:
When determining if a closed stream should be copied, an IOError is raised. (RUBY-1318)
When the agent logs patching a class extending an ActiveRecord model with has_and_belongs_to_many before its table_name is determined, then table_name is permanently set to ''. (RUBY-1322)
Release date: August 26, 2021
Language versions currently supported: 2.5 - 3.0
New and improved:
Improved agent performance, reducing impact on the instrumented application.
Support for Grape application framework.
Release date: July 15, 2021
Language versions currently supported: 2.5 - 3.0
Bug fixes:
When a Rake task was executed for an application instrumented with Contrast, an erroneous include prevented the loading of Contrast tasks. (RUBY-1247)
Release date: June 24, 2021
Language versions currently supported: 2.5 - 3.0
New and improved:
Improved runtime performance and round-trip time by optimizing dynamic components.
Release date: May 20, 2021
Language versions currently supported: 2.5 - 3.0
New and improved:
Added support for built-in sanitization and validation in the Rails and Sinatra Web Application Frameworks to improve vulnerability detection when Assess is enabled.
Release date: May 10, 2021
Language versions currently supported: 2.5 - 3.0
Bug fixes:
When a user tries to install the agent in an application requiring Parser 3.0 or later, then a dependency conflict prevents installation. (RUBY-1195)
Release date: April 22, 2021
Language versions currently supported: 2.5 - 3.0
New and improved:
Various updates are included in this release to improve memory usage and overall performance when Assess is enabled.
Release date: March 25, 2021
Language versions currently supported: 2.5 - 2.7
New and improved:
The agent now has improved stacktrace reporting.
Added []= Hash Equals key tracking for Ruby 3.0.
The Ruby agent now reports its effective instrumentation mode.
The agent will now ignore methods for ActionDispatch::Http::URL.
Updated :+ patching for Ruby 3.0.
Updated copyright to 2021.
Bug fixes:
When reading overrides for the mode of individual Protect rules from local configuration, a translation error prevented rules from enabling Blocking mode. (RUBY-1134)
Release date: March 10, 2021
Language versions currently supported: 2.5 - 2.7
Bug fixes:
When trying to start up a Rails application, an exception is thrown in ActionController::Railties::Helper::ClassMethods if it is missing the inherited method. (RUBY-1127)
Release date: February 25, 2021
Language versions currently supported: 2.5 - 2.7
New and improved:
The agent now determines Sinatra routes from Middleware#call instead of Sinatra::Base.
Bug fixes:
When the ReDoS Assess rule is disabled, the vulnerability could still be reported. (RUBY-1113)
Release date: February 12, 2021
Language versions currently supported: 2.5 - 2.7
New and improved:
Upgraded the service for latest updates.
Release date: February 5, 2021
Language versions currently supported: 2.5 - 2.7
Bug fixes:
When rendering a template with ActionView, a patched method would cause issues in the rendering process. We removed this patching to solve the issue. (RUBY-1102)
Release date: January 29, 2021
Language versions currently supported: 2.5 - 2.7
Important note:
Support for Ruby 2.5 will be deprecated in April 2021.
New and improved:
Modified String#split Assess dataflow analysis to improve performance of String tracking operations.
Added the ability to configure capturing Assess stack traces with assess.stacktraces.
The agent now does library discovery in a background thread to improve startup performance.
Modified dataflow tracking in Assess to short circuit sooner, avoiding the need to create intermediate objects when processing non-user input data.
The agent now ignores certain methods for dataflow in Rails to improve performance.
Bug fixes:
When a dataflow event occurs, a memory leak happens when we track data. We fixed the duplicated key to stop the leak. (RUBY-1081)
Release date: December 18, 2020
Language versions currently supported: 2.5 - 2.7
New and improved:
Improved array.rb tracking performance when Assess is enabled.
Improved application context tracking performance when Assess is enabled.
Release date: November 20, 2020
Language versions currently supported: 2.5 - 2.7
New and improved:
Improved stability and accuracy of Assess and Protect rules
Release date: November 5, 2020
Language versions currently supported: 2.5 - 2.7
New and improved:
Added Assess propagation and tracking for MatchData#string.
The agent now reports enhanced library usage on startup and at the end of each request. After a request is received by the agent, we report new files loaded for an installed package.
Added configuration to disable library analysis.
Improved performance of scanning based rules like Hardcoded Key/Password.
Release date: October 23, 2020
Language versions currently supported: 2.5 - 2.7
New and improved:
Added WARN level logging if the configuration required to connect to the Contrast service is missing.
Added INFO level application identification logging.
Improved agent detection of hardcoded password/cryptographic key for non-literal hardcoded values.
Release date: September 17, 2020
Language versions currently supported: 2.5 - 2.7
New and improved:
Added support for Unicorn 4 and 5.
Improved Object tracking to account for frozen Objects.
Improved gemspec filtering to prevent precompiled files from being packaged in the gem.
Added warning if common config YAML contains invalid syntax when parsing.
Agent now logs full configuration state including ENV and YAML values.
Release date: August 24, 2020
Language versions currently supported: 2.5 - 2.7
New and improved:
Added logging for request start.
Added logging for request end.
Updated Unsafe File Upload detection to correctly handle auto-generated Rack::Multipart tempfiles.
Added support for Rails engine routes for route coverage.
Removed the Kernel#require tracker.
Refactored dataflow tracing to function alongside, rather than directly on, String instances, reducing pollution of existing name and method spaces.
Updated RuboCop compliance.
Release date: July 29, 2020
Language versions currently supported: 2.5 - 2.7
Bug fixes:
Fixed a false positive in our usage of the rack.session cookie in Sinatra applications. (RUBY-959)
Release date: July 24, 2020
Language versions currently supported: 2.5 - 2.7
New and improved:
Updated Speedracer version to 2.9.5/20200723-1734.d8d4139. (RUBY-957)
Language versions currently supported: 2.5 - 2.7
Agent versions released during the past month: 3.12.1, 3.12.2, 3.13.0
New and improved:
Replaced google-protobuf with protobuf.
Improved logging to include Thread Id as well as Process Id.
Removed custom Contrast::InternalException in favor of common exception types to improve error handling.
Important notes:
The change of dependency from google-protobuf to protobuf removes the need to execute the bundle config force_ruby_platform true command before installation.
In 2020, the cucumber project forked protobuf for their own use in a way that is incompatible with the main branch. As such, you cannot run any project using cucumber-messages above version 8.0.0, as it depends on the incompatible protobuf-cucumber.
Bug fixes:
Improved handling of logging to unwritable destinations.
Improved handling of propagation to children of the String class.
Improved handling of propagation through Regular Expression where the result of a match is nil.
Language versions currently supported: 2.5 - 2.7
Agent versions released during the past month: 3.12.0
New and improved:
Caching of settings to improve performance and reduce memory impact
Important notes:
Deprecation of CSRF Assess and Protect rules
Language versions currently supported: 2.5 - 2.7
Agent versions released during the past month: 3.10.1, 3.10.2, 3.11.0
New and improved:
Improved Stack Trace capturing
Improved library analysis performance leading to a decrease in first request penalty
Important notes:
The Agent now supports TRACE level logging. Those running with DEBUG logging should see a significant decrease in logged events
Language versions currently supported: 2.4 - 2.7
Agent versions released during the past month: 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.9.0
New and improved:
Enhanced module definition detection using TracePoint
Important notes:
This will be the last on-premises release bundled with a gem that supports Ruby 2.4.
It is recommended to use RubyGems at this point.