Ruby agent release notes

When attempting to write to the filesystem, if the directory is inaccessible, then an uncaught exception may cause a crash. (RUBY-1420)

Support for Puma web server.

Support for Thin web server.

Telemetry is now enabled in the Ruby agent in order to gather valuable data about the agent’s functionality. The data is all anonymous, no personal information is collected.

When a fork is called in a Rails application that has hooked ActiveSupport::ForkTracker, it conflicts between aliasing and prepending result in no superclass method \fork', causing the rails application to fail during agent start-up. (RUBY-1352)

When looking up cached strings prior to Ruby 2.7, cache collisions could cause the wrong representation to be reported. (RUBY-1325)

When determining if a closed stream should be copied, an IOError is raised. (RUBY-1318)

When the agent logs patching a class extending ActiveRecord model with has_and_belongs_to_many before c is determined, then table_name is permanently set to ''.(RUBY-1322)

Improved agent performance, reducing impact to instrumented application.

Support for Grape application framework.

When a Rake task was executed for an application instrumented with Contrast, an erroneous include prevented the loading of Contrast tasks. (RUBY-1247)

Improved runtime performance and round-trip time by optimizing dynamic components.

Added support for built-in sanitization and validation in the Rails and Sinatra Web Application Frameworks to improve vulnerability detection when Assess is enabled.

When a user tries to install the agent in an application requiring Parser 3.0 or later, then a dependency conflict prevents installation. (RUBY-1195)

Various updates are included in this release to improve memory usage and all around performance when Assess is enabled.

The agent now has improved stacktrace reporting.

Added []= Hash Equals key tracking for Ruby 3.0.

The Ruby Agent now reports its effective instrumentation mode.

The agent will now ignore methods for ActionDispatch::Http::URL.

Updated patching for :+ patching in Ruby 3.0.

Updated copyright to 2021.

When reading overrides for the mode of individual Protect rules from local configuration, a translation error prevented rules from enabling Blocking mode. (RUBY-1134)

When trying to startup a Rails application, an exception is thrown in ActionController::Railties::Helper::ClassMethods if it is missing the inherited method. (RUBY-1127)

The agent now determines Sinatra routes from Middleware#call instead of Sinatra::Base.

When the ReDos Assess rule is disabled, the vulnerability could still be reported. (RUBY-1113)

Upgraded the service for latest updates.

When rendering a template with ActionView, a patched method would cause issues in the rendering process. We removed this patching to solve this issue. (RUBY-1102)

Support for Ruby 2.5 will be deprecated in April 2021.

Modified String#split Assess dataflow analysis to improve performance of String tracking operations.

Added the ability to configure capturing Assess stack traces with assess.stacktraces.

The agent now does library discovery in a background thread to improve startup performance.

Modified dataflow tracking in Assess to short circuit sooner, avoiding the need to create intermediate objects when processing non-user input data.

The agent now ignores certain methods for dataflow in Rails to improve performance.

When a dataflow event occurs, a memory leak happens when we track data. We fixed the duplicated key stop the leak. (RUBY-1081)

Improved array.rb tracking performance when Assess is enabled.

Improved application context tracking performance when Assess is enabled.

Improved stability and accuracy of Assess and Protect rules

Added Assess propagation and tracking for MatchData#string.

The agent now reports enhanced library usage on startup and at the end of each request. After a request is received by the agent, we report new files loaded for an installed package.

Added configuration to disable library analysis.

Improved performance of scanning based rules like Hardcoded Key/Password.

Added WARN level logging if the configuration required to connect to the Contrast service is missing.

Added INFO level application identification logging.

Improved agent detection of hardcoded password/cryptographic key for non-literal hardcoded values.

Added support for Unicorn 4 and 5.

Improved Object tracking to account for frozen Objects.

Improved gemspec filtering to prevent precompiled files from being packaged in the gem.

Added warning if common config YAML contains invalid syntax when parsing.

Agent now logs full configuration state including ENV and YAML values.

Added logging for request start.

Added logging for request end.

Updated Unsafe File Upload detection to correctly handle auto-generaged Rack::Multipart tempfile.

Added support for Rails engine routes for route coverage.

Removed the Kernel#require tracker.

Refactored dataflow tracing to function along side of, rather than directly on, String instances, reducing pollution of existing name and method spaces.

Updated RuboCop compliance.

False positive in our usage of rack.session cookie in Sinatra applications (RUBY-959)

Updated Speedracer version to 2.9.5/20200723-1734.d8d4139 (RUBY-957)

Replaced google-protobuf with protobuf.

Improved logging to include Thread Id as well as Process Id.

Removed custom Contrast::InternalException in favor of common exception types to improve error handling.

The change of dependency from google-protobuf to protobuf, removes the need to execute the bundle config force_ruby_platform true command before installation.

In 2020, the cucumber project forked protobuf for their own use in a way that is incompatible with the main branch. As such, you cannot run any project using cucumber-messages above version 8.0.0 as it depends on the incompatible protobuf-cucumber.

Improved handling of logging to unwritable destinations.

Improved handling of propagation to children of the String class.

Improved handling of propagation through Regular Expression where the result of a match is nil.

Caching of settings to improve performance and reduce memory impact

Deprecation of CSRF Assess and Protect rules

Improved Stack Trace capturing

Improved library analysis performance leading to a decrease in first request penalty

The Agent now supports TRACE level logging. Those running with DEBUG logging should see a significant decrease in logged events

Enhanced module definition detection using TracePoint

This will be the last on-premises release bundled with a gem that supports Ruby 2.4.

It is recommended to use RubyGems at this point.