Ruby agent release notes

Release date: September 23, 2021

Language versions currently supported: 2.5 - 3.0

Bug fixes:

  • When determining if a closed stream should be copied, an IOError is raised. (RUBY-1318)

  • When the agent logs patching a class extending ActiveRecord model with has_and_belongs_to_many before c is determined, then table_name is permanently set to ''.(RUBY-1322)

Release date: August 26, 2021

Language versions currently supported: 2.5 - 3.0

New and improved:

  • Improved agent performance, reducing impact to instrumented application.

  • Support for Grape application framework.

Release date: July 15, 2021

Language versions currently supported: 2.5 - 3.0

Bug fixes:

  • When a Rake task was executed for an application instrumented with Contrast, an erroneous include prevented the loading of Contrast tasks. (RUBY-1247)

Release date: June 24, 2021

Language versions currently supported: 2.5 - 3.0

New and improved:

  • Improved runtime performance and round-trip time by optimizing dynamic components.

Release date: May 20, 2021

Language versions currently supported: 2.5 - 3.0

New and improved:

  • Added support for built-in sanitization and validation in the Rails and Sinatra Web Application Frameworks to improve vulnerability detection when Assess is enabled.

Release date: May 10, 2021

Language versions currently supported: 2.5 - 3.0

Bug Fixes:

  • When a user tries to install the agent in an application requiring Parser 3.0 or later, then a dependency conflict prevents installation. (RUBY-1195)

Release date: April 22, 2021

Language versions currently supported: 2.5 - 3.0

New and improved:

  • Various updates are included in this release to improve memory usage and all around performance when Assess is enabled.

Release date: March 25, 2021

Language versions currently supported: 2.5 - 2.7

New and improved:

  • The agent now has improved stacktrace reporting.

  • Added []= Hash Equals key tracking for Ruby 3.0.

  • The Ruby Agent now reports its effective instrumentation mode.

  • The agent will now ignore methods for ActionDispatch::Http::URL.

  • Updated patching for :+ patching in Ruby 3.0.

  • Updated copyright to 2021.

Bug fixes:

  • When reading overrides for the mode of individual Protect rules from local configuration, a translation error prevented rules from enabling Blocking mode. (RUBY-1134)

Release date: March 10, 2021

Language versions currently supported: 2.5 - 2.7

Bug fixes:

  • When trying to startup a Rails application, an exception is thrown in ActionController::Railties::Helper::ClassMethods if it is missing the inherited method. (RUBY-1127)

Release date: February 25, 2021

Language versions currently supported: 2.5 - 2.7

New and improved:

  • The agent now determines Sinatra routes from Middleware#call instead of Sinatra::Base.

Bug fixes:

  • When the ReDos Assess rule is disabled, the vulnerability could still be reported. (RUBY-1113)

Release date: February 12, 2021

Language versions currently supported: 2.5 - 2.7

New and improved:

  • Upgraded the service for latest updates.

Release date: February 5, 2021

Language versions currently supported: 2.5 - 2.7

Bug fixes:

  • When rendering a template with ActionView, a patched method would cause issues in the rendering process. We removed this patching to solve this issue. (RUBY-1102)

Release date: January 29, 2021

Language versions currently supported: 2.5 - 2.7

Important note:

  • Support for Ruby 2.5 will be deprecated in April 2021.

New and improved:

  • Modified String#split Assess dataflow analysis to improve performance of String tracking operations.

  • Added the ability to configure capturing Assess stack traces with assess.stacktraces.

  • The agent now does library discovery in a background thread to improve startup performance.

  • Modified dataflow tracking in Assess to short circuit sooner, avoiding the need to create intermediate objects when processing non-user input data.

  • The agent now ignores certain methods for dataflow in Rails to improve performance.

Bug fixes:

  • When a dataflow event occurs, a memory leak happens when we track data. We fixed the duplicated key stop the leak. (RUBY-1081)

Release date: December 18, 2020

Language versions currently supported: 2.5 - 2.7

New and improved:

  • Improved array.rb tracking performance when Assess is enabled.

  • Improved application context tracking performance when Assess is enabled.

Release date: November 20, 2020

Language versions currently supported: 2.5 - 2.7

New and improved:

  • Improved stability and accuracy of Assess and Protect rules

Release date: November 5, 2020

Language versions currently supported: 2.5 - 2.7

New and improved:

  • Added Assess propagation and tracking for MatchData#string.

  • The agent now reports enhanced library usage on startup and at the end of each request. After a request is received by the agent, we report new files loaded for an installed package.

  • Added configuration to disable library analysis.

  • Improved performance of scanning based rules like Hardcoded Key/Password.

Release date: October 23, 2020

Language versions currently supported: 2.5 - 2.7

New and improved:

  • Added WARN level logging if the configuration required to connect to the Contrast service is missing.

  • Added INFO level application identification logging.

  • Improved agent detection of hardcoded password/cryptographic key for non-literal hardcoded values.

Release date: September 17, 2020

Language versions currently supported: 2.5 - 2.7

New and improved:

  • Added support for Unicorn 4 and 5.

  • Improved Object tracking to account for frozen Objects.

  • Improved gemspec filtering to prevent precompiled files from being packaged in the gem.

  • Added warning if common config YAML contains invalid syntax when parsing.

  • Agent now logs full configuration state including ENV and YAML values.

Release date: August 24, 2020

Language versions currently supported: 2.5 - 2.7

New and improved:

  • Added logging for request start.

  • Added logging for request end.

  • Updated Unsafe File Upload detection to correctly handle auto-generaged Rack::Multipart tempfile.

  • Added support for Rails engine routes for route coverage.

  • Removed the Kernel#require tracker.

  • Refactored dataflow tracing to function along side of, rather than directly on, String instances, reducing pollution of existing name and method spaces.

  • Updated RuboCop compliance.

Release date: July 29, 2020

Language versions currently supported: 2.5 - 2.7

Bug fixes:

  • False positive in our usage of rack.session cookie in Sinatra applications (RUBY-959)

Release date: July 24, 2020

Language versions currently supported: 2.5 - 2.7

New and improved:

  • Updated Speedracer version to 2.9.5/20200723-1734.d8d4139 (RUBY-957)

Language versions currently supported: 2.5-2.7

Agent versions released during the past month: 3.12.1, 3.12.2, 3.13.0

New and improved:

  • Replaced google-protobuf with protobuf.

  • Improved logging to include Thread Id as well as Process Id.

  • Removed custom Contrast::InternalException in favor of common exception types to improve error handling.

Important notes:

  • The change of dependency from google-protobuf to protobuf, removes the need to execute the bundle config force_ruby_platform true command before installation.

  • In 2020, the cucumber project forked protobuf for their own use in a way that is incompatible with the main branch. As such, you cannot run any project using cucumber-messages above version 8.0.0 as it depends on the incompatible protobuf-cucumber.

Bug fixes:

  • Improved handling of logging to unwritable destinations.

  • Improved handling of propagation to children of the String class.

  • Improved handling of propagation through Regular Expression where the result of a match is nil.

Language versions currently supported: 2.5-2.7

Agent versions released during the past month: 3.12.0

New and improved:

  • Caching of settings to improve performance and reduce memory impact

Important notes:

  • Deprecation of CSRF Assess and Protect rules

Language versions currently supported: 2.5 - 2.7

Agent versions released during the past month: 3.10.1, 3.10.2, 3.11.0

New and improved:

  • Improved Stack Trace capturing

  • Improved library analysis performance leading to a decrease in first request penalty

Important notes:

  • The Agent now supports TRACE level logging. Those running with DEBUG logging should see a significant decrease in logged events

Language versions currently supported: 2.4 - 2.7

Agent versions released during the past month: 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.9.0

New and improved:

  • Enhanced module definition detection using TracePoint

Important notes:

  • This will be the last on-premises release bundled with a gem that supports Ruby 2.4.

  • It is recommended to use RubyGems at this point.