Enable Server Messages to stay on top of agent updates. When your agent version is out of date, Contrast will send you an email with recommendations for updates. You can also check your notifications in the Contrast UI, or hover over the warning icon in the Servers grid and your server's Overview tab for a reminder. To enable Server Messages, go to the Notifications page from Your Account or Organization Settings.
Check back next release for more updates!
The .NET team improved the accuracy and performance of Protect Command Injection as well as the accuracy of Protect SQL-Injection and Reflected XSS. We implemented a Server Side Request Forgery (SSRF) rule for Assess. We also fixed a bug where the Tray would occasionally fail to update agent status.
The Node team focused on broadening framework support. We added support for the Koa framework as well as Route Coverage support for Koa for applications using
koa-router. We also added Route Coverage support for Hapi. We added
agent.heap_dump configuration settings to allow periodic creation of heap dumps for debugging v8 crashes and memory issues. Bug fixes included:
sequelize.queryno longer causes the sensor to fail
ast-typesmodule no longer crashes when loaded with Assess enabled
The Ruby team focused on expanding our feature offering for this release. We expanded our rule coverage to include support for several new Assess rules, with a focus on rules responsible for HTTP Session security evaluation. To improve our customer support, we also added the ability to generate heap dumps directly from the agent. Finally, to further our effort to improve our interoperability with other testing infrastructures, we've continued to transition our sensor weaving into C, and we've addressed bugs causing an incompatibility with the FactoryBot testing framework.
The Python team refactored our middleware code to work better with the range of frameworks we support, including older versions of Django. Improvements to agent startup eliminated some noisy trackback logs from configuration and Route Coverage. Bug fixes include the XXE rule with SAX incorrectly patching and improperly setting Django headers in responses.
The Java team improved the accuracy of Assess XSS, SQL injection rules as well as the accuracy of Protect command injection and SQL injection rules. We enabled Runtime Exploit Prevention (REP) by default for Protect users on SaaS and EOP. (You can also update the settings for individual REP rules in your agent's configuration file.) We also made the Java agent available on Maven Central. See the new documentation to learn more!
The .NET team fixed the following bugs:
The Node team worked to provide support for two new web frameworks: Beta support for Koa, the predecessor to Express, as well as full support for Hapi 18 (the latest version). The team also added instrumentation support for the Multer middleware module, which allows the agent to track and analyze untrusted data from multipart form bodies. We resolved a bug that caused the agent to report Assess false positives for PostgreSQL database queries. We added support for the application code configuration option, and removed deprecated configuration options. The agent supports the piping of log messages to /dev/null. We also worked on removing Node 6 support, which has entered EOL. To top it all off, this release includes various enhancements that provide both breadth and accuracy in our Assess data-flow propagators.
The Ruby team focused on improving performance of our Assess product. We refactored the way our Monkey Patching works to ensure namespace collisions no longer occur with existing methods, and updated lookups of these renamed methods to take advantage of better caching techniques. We also worked to isolate the processes in which the agent runs its instrumentation, which reduces impact to non-security related operations; this has improved our compatibility with common processes such as Rake and Sidekiq.
The latest version of the Python agent includes a collection of product quality updates. To improve stability and agent quality, the team identified different aspects of the agent that needed improvements and updated them. This also helped us identify any small errors that could have occurred in the future. We also fixed several small bugs, like accidentally patching twice for certain libraries and a scenario in which the agent may retry to initialize itself.
The Java team improved the accuracy of Protect command injection, SQL injection and XSS rules. We also fixed a bug where exclusions weren't applied for some Protect rules. We cleaned up and clarified the output of the agent’s diagnostic connection check, made minor improvements to agent startup time, and reduced redundant log messages.
The .NET team improved the accuracy of Assess path traversal as well as the performance of Assess data flow analysis. We fixed a bug where modifying the agent’s configuration file while the agent was running could cause an error in the agent’s background Windows service. We also reduced redundant log messages.
The Node team focused on developing a new implementation for performing data flow analysis and string tracking. The changes introduced, which leverage native C++ add-ons, improve both agent stability and the accuracy of Assess findings. The team also focused on improving the accuracy of reporting propagation through specific String and Array methods, such as slice and join. We made additional improvements to strengthen the agent's ability to detect hard-coded passwords. We added Assess support for DynamoDB. Additionally, the agent now recognizes the
CONTRAST_CONFIG_PATH environment variable, which you can use to specify the location of an agent’s configuration file.
The Ruby team focused on updating support to align with the LTS versions of the Ruby language. As a result, the supported range of Ruby for agent 2.3.0 and greater has changed to 2.3.0-2.6.X. We also updated dynamic patching to utilize C methods instead of standard Ruby aliasing, which preserves method scope. Both of these changes improve the overall performance and stability of the Ruby agent.
The Python agent team worked to improve our Pyramid and WSGI middlewares by refactoring response information. This includes Command Injection hardening for new lines and inline comments along with support for the PyYAML 5.1 release that broke a lot of open-source projects. We added better image response handling to remove a possible slow down or crash in the agent.
Check back next release!
The Java team improved memory usage of Assess analysis, reduced noise in data flow analysis against applications using logback, and added an Assess validator for the Spring framework. We fixed an issue in Assess data flow analysis involving unmodifiable lists as well as an issue where reporting of parameter names and values could be swapped under JaxRS applications.
The .NET team fixed race conditions when evaluating exclusions and capturing a stack trace, and improved performance of instrumentation. We also implemented Untrusted Deserialization for Protect covering all formatters with known exploits in the .NET Framework Base Class Library (BCL) as well as JSON.NET.
The Node team resolved an issue where the asar library was causing an
npm audit run to fail. We updated the NoSQL rule to catch a potential attack using the not equal operator. We also closed an issue where the agent couldn't be installed on a bare-bones Linux distribution due to a dependency of a dependency relying on the git executable being available.
The Ruby team has focused on performance and security updates in the Assess features of the agent. We moved Regex, Kernel and Enumerator patching from the Ruby code to the underlying C level. We updated the policy to be more conservative about patching ancestors of methods. We also added a check for port in use before starting the Contrast Service.
The Python agent team added support for the urllib3 and requests library for the SSRF Protect Rule. We made additional updates for performance and code stability in how Protect Rules are applied to sinks.
Check back next release!
The Java team improved accuracy of Protect SQL-Injection, XSS and Expression Language Injection rules, as well as the Assess SQL-Injection rule. We fixed several errors that don't affect analysis, but would cause noise within agent logs:
We also fixed an error that could occur under the Play framework, and reduced log severity when the agent can't determine the database type of a database architecture component. We added support for using
contrast namespace for command line and system property YAML configuration properties (e.g.,
Java 1.5 is no longer supported as of version 3.6.0 of the Java agent. The Java agent supports most Java runtimes for version 1.6 - 1.8. For a complete list of supported Java runtimes, see Supported Technologies.
The .NET team fixed an issue where the agent could cause an error when ASPX pages are used to generate CSS files.
The Node team released the last 1.x agent before we migrate to the new dataflow tracking technology in the 2.0 version of the agent, which we plan to release in February. The latest version of the agent has updates to prevent side effects in data flow through ternary statements as well as updates to the Syslog support.
The Ruby team added support for server names that contain non-UTF8 characters, and fixed a defect where the agent couldn't send activity messages when the path segment of the URI was nil. In Assess mode, the agent includes updates to better handle edge cases with frozen strings.
The Python team added support for Python 3.7. We added additional support for the metadata feature by sending metadata in the application startup message. The agent also includes support for a configuration to disable automatic startup of the service in environments where the service is being launched by and external runner.