Python microagent release notes

---

[1.27.2] 2021-07-21

• Retain Datadog traces bound to Sqreen events.

[1.27.1] 2021-05-12

• Fix coroutine instrumentation on Python 3.8 and newer.

[1.27.0] 2021-04-06

• Falcon framework support.
• ddtrace integration.
• Fix static rules loading several times.

[1.26.2] 2021-03-11

• Fix In-App WAF testing rules running more than once.

[1.26.1] 2021-03-11

• Raise the amount of time the agent waits for instrumentation to 10s.
• Update log messages.
• Fix an aiohttp issue with the In-App WAF.

[1.26.0] 2021-02-23

• Instrument some frameworks earlier in the startup process.
• Report framework endpoints in HTTP traces.
• Fix the WSGI middleware that was preventing headers mutation.
• Fix a float convertion issue on Python 2.
• Fix a unicode issue on Python 2.

[1.25.2] 2020-12-09

• Fix a Python 2 import regression.
• Set the HTML Content-Type for Sqreen error pages.

[1.25.1] 2020-11-18

• Suppress warning on Sentry SDK configuration.

[1.25.0] 2020-11-09

• Support for Django in ASGI mode.
• Silent Sqreen logging records in Sentry SDK.
• Overall instrumentation improvements.

[1.24.0] 2020-10-15

• New In-App WAF filtering primitives.
• Support for Python 3.9.
• Support for the collect_body option in track SDK calls.
• Fix for applications mutating the HTTP request parameters.

[1.23.0] 2020-08-17

• Introduced tracing for AMQP and Kafka.
• Use the dyno name as agent hostname on Heroku.
• Improved psycopg2 instrumentation.
• Deprecate PROXY_URL and recommend HTTP_PROXY configuration variable.
• Support case sensitiveness in PII key sanitization.

[1.22.0] 2020-08-04

• Introduced tracing for databases and message brokers.

[1.21.3] 2020-07-22

• Fix support for Flask's request.stream.

[1.21.2] 2020-07-17

• Fix an HTTP client tracing compatibility issue on Python 3.5.

[1.21.1] 2020-07-09

• Fix a regression with SQLalchemy due to a DBApi2 deviation.

[1.21.0] 2020-07-07

• New blocking page design.
• Introduced tracing for HTTP services.
• Detect backend connectivity and use the sqreen.com domain when possible.
• yes, y, true and 1 are now the only valid booleans in the configuration.
• Fix possible wrong unicode decoding in Python 2.7.
• Several performance improvements.

[1.20.3] 2020-07-03

• Fix a performance issue in the request tracing.
• Fix permissions of the log file.
• Upgrade PyMiniRacer to 0.3.0.

[1.20.2] 2020-06-11

• Improve the performance for pages using intensively the protections.

[1.20.1] 2020-06-10

• Add support for latest versions of aiohttp (from 3.2 to 3.6).

[1.20.0] 2020-05-25

• Beta XXE protection.
• Improve user monitoring SDK call performance.
• Fix a race condition in the security response store.

[1.19.0] 2020-03-26

• Introduce static typing analysis support.
• Improved frameworks integration.
• Improved PII scrubbing (partial match support).
• Introduce the STRIP_HTTP_REFERER configuration option.
• Optimized instrumentation using the native wrapt extension.
• Better integration with NewRelic.
• Fix reconnection when the backend invalidates the session.

[1.18.2] 2020-03-06

• Rollback changes expected for a future release.

[1.18.1] 2020-03-05

• Improved support for Flask-API.
• Improved PII scrubbing.

[1.18.0] 2020-02-03

• Add support for the Pylons framework.
• Fix an issue preventing the Sqreen error page to appear on Django 404 pages.
• Introduce a new WSGI instrumentation strategy.
• Improve arguments passing for instrumented functions.
• Make use of the vendorized wrapt module for instrumentation.
• Bump vendorized ipaddress module to fix a SyntaxWarning.
• Add support for JS garbage collection from the PyMiniRacer module.

[1.17.1] 2019-12-26

• Avoid sending an unexpected field in user monitoring

[1.17.0] 2019-12-16

• Introduce a performance budget.
• Better startup error reporting.
• Multiple In-App WAF reliability and performance improvements.
• Fix an inconsistency in Security Responses enforcement.
• Support for Python 3.8.

[1.16.1] 2019-10-10

• Improve the In-App WAF error reporting.
• Better support for unicode in HTTP request headers.

[1.16.0] 2019-09-24

• Introduce support for the In-App WAF.

[1.15.3] 2019-09-06

• Improve rule signature verification.

[1.15.2] 2019-08-27

• Introduce Performance Monitoring.
• Fix an issue impacting the import of modules.
• Improve the reliability of some protections.

[1.15.1] 2019-06-24

• Improve HTTP request headers decoding.
• Fix an issue preventing backtraces from being reported with security events.
• Fix an issue that could lead to unexpected events being reported when an IP is blocked.

[1.15.0] 2019-06-06

• Add support for user redirection security response.
• Provide more information about HTTP response in events.
• Improve performance for some protection mecanisms.
• Fix an issue with Django authentication events.
• Fix an issue that might prevent the agent from starting in forking servers.

[1.14.6] 2019-05-06

• Reduce the maximum startup time of the agent

[1.14.5] 2019-03-26

• Fix a regression from 1.14.4 where starting the agent without a token would take longer

[1.14.4] 2019-03-20

• Improve the agent behaviour when the backend is experiencing difficulties
• Make the PII scrubbing configurable through environment variables
• Fix an issue that could result in some blocked IP not working as expected
• Fix an issue that might cause exceptions within the agent, causing performance issues

[1.14.3] 2019-02-25

• Fix a parsing issue on some Azure headers

[1.14.2] 2019-01-23

• Send out more data when blocking a user agent

[1.14.1] 2019-01-23

• Provide more data about some blocking events

[1.14.0] 2018-12-20

• Fix memory leaks
• Reduce memory usage

[1.13.5] 2018-12-06

• Improve the performance of blocking/redirecting IPs

[1.13.4] 2018-10-23

• Fix enconding issues with Python2

[1.13.3] 2018-07-10

• Strip sensitive data before sending them to the BackEnd

[1.13.2] 2018-07-03

• Fix the IP denylist for request without IP

[1.13.1] 2018-06-15

• Arguments passed to SDK track function are no longer modified in-place.
• Update vendored libraries.

[1.13.0] 2018-06-11

• Add support for block user security response.
• Update security responses format.

[1.12.8] 2018-05-30

• Improve agent behavior when receiving invalid security plugin signatures.

[1.12.7] 2018-05-28

• Fix a potential deadlock at startup with Django on Python 2.
• Do not escape Django messages to protect against XSS.
• Update vendored dependencies.

[1.12.6] 2018-05-24

• Update security plugin signature validation algorithm.
• Improve agent behavior when receiving invalid security plugin signatures.

[1.12.5] 2018-05-22

• Add support for Python 3.7.
• Update security responses format.

[1.12.4] 2018-05-21

• Fix IP redirection security response behavior.
• Fix security responses compatibility with Django 2.0.

[1.12.3] 2018-05-17

• Improve management of HTTP timeouts when Sqreen backend is not reachable.
• Do not run the agent within Pyramid shell.
• Update security responses format.

[1.12.2] 2018-05-15

• Fix communication recovery when Sqreen backend is not reachable for a while (e.g. network outage).
• Fix security responses parsing.

[1.12.1] 2018-05-04

• Improve security responses behavior during actions reload.

[1.12] 2018-05-03

• Add compatibility for Flask 1.x.
• Improve security responses behavior.

[1.11.3] 2018-04-24

• Log and filter out invalid options key in SDK track events.
• Add request information to SDK track events.
• Update vendored libraries.

[1.11.2] 2018-04-23

• Fix metrics aggregation on SDK track events.

[1.11.1] 2018-04-20

• Fix HTTP code metrics on aiohttp.

[1.11.0] 2018-04-19

• Add support for SDK track function.

[1.10.0] 2018-04-12

• Add support for custom IP headers.
• Update vendored libraries.

[1.9.0] 2018-04-03

• Add support for aiohttp 3.0 and 3.1.

[1.8.7] 2018-03-22

• Fix user-agent matching.
• Fix a memory leak in JS rules execution.

[1.8.6] 2018-02-28

• Fix disabled instrumentation with New Relic on Heroku.

[1.8.5] 2018-02-06

• Fix HTTP code metrics on blocked attacks.

[1.8.4] 2018-02-01

• Process preloaded Django messages.

[1.8.3] 2018-01-29

• Don't consume Django messages when analyzing them.
• Avoid crashing on non-string Django messages.

[1.8.2] 2018-01-26

• Protect against malicious cookies payloads.

[1.8.1] 2018-01-17

• Fix behavior of request recording.

[1.8.0] 2018-01-11

• Add support for Django 2.0.
• Add new SDK method identify.
• Update vendored libraries.

[1.7.2] 2017-12-21

• Don't trigger DATA_UPLOAD_MAX_MEMORY_SIZE with Django Rest Framework.

[1.7.1] 2017-12-13

• Support for aiohttp 2.2.
• Improve IP address detection.

[1.7.0] 2017-12-04

• Beta support for aiohttp.

[1.6.0] 2017-11-23

• Smaller communication payloads.
• Updated error page.
• Updated user agent.

[1.5.8] 2017-10-27

• Fix passlist behavior on Gunicorn socket mode.
• Fix authentication behavior when no request was recorded.

[1.5.7] 2017-10-23

• Improve performances on long parameters.
• Fix behavior on missing hookpoints.

[1.5.6] 2017-10-18

• Don't crash when exiting uWSGI 2.0.15.

[1.5.5] 2017-10-16

• Upgrade vendored dependencies.
• Improve IP address detection.
• Fix encoding issues in JS callbacks.

[1.5.4] 2017-10-11

• Performance improvements.
• Update documentation URLs.
• Improve IP address detection.
• Fixed behavior on invalid or unknown IP addresses.
• Fixed behavior when receiving bytes instead of strings in DB-API 2.0 methods.

[1.5.3] 2017-09-26

• Upgrade vendored dependencies.
• Performance improvements.

[1.5.2] 2017-09-15

• Unusual clash between vendored and app libraries.
• Performance improvements.

[1.5.1] 2017-08-29

• Performance regression.

[1.5.0] 2017-08-28

• Add support for IP passlist and denylist.
• Add support for Pyramid 1.8 and 1.9.
• Corner-case bug on non-blocking rules.
• Smaller memory footprint.

[1.4.0] 2017-08-17

• Improve login mechanism with smaller payloads.

[1.3.2] 2017-06-28

• Add support for reverse proxy in the configuration file
• Fix PostgreSQL support when using Django 1.11 and Python 3

[1.3.1] 2017-05-09

• Correctly handle HTTP requests with some empty field

[1.3.0] 2017-04-24

• Add compatibility for Django 1.11
• Add the attack page

[1.2.1] 2017-04-12

• Improve the data collected with the automatic user context when using Django.
• Fix a possible regression in startup time when using gunicorn with a gevent worker.

[1.2.0] 2017-04-05

• Improve the quality of data we get for HTTP code.

[1.1.0] 2017-03-23

• The agent detect when the Flask or Django application is in debug mode and skip the cleanup in order to fasten the exit.
• The agent now correctly detect when the application is launched in a interactive interpreter environment with manage.py shell and doesn't launch.
• Reduce startup overhead.
• Improve compatibility with Newrelic.

[1.0.3] 2017-03-10

• Add official support for Django 1.6 and Django 1.7.
• Ensure the agent use a compatible version of urllib3 in all cases.

[1.0.2] 2017-01-16

• Prepare the agent for a future user related feature.

[1.0.1] 2017-01-09

• Fix a last minute regression on a monitoring feature.

[1.0.0] 2017-01-06

• Add support for Pyramid framework versions 1.6 and 1.7.
• Add support for Python 3.6.
• Display a message when the agent starts if it detect a not-supported framework version or Python version.
• Improve performances on Django when the response is 404.
• Reduce startup time.

[0.9.3] 2016-11-30

• Add support for XSS protection with Jinja2.
• Remove agent logging from Python raven breadcrumbs integration.
• Greatly improve memory consumption of the agent.

[0.9.2] 2016-11-16

• The client IP is now more accurate when proxies are present in the network architecture.
• Greatly improve performance when checking SQL queries for SQL injections.
• Fix a bug with DjangoRestFramework 3.3.X that could lead to empty POST parameters.

[0.9.1] 2016-10-28

• Update version of the shipped Urllib3 dependency.

[0.9.0] 2016-10-26

• Add a new layer of security to the Python agent.
• Small performances improvements.
• Fix a regression with Flask integration about handling X-Forwarded-For header.

[0.8.13] 2016-10-10

• Add support for the basic authentication SDK, see our documentation for more information how to enable it.

[0.8.12] 2016-10-07

• Add support for paths passlist.
• Improve detection of situations where the Python agent shouldn't starts.

[0.8.11] 2016-10-06

• Bump the minimum version of PyMiniRacer to be sure to use the latest most performant one.

[0.8.10] 2016-10-03

• Make the Python agent more network friendly.

[0.8.9] 2016-09-26

• Fix an edge-case that could sends twice the query parameters.

[0.8.8] 2016-09-21

• Improve general performance of the Python agent.
• Fix edge-case that could lead the agent to returns an incorrect client IP.

[0.8.7] 2016-09-12

• Fix issue with some Django authentication backends that prevents account activity monitoring.

[0.8.6] 2016-09-09

• Fix a bug when the configuration file is invalid, now the Sqreen agent displays a clean message explaining that it cannot start.

[0.8.5] 2016-09-08

• Add a better integration with Flask, the data showed on the dashboard should be more precise and consistent with the data Flask parses and exposes.
• Fix a bug with Python3 and headers insertion.
• Fix a bug where the XSS protection protect even in learning mode.
• Fix a bug with the XSS protection that could send log messages to the application.
• Fix a double instrumentation bug that could happen with some WSGI servers.

[0.8.4] 2016-08-16

• Fix a bug caused by the interaction between SQL protection and psycopg2 register_type.

[0.8.3] 2016-08-12

• Add better support for Django framework, the requests should be more precise and match information you could find in your logs.

[0.8.2] 2016-08-11

• Fix the bug that consume file upload, making the file unavailable for the application.

[0.8.1] 2016-08-11

• Fix a bug that makes the Sqreen agent to block during starting.

[0.8.0] 2016-08-10

• Add support for dynamic rules.

[0.7.2] 2016-07-29

• Update the Python agent to compute the client-ip using the X-FORWARDED-FOR header if present, you should now see the real client ip.

[0.7.1] 2016-07-28

• Fix a bug that could send a 500 when the URL didn't match any route instead of a 404.
• Fix a bug that blocked security bots even in learning mode.

[0.7.0] 2016-07-22

• Update Django account activity monitoring to be more generic and not depends on the Django authentication backend configured.

[0.6.0] 2016-07-20

• Improve the performance of the Sqreen agent when no attacks is detected.

[0.5.0] 2016-06-30

• The Python agent now correctly detects the pyramid framework, but it's not supported yet.
• Improve HTTP performance when interacting with the backend.

[0.4.0] 2016-06-23

• Add support for account activity monitoring.
• Add support for crawlers monitoring.

[0.3.0] 2016-06-16

First version!