Python microagent release notes

[1.27.4] 2021-10-04

  • Limit idle connections to a single per outdoing domain.

[1.27.3] 2021-10-04

  • Fix a deprecated method in Python 3.9.

[1.27.2] 2021-07-21

  • Retain Datadog traces bound to Sqreen events.

[1.27.1] 2021-05-12

  • Fix coroutine instrumentation on Python 3.8 and newer.

[1.27.0] 2021-04-06

  • Falcon framework support.
  • ddtrace integration.
  • Fix static rules loading several times.

[1.26.2] 2021-03-11

  • Fix In-App WAF testing rules running more than once.

[1.26.1] 2021-03-11

  • Raise the amount of time the agent waits for instrumentation to 10s.
  • Update log messages.
  • Fix an aiohttp issue with the In-App WAF.

[1.26.0] 2021-02-23

  • Instrument some frameworks earlier in the startup process.
  • Report framework endpoints in HTTP traces.
  • Fix the WSGI middleware that was preventing headers mutation.
  • Fix a float convertion issue on Python 2.
  • Fix a unicode issue on Python 2.

[1.25.2] 2020-12-09

  • Fix a Python 2 import regression.
  • Set the HTML Content-Type for Sqreen error pages.

[1.25.1] 2020-11-18

  • Suppress warning on Sentry SDK configuration.

[1.25.0] 2020-11-09

  • Support for Django in ASGI mode.
  • Silent Sqreen logging records in Sentry SDK.
  • Overall instrumentation improvements.

[1.24.0] 2020-10-15

  • New In-App WAF filtering primitives.
  • Support for Python 3.9.
  • Support for the collect_body option in track SDK calls.
  • Fix for applications mutating the HTTP request parameters.

[1.23.0] 2020-08-17

  • Introduced tracing for AMQP and Kafka.
  • Use the dyno name as agent hostname on Heroku.
  • Improved psycopg2 instrumentation.
  • Deprecate PROXY_URL and recommend HTTP_PROXY configuration variable.
  • Support case sensitiveness in PII key sanitization.

[1.22.0] 2020-08-04

  • Introduced tracing for databases and message brokers.

[1.21.3] 2020-07-22

  • Fix support for Flask's request.stream.

[1.21.2] 2020-07-17

  • Fix an HTTP client tracing compatibility issue on Python 3.5.

[1.21.1] 2020-07-09

  • Fix a regression with SQLalchemy due to a DBApi2 deviation.

[1.21.0] 2020-07-07

  • New blocking page design.
  • Introduced tracing for HTTP services.
  • Detect backend connectivity and use the sqreen.com domain when possible.
  • yes, y, true and 1 are now the only valid booleans in the configuration.
  • Fix possible wrong unicode decoding in Python 2.7.
  • Several performance improvements.

[1.20.3] 2020-07-03

  • Fix a performance issue in the request tracing.
  • Fix permissions of the log file.
  • Upgrade PyMiniRacer to 0.3.0.

[1.20.2] 2020-06-11

  • Improve the performance for pages using intensively the protections.

[1.20.1] 2020-06-10

  • Add support for latest versions of aiohttp (from 3.2 to 3.6).

[1.20.0] 2020-05-25

  • Beta XXE protection.
  • Improve user monitoring SDK call performance.
  • Fix a race condition in the security response store.

[1.19.0] 2020-03-26

  • Introduce static typing analysis support.
  • Improved frameworks integration.
  • Improved PII scrubbing (partial match support).
  • Introduce the STRIP_HTTP_REFERER configuration option.
  • Optimized instrumentation using the native wrapt extension.
  • Better integration with NewRelic.
  • Fix reconnection when the backend invalidates the session.

[1.18.2] 2020-03-06

  • Rollback changes expected for a future release.

[1.18.1] 2020-03-05

  • Improved support for Flask-API.
  • Improved PII scrubbing.

[1.18.0] 2020-02-03

  • Add support for the Pylons framework.
  • Fix an issue preventing the Sqreen error page to appear on Django 404 pages.
  • Introduce a new WSGI instrumentation strategy.
  • Improve arguments passing for instrumented functions.
  • Make use of the vendorized wrapt module for instrumentation.
  • Bump vendorized ipaddress module to fix a SyntaxWarning.
  • Add support for JS garbage collection from the PyMiniRacer module.

[1.17.1] 2019-12-26

  • Avoid sending an unexpected field in user monitoring

[1.17.0] 2019-12-16

  • Introduce a performance budget.
  • Better startup error reporting.
  • Multiple In-App WAF reliability and performance improvements.
  • Fix an inconsistency in Security Responses enforcement.
  • Support for Python 3.8.

[1.16.1] 2019-10-10

  • Improve the In-App WAF error reporting.
  • Better support for unicode in HTTP request headers.

[1.16.0] 2019-09-24

  • Introduce support for the In-App WAF.

[1.15.3] 2019-09-06

  • Improve rule signature verification.

[1.15.2] 2019-08-27

  • Introduce Performance Monitoring.
  • Fix an issue impacting the import of modules.
  • Improve the reliability of some protections.

[1.15.1] 2019-06-24

  • Improve HTTP request headers decoding.
  • Fix an issue preventing backtraces from being reported with security events.
  • Fix an issue that could lead to unexpected events being reported when an IP is blocked.

[1.15.0] 2019-06-06

  • Add support for user redirection security response.
  • Provide more information about HTTP response in events.
  • Improve performance for some protection mecanisms.
  • Fix an issue with Django authentication events.
  • Fix an issue that might prevent the agent from starting in forking servers.

[1.14.6] 2019-05-06

  • Reduce the maximum startup time of the agent

[1.14.5] 2019-03-26

  • Fix a regression from 1.14.4 where starting the agent without a token would take longer

[1.14.4] 2019-03-20

  • Improve the agent behaviour when the backend is experiencing difficulties
  • Make the PII scrubbing configurable through environment variables
  • Fix an issue that could result in some blocked IP not working as expected
  • Fix an issue that might cause exceptions within the agent, causing performance issues

[1.14.3] 2019-02-25

  • Fix a parsing issue on some Azure headers

[1.14.2] 2019-01-23

  • Send out more data when blocking a user agent

[1.14.1] 2019-01-23

  • Provide more data about some blocking events

[1.14.0] 2018-12-20

  • Fix memory leaks
  • Reduce memory usage

[1.13.5] 2018-12-06

  • Improve the performance of blocking/redirecting IPs

[1.13.4] 2018-10-23

  • Fix enconding issues with Python2

[1.13.3] 2018-07-10

  • Strip sensitive data before sending them to the BackEnd

[1.13.2] 2018-07-03

  • Fix the IP denylist for request without IP

[1.13.1] 2018-06-15

  • Arguments passed to SDK track function are no longer modified in-place.
  • Update vendored libraries.

[1.13.0] 2018-06-11

  • Add support for block user security response.
  • Update security responses format.

[1.12.8] 2018-05-30

  • Improve agent behavior when receiving invalid security plugin signatures.

[1.12.7] 2018-05-28

  • Fix a potential deadlock at startup with Django on Python 2.
  • Do not escape Django messages to protect against XSS.
  • Update vendored dependencies.

[1.12.6] 2018-05-24

  • Update security plugin signature validation algorithm.
  • Improve agent behavior when receiving invalid security plugin signatures.

[1.12.5] 2018-05-22

  • Add support for Python 3.7.
  • Update security responses format.

[1.12.4] 2018-05-21

  • Fix IP redirection security response behavior.
  • Fix security responses compatibility with Django 2.0.

[1.12.3] 2018-05-17

  • Improve management of HTTP timeouts when Sqreen backend is not reachable.
  • Do not run the agent within Pyramid shell.
  • Update security responses format.

[1.12.2] 2018-05-15

  • Fix communication recovery when Sqreen backend is not reachable for a while (e.g. network outage).
  • Fix security responses parsing.

[1.12.1] 2018-05-04

  • Improve security responses behavior during actions reload.

[1.12] 2018-05-03

  • Add compatibility for Flask 1.x.
  • Improve security responses behavior.

[1.11.3] 2018-04-24

  • Log and filter out invalid options key in SDK track events.
  • Add request information to SDK track events.
  • Update vendored libraries.

[1.11.2] 2018-04-23

  • Fix metrics aggregation on SDK track events.

[1.11.1] 2018-04-20

  • Fix HTTP code metrics on aiohttp.

[1.11.0] 2018-04-19

  • Add support for SDK track function.

[1.10.0] 2018-04-12

  • Add support for custom IP headers.
  • Update vendored libraries.

[1.9.0] 2018-04-03

  • Add support for aiohttp 3.0 and 3.1.

[1.8.7] 2018-03-22

  • Fix user-agent matching.
  • Fix a memory leak in JS rules execution.

[1.8.6] 2018-02-28

  • Fix disabled instrumentation with New Relic on Heroku.

[1.8.5] 2018-02-06

  • Fix HTTP code metrics on blocked attacks.

[1.8.4] 2018-02-01

  • Process preloaded Django messages.

[1.8.3] 2018-01-29

  • Don't consume Django messages when analyzing them.
  • Avoid crashing on non-string Django messages.

[1.8.2] 2018-01-26

  • Protect against malicious cookies payloads.

[1.8.1] 2018-01-17

  • Fix behavior of request recording.

[1.8.0] 2018-01-11

  • Add support for Django 2.0.
  • Add new SDK method identify.
  • Update vendored libraries.

[1.7.2] 2017-12-21

  • Don't trigger DATA_UPLOAD_MAX_MEMORY_SIZE with Django Rest Framework.

[1.7.1] 2017-12-13

  • Support for aiohttp 2.2.
  • Improve IP address detection.

[1.7.0] 2017-12-04

  • Beta support for aiohttp.

[1.6.0] 2017-11-23

  • Smaller communication payloads.
  • Updated error page.
  • Updated user agent.

[1.5.8] 2017-10-27

  • Fix passlist behavior on Gunicorn socket mode.
  • Fix authentication behavior when no request was recorded.

[1.5.7] 2017-10-23

  • Improve performances on long parameters.
  • Fix behavior on missing hookpoints.

[1.5.6] 2017-10-18

  • Don't crash when exiting uWSGI 2.0.15.

[1.5.5] 2017-10-16

  • Upgrade vendored dependencies.
  • Improve IP address detection.
  • Fix encoding issues in JS callbacks.

[1.5.4] 2017-10-11

  • Performance improvements.
  • Update documentation URLs.
  • Improve IP address detection.
  • Fixed behavior on invalid or unknown IP addresses.
  • Fixed behavior when receiving bytes instead of strings in DB-API 2.0 methods.

[1.5.3] 2017-09-26

  • Upgrade vendored dependencies.
  • Performance improvements.

[1.5.2] 2017-09-15

  • Unusual clash between vendored and app libraries.
  • Performance improvements.

[1.5.1] 2017-08-29

  • Performance regression.

[1.5.0] 2017-08-28

  • Add support for IP passlist and denylist.
  • Add support for Pyramid 1.8 and 1.9.
  • Corner-case bug on non-blocking rules.
  • Smaller memory footprint.

[1.4.0] 2017-08-17

  • Improve login mechanism with smaller payloads.

[1.3.2] 2017-06-28

  • Add support for reverse proxy in the configuration file
  • Fix PostgreSQL support when using Django 1.11 and Python 3

[1.3.1] 2017-05-09

  • Correctly handle HTTP requests with some empty field

[1.3.0] 2017-04-24

  • Add compatibility for Django 1.11
  • Add the attack page

[1.2.1] 2017-04-12

  • Improve the data collected with the automatic user context when using Django.
  • Fix a possible regression in startup time when using gunicorn with a gevent worker.

[1.2.0] 2017-04-05

  • Improve the quality of data we get for HTTP code.

[1.1.0] 2017-03-23

  • The agent detect when the Flask or Django application is in debug mode and skip the cleanup in order to fasten the exit.
  • The agent now correctly detect when the application is launched in a interactive interpreter environment with manage.py shell and doesn't launch.
  • Reduce startup overhead.
  • Improve compatibility with Newrelic.

[1.0.3] 2017-03-10

  • Add official support for Django 1.6 and Django 1.7.
  • Ensure the agent use a compatible version of urllib3 in all cases.

[1.0.2] 2017-01-16

  • Prepare the agent for a future user related feature.

[1.0.1] 2017-01-09

  • Fix a last minute regression on a monitoring feature.

[1.0.0] 2017-01-06

  • Add support for Pyramid framework versions 1.6 and 1.7.
  • Add support for Python 3.6.
  • Display a message when the agent starts if it detect a not-supported framework version or Python version.
  • Improve performances on Django when the response is 404.
  • Reduce startup time.

[0.9.3] 2016-11-30

  • Add support for XSS protection with Jinja2.
  • Remove agent logging from Python raven breadcrumbs integration.
  • Greatly improve memory consumption of the agent.

[0.9.2] 2016-11-16

  • The client IP is now more accurate when proxies are present in the network architecture.
  • Greatly improve performance when checking SQL queries for SQL injections.
  • Fix a bug with DjangoRestFramework 3.3.X that could lead to empty POST parameters.

[0.9.1] 2016-10-28

  • Update version of the shipped Urllib3 dependency.

[0.9.0] 2016-10-26

  • Add a new layer of security to the Python agent.
  • Small performances improvements.
  • Fix a regression with Flask integration about handling X-Forwarded-For header.

[0.8.13] 2016-10-10

  • Add support for the basic authentication SDK, see our documentation for more information how to enable it.

[0.8.12] 2016-10-07

  • Add support for paths passlist.
  • Improve detection of situations where the Python agent shouldn't starts.

[0.8.11] 2016-10-06

  • Bump the minimum version of PyMiniRacer to be sure to use the latest most performant one.

[0.8.10] 2016-10-03

  • Make the Python agent more network friendly.

[0.8.9] 2016-09-26

  • Fix an edge-case that could sends twice the query parameters.

[0.8.8] 2016-09-21

  • Improve general performance of the Python agent.
  • Fix edge-case that could lead the agent to returns an incorrect client IP.

[0.8.7] 2016-09-12

  • Fix issue with some Django authentication backends that prevents account activity monitoring.

[0.8.6] 2016-09-09

  • Fix a bug when the configuration file is invalid, now the Sqreen agent displays a clean message explaining that it cannot start.

[0.8.5] 2016-09-08

  • Add a better integration with Flask, the data showed on the dashboard should be more precise and consistent with the data Flask parses and exposes.
  • Fix a bug with Python3 and headers insertion.
  • Fix a bug where the XSS protection protect even in learning mode.
  • Fix a bug with the XSS protection that could send log messages to the application.
  • Fix a double instrumentation bug that could happen with some WSGI servers.

[0.8.4] 2016-08-16

  • Fix a bug caused by the interaction between SQL protection and psycopg2 register_type.

[0.8.3] 2016-08-12

  • Add better support for Django framework, the requests should be more precise and match information you could find in your logs.

[0.8.2] 2016-08-11

  • Fix the bug that consume file upload, making the file unavailable for the application.

[0.8.1] 2016-08-11

  • Fix a bug that makes the Sqreen agent to block during starting.

[0.8.0] 2016-08-10

  • Add support for dynamic rules.

[0.7.2] 2016-07-29

  • Update the Python agent to compute the client-ip using the X-FORWARDED-FOR header if present, you should now see the real client ip.

[0.7.1] 2016-07-28

  • Fix a bug that could send a 500 when the URL didn't match any route instead of a 404.
  • Fix a bug that blocked security bots even in learning mode.

[0.7.0] 2016-07-22

  • Update Django account activity monitoring to be more generic and not depends on the Django authentication backend configured.

[0.6.0] 2016-07-20

  • Improve the performance of the Sqreen agent when no attacks is detected.

[0.5.0] 2016-06-30

  • The Python agent now correctly detects the pyramid framework, but it's not supported yet.
  • Improve HTTP performance when interacting with the backend.

[0.4.0] 2016-06-23

  • Add support for account activity monitoring.
  • Add support for crawlers monitoring.

[0.3.0] 2016-06-16

First version!