Ruby microagent release notes


[1.24.1] 2021-07-16

  • Add Datadog trace keeping through sampling
  • Improve Datadog correlation compatibility with Sinatra
  • Improve attack event correlation with Datadog spans
  • Tag attack correlated span with sqreen.event: true

[1.24.0] 2021-04-30

  • Add Sqreen event correlation with Datadog traces

[1.23.2] 2021-04-29

  • Fix compatibility with NewRelic for attack events
  • Fix incorrect rule rejection despite all signature checks individually passing

[1.23.1] 2021-02-24

  • Improve compatibility with some gems (such as puma 5.x or graphql) on Ruby 3.0
  • Drop support for Ruby 1.9.3

[1.23.0] 2021-01-15

  • Add support for GraphQL

[1.22.1] 2020-12-16

  • Fix excessive exception reporting, reducing CPU and network load
  • Fix sensitive information attachment on pure tracing payloads
  • Redact more sensitive fields by default
  • Ensure preliminary compatibility with Ruby 3.0 previews
  • Allow update to Sqreen MiniRacer 0.3.1

Note: this is the last version supporting Ruby 1.9.3

[1.22.0] 2020-11-02

  • Update WAF via libsqreen
  • Add support for raw body
  • Improve signature check
  • Improve APM detection

[1.21.1] 2020-10-07

[1.21.0] 2020-09-16

  • Add support for transport and tracing facilities

[1.20.4] 2020-09-16

  • Fix missing budget check
  • Improve performance
  • Align internal setting name for WAF
  • Include response information in all payloads
  • Improve robustness against invalid Unicode
  • Prevent rule execution from continuing in early block cases

[1.20.4.beta1] 2020-08-14

  • Add optional dynamic time budget prototype
  • Add advanced per request metrics
  • Improve robustness against exception in instrumentation
  • Improve metric engine thread safety
  • Restrict deferred logger to final logger severity on agent boot

[1.20.3] 2020-07-30

  • Fix protection rule signature check

[1.20.2] 2020-07-23

  • Fix performance regression in instrumentation engine

[1.20.1] 2020-06-24

  • Add fallback mechanisms when connecting to new Sqreen backend API domains

[1.20.0] 2020-06-18

  • Enable new instrumentation engine by default
  • Add signal-based backend communication

[1.19.4] 2020-07-30

  • Fix protection rule signature check

[1.19.3] 2020-06-06

  • Improve WAF PII protection

[1.19.2] 2020-06-03

  • Handle unexpected rule callback return values more gracefully
  • Fix incorrect return value for 404 native callback

[1.19.1] 2020-06-01

  • Fix LocalJumpError with nested Rack apps

[1.19.0] 2020-05-29

  • Upgrade WAF features via libsqreen 0.6.1
  • Improve time defensiveness in WAF
  • Improve compatibility with APM agents via a new optional instrumentation engine
  • Fix action reloading not being entirely cleared on reload
  • Improve handling of hash symbol keys in some security rules
  • Fix constant resolution scope on agent boot

[1.18.6] 2020-02-12

  • Fix issue when time budget is disabled

[1.18.5] 2020-02-11

  • Fix type mismatch error in WAF

[1.18.4] 2020-02-10

  • Fix instrumentation conflict when a class defines a send method
  • Fix compatibility with Sorbet type checker
  • Improve WAF time budget handling

[1.18.3] 2019-12-19

  • Improve PII protection
  • Improve performance on sizeable request payloads
  • Improve handling of Rails without a database
  • Improve compatibility with Rack and Sinatra middlewares
  • Support JSON payloads with rack-contrib PostBodyContentParser
  • Add libsqreen toggle to configuration
  • Prepare for Ruby 2.7 support
  • Include license file in gem

[1.18.2] 2019-11-12

  • Improve internal WAF error reporting
  • Update license information
  • Improve runtime performance when handling HTTP 404s

[1.18.1] 2019-10-25

  • Improve handling of scoped IPv6 addresses
  • Remove spurious warning on Rails 6
  • Add missing WAF constant check

[1.18.0] 2019-10-15

  • Support for In-App WAF

[1.17.2] 2019-08-30

  • Support Rails 6.0 (single database mode)
  • Improve output of logging
  • Fix user signup tracking issue
  • Improve performance of user tracking
  • Improve reliability of user tracking against performance budget
  • Support Sinatra 2.0
  • Improve Sqreen thread boot when using Unicorn, Rainbows, Puma, Passenger, Thin or WEBrick
  • Improve overall performance budget consistency
  • Improve JavaScript rule processing of preconditions
  • Remove extraneous log output on CLI tool execution

[1.17.0] 2019-03-23

  • Include HTTP response code, Content-Type and Content-Length in relevant Sqreen events
  • Enhance reliability in case of unavailability of the backend
  • Handle communication exceptions more gracefully
  • Improve handling and sanitization of non-UTF8 encodings
  • Avoid concurrent hash modification during iteration
  • Improve feedback accuracy in logs

[1.16.2] 2019-02-14

  • Improve handling of maximum request execution time setting
  • Improve log clarity when using a forking server
  • Fix case sensitive configuration keys handling
  • Improve reliability of concurrent access to a hash
  • Support Ruby 2.6

[1.16.1] 2019-01-18

  • Fix bugs in low memory JavaScript paths

[1.16.0] 2019-01-18

  • Implement redirect_user action
  • Improve performance of JavaScript rules
  • Support Organization Token

[1.15.8] 2019-01-07

  • Improve JavaScript engine memory usage

[1.15.7] 2018-11-28

  • Improve performance of IP denylisting

[1.15.7.beta1] 2018-11-22

  • Improve serialization of arguments to rule engine (MRI Ruby only)

[1.15.6] 2018-11-21

  • Avoid errors on Sqreen SDK method call when Sqreen is not yet configured

[1.15.5] 2018-11-15

  • Reduce overhead of performance monitoring

[1.15.4] 2018-11-14

  • Fix JS functions sometimes interfering with each other

[1.15.3] 2018-11-08

  • Allow user customization of sensitive data purging
  • Ignore redundant rules_reload commands
  • Eliminate reentering protection in request start/end hooks
  • Add logging statements

[1.15.2] 2018-10-31

  • Fix exception when evaluating actions without the server having sent the actions_reload command
  • Fix reporting of such an exception

[1.15.1] 2018-10-29

  • Improve performance of large number of IP blocks
  • Change the order in which actions, passlisting and denylisting are evaluated
  • Improve serialization of arguments to JS functions (MRI only)

[1.15.0] 2018-10-24

  • Improve memory usage
  • Fix uninitialized @@issue_nojs_warn
  • Fix FloatDomainError when binning value is 0

[1.14.2] 2018-10-02

  • Fix error when an instrumented method is called between requests while measuring agent performance
  • Fix encoding error when passing arguments to mini_racer
  • Work around bug causing Ruby 2.5.0 and 2.5.1 to segfault
  • Fix JavaScript usage in JRuby (Rhino contexts cannot cross threads)
  • Increase minimum version of sq_mini_racer to 0.2.2.sqreen1

[1.14.1] 2018-09-21

  • Improve agent performance monitoring collection

[1.14.0] 2018-09-12

  • Improve log messages for block and redirect (and log block at warning level)
  • Avoid v8 instances being created in master processes (before forking)

[1.14.0.beta3] 2018-09-06

  • Remove dependency on therubyracer
  • Upgrade sq_mini_racer
  • Set mini_racer flag noconcurrent_recompilation

[1.14.0.beta2] 2018-08-20

  • Fix sq_mini_racer not being declared as a runtime dependency

[1.14.0.beta1] 2018-08-20

  • Fix exception in XSS callback for HAML 4 script lines
  • Introduce sq_mini_racer (fork of mini_racer)

[1.13.4] 2018-08-16

  • Fix literals in HAML 4 being improperly escaped
  • Fix exception in XSS callback when some input is not UTF-8 encoded

[1.13.3] 2018-08-13

  • Redact sensitive data before sending it to Sqreen's servers
  • Specify a minimum version of therubyracer
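
The redaction step that 1.13.3 introduces and that 1.15.3 (user customization) and 1.22.1 (more fields by default) extend is illustrated below. This is an added example, not the Sqreen agent's own code: request data is scrubbed by key name and by value pattern, recursing through nested hashes and arrays (symbol keys included), before it would be serialized for transport. The key list, the card-number regex and the mask text are assumptions made for this example, not the agent's actual defaults; the keys: argument is where an operator would add their own fields.

```ruby
# Added example, not the Sqreen agent's code. Key list, regex and mask text
# are assumptions for illustration only.
module Redactor
  MASK = "<Redacted>".freeze

  # Keys (compared case-insensitively, symbols included) whose whole value is dropped.
  DEFAULT_KEYS = %w[
    password passwd secret token api_key access_token authorization
    cookie card_number cvv
  ].freeze

  # Values that look like a payment card number: 13-19 digits, optionally
  # separated by spaces or dashes, are masked wherever they appear.
  CARD_LIKE = /\A(?:\d[ -]*?){13,19}\z/

  def self.sensitive_key?(key, keys)
    keys.include?(key.to_s.downcase)
  end

  # Returns a redacted deep copy; the input is left untouched so the
  # application still sees its own parameters.
  def self.redact(value, keys: DEFAULT_KEYS, value_regex: CARD_LIKE)
    case value
    when Hash
      value.each_with_object({}) do |(k, v), out|
        out[k] = sensitive_key?(k, keys) ? MASK : redact(v, keys: keys, value_regex: value_regex)
      end
    when Array
      value.map { |v| redact(v, keys: keys, value_regex: value_regex) }
    when String
      value_regex && value.match?(value_regex) ? MASK : value
    else
      value # numbers, booleans, nil, uploaded files: nothing to redact here
    end
  end
end
```

A matching key masks the entire subtree beneath it, so a `credentials` object is dropped whole rather than field by field; the value regex catches card-like strings that arrive under an innocuous key such as `note`.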

[1.13.2] 2018-07-23

  • Explicitly ignore uncaught Sqreen::AttackBlocked exceptions on Sentry and NewRelic

[1.13.1] 2018-07-18

  • Force mini_racer gem dependency version to 0.1.x

[1.13.0] 2018-07-04

  • Implement the block_user security response
  • Add ip_header configuration option
  • Prevent double instrumentation of instance methods
  • Support performance metrics

[1.12.0] 2018-05-31

  • Add support for security responses

[1.11.3] 2018-03-26

  • Improve workaround for uncommon potential segfault happening in Ruby 2.5.0

[1.11.2] 2018-03-21

  • Work around uncommon potential segfault happening in Ruby 2.5.0

[1.11.1] 2018-03-20

  • Improve performance of agent in the request cycle

[1.11.0] 2018-03-07

  • Add a settings-controlled limit on protection runtime
  • Improve performance of XSS related protections
  • Change NewRelic performance reports to use custom attributes instead of custom metrics
  • Add a way to display overhead per request in logs
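
The per-request protection time budget that 1.11.0 introduces and later entries refine (1.18.4 budget handling, 1.18.6 disabled budget, 1.20.4 missing check and early block) works as shown below. This is an added example, not the agent's implementation: rules run in order against a monotonic clock, remaining rules are skipped once the budget is spent, a blocking verdict stops the chain immediately, a rule that raises yields no verdict instead of failing the request, and a nil budget disables the check rather than being compared. The rule shape (name plus a callable returning :block or :pass), the injectable clock and the log line format are assumptions for the example.

```ruby
# Added example, not the Sqreen agent's code. Rule shape, clock injection and
# the log line are assumptions for illustration.
module ProtectionBudget
  Result = Struct.new(:ran, :skipped, :blocked_by, :elapsed_ms) do
    # One-line overhead summary of the kind an operator wants per request.
    def log_line
      verdict = blocked_by ? "blocked by #{blocked_by}" : "passed"
      "protection overhead #{elapsed_ms}ms, ran #{ran.size}, skipped #{skipped.size}, #{verdict}"
    end
  end

  MONOTONIC_MS = -> { Process.clock_gettime(Process::CLOCK_MONOTONIC, :millisecond) }

  # rules:     array of [name, callable]; each callable returns :block or :pass
  # budget_ms: per-request ceiling in milliseconds; nil disables the budget
  # clock:     callable returning milliseconds; injectable so tests are deterministic
  def self.run(rules, budget_ms:, clock: MONOTONIC_MS)
    start = clock.call
    ran, skipped, blocked_by = [], [], nil

    rules.each_with_index do |(name, callable), index|
      # The budget is checked before every rule, not only before the first one.
      if budget_ms && (clock.call - start) >= budget_ms
        skipped << name
        next
      end

      ran << name
      verdict = begin
        callable.call
      rescue StandardError
        :pass # an erroring rule never fails the request; it simply yields no verdict
      end
      next unless verdict == :block

      # Early block: nothing after this rule may execute.
      blocked_by = name
      skipped.concat(rules.drop(index + 1).map(&:first))
      break
    end

    Result.new(ran, skipped, blocked_by, clock.call - start)
  end
end
```

Note that the budget is a ceiling on starting new rules, not a preemption: a single slow rule can still overrun it, which is why the elapsed time is reported rather than assumed.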

[1.10.5] 2018-02-22

  • Fix compatibility issue with delayed_job workers
  • Fix infrequent logging error
  • Improve speed of WAF-like rule

[1.10.4] 2018-02-20

  • Fix instrumentation when Sqreen is used with Skylight
  • Improve security plugins signature handling when Oj is present

[1.10.3] 2018-02-15

  • Further improvements to the sqreen-alt memory profile

[1.10.2] 2018-02-15

  • Improve memory profile of sqreen-alt

[1.10.1] 2018-02-14

  • Fix memory leak that can occur when reloading protection in sqreen-alt

[1.10.0] 2018-02-14

  • Publish sqreen-alt gem that uses mini_racer as rule engine
  • Change local rule storage

[1.9.2] 2018-02-06

  • Look for XSS in raw ERB templates (<%== %>)
  • Fix data report format when retrying delivery

[1.9.1] 2018-01-22

  • Fix observing the first request of an app server on Sinatra

[1.9.0] 2018-01-22

  • Add identify method to SDK to tag a user on a request
  • Group attacks and metrics observed per requests
  • Update attack blocked page template
  • Tune IP detection
  • Fix corner case that would occur when the request had very deep hash of parameters

[1.8.5] 2017-10-18

  • Fix an issue when trying to compile slim templates containing modifier if (e.g. == expr if something)

[1.8.4] 2017-10-17

  • Better support for old versions of JSON libraries

[1.8.3] 2017-10-04

  • Improve resilience on badly shaped request environment

[1.8.2] 2017-09-25

  • Improve performance of SQL injection detection
  • Improve IP address detection on private networks

[1.8.1] 2017-08-09

  • Ensure that rules are correctly reapplied after a process fork

[1.8.0] 2017-08-07

  • Smaller login payloads
  • Make the disable setting accept more values as true
  • Add version of Sqreen gem in User-Agent

[1.7.2] 2017-07-18

  • Improve speed of early attack detection
  • Correctly disable early attack detection when a request is added to the passlist

[1.7.1] 2017-07-10

  • Fix some security rules getting lost when applying passlist rules

[1.7.0] 2017-06-30

  • Completely redesigned passlist/denylist support
  • Better support for badly encoded strings in parameters

[1.6.5] 2017-06-09

  • Only escape maliciously injected reflected values
  • Better File parameters handling

[1.6.4] 2017-05-29

  • Accept more kinds of values in Haml protection

[1.6.3] 2017-05-22

  • Improve Haml5 support

[1.6.2] 2017-05-16

  • Display the custom error page when an attack is cached in the templates

[1.6.1] 2017-05-15

  • Ensure all protections use the selected protection mode behavior

[1.6.0] 2017-05-12

  • More early attack detection rules
  • Refactor dynamic rules execution

[1.5.0] 2017-04-18

  • Use ERB inside sqreen.yml config file
  • Disable Sqreen through config file

[1.4.3] 2017-04-07

  • More support for HAML & Slim templating engines
  • Capture slightly more detailed traffic metrics

[1.4.2] 2017-03-28

  • Fix parameter inclusion check that was too broad

[1.4.0] 2017-03-27

  • Initial support for HAML templating engine (reflected XSS)
  • Initial support for adding a request path to the passlist
  • Change patch numbering system
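
The reflected-XSS check that the HAML, Slim and ERB entries describe (1.4.0 initial support, 1.6.5 escaping only maliciously injected reflected values, 1.13.4 non-UTF-8 input) is illustrated below. This is an added example, not the agent's code: a value about to be written into a template is escaped only when it contains a request parameter that carries markup characters, so HTML the template itself produced is left alone, and both sides are coerced to valid UTF-8 first so badly encoded input cannot raise. The minimum reflected length, the dangerous-character set and the guard signature are assumptions made for the example.

```ruby
require "cgi"

# Added example, not the Sqreen agent's code. Thresholds and the character set
# are assumptions for illustration.
module ReflectedXss
  # Characters that let a reflected string break out of a text context.
  DANGEROUS = /[<>"'&]/
  # Ignore very short parameters ("1", "ab") that would match almost any output.
  MIN_LENGTH = 3

  # Force a valid UTF-8 string: non-UTF-8 bytes and invalid sequences become "?"
  # rather than raising Encoding::CompatibilityError inside include?/gsub.
  def self.utf8(str)
    str.to_s.encode("UTF-8", invalid: :replace, undef: :replace, replace: "?").scrub("?")
  end

  # Collect the string leaves of nested Rack params; uploads and other
  # non-string values are skipped.
  def self.leaves(value, out = [])
    case value
    when Hash   then value.each_value { |v| leaves(v, out) }
    when Array  then value.each { |v| leaves(v, out) }
    when String then out << utf8(value)
    end
    out
  end

  # Returns [output, reflected_parameter_or_nil]. Output is escaped only where a
  # markup-bearing request parameter was reflected verbatim into it.
  def self.guard(rendered, params)
    rendered = utf8(rendered)
    injected = leaves(params).find do |p|
      p.length >= MIN_LENGTH && p.match?(DANGEROUS) && rendered.include?(p)
    end
    return [rendered, nil] unless injected

    # Block form of gsub so backslashes in the escaped text are not
    # interpreted as back-references.
    [rendered.gsub(injected) { CGI.escapeHTML(injected) }, injected]
  end
end
```

The trade-off is the same one the changelog records: escaping every output would break legitimate markup from helpers and partials, so only the substring that demonstrably came from the request is rewritten, and everything else the template emitted stays intact.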

[1.3.2] 2017-03-09

  • Faster exit when application is in development mode

[1.3.1] 2017-03-06

  • Improve error logs

[1.3.0] 2017-02-23

  • More stable middleware instrumentation
  • Fix encoding objects when sending to Sqreen

[1.2.0] 2017-01-20

  • Improve error logs

[1.1.5] 2016-12-15

  • Better metrics collection

[1.1.4] 2016-12-15

  • Do not start by default in cucumber environment

[1.1.2] 2016-12-14

  • Improve security APIs statistics collection
  • Stop freezing user-agent strings

[1.1.1] 2016-12-07

  • Improve IP address selection heuristic
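
The client-address selection that this entry, 1.8.2 (private networks), 1.13.0 (the ip_header option) and 1.18.1 (scoped IPv6) keep refining is illustrated below. This is an added example, not the agent's code: when an operator has named a trusted header it is taken verbatim; otherwise the forwarding chain is walked from the hop that actually connected (REMOTE_ADDR, then the rightmost X-Forwarded-For entry) back toward the client, skipping internal hops, so an attacker-prepended header value cannot override the address the last public hop appended. Scoped IPv6 literals such as fe80::1%eth0 have the zone id stripped and IPv4-mapped addresses are unwrapped. The internal range list and the trust model are assumptions for the example.

```ruby
require "ipaddr"

# Added example, not the Sqreen agent's code. Internal range list, header
# handling and the trust model are assumptions for illustration.
module ClientIp
  # Hops treated as internal (proxies, load balancers, the app host itself)
  # when walking a forwarding chain. Link-local ranges are listed explicitly
  # because IPAddr#private? does not include them.
  INTERNAL = %w[
    10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16
    ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # Parse one textual address leniently: brackets and an IPv6 zone id
  # ("fe80::1%eth0") are stripped, IPv4-mapped IPv6 ("::ffff:203.0.113.9") is
  # unwrapped, and anything unparsable yields nil instead of raising.
  def self.parse(text)
    return nil if text.nil?
    s = text.strip
    s = s[1..-2] if s.start_with?("[") && s.end_with?("]")
    s = s.sub(/%.*\z/, "")
    return nil if s.empty?
    ip = IPAddr.new(s)
    ip = ip.native if ip.ipv6? && ip.ipv4_mapped?
    ip
  rescue ArgumentError # IPAddr::InvalidAddressError is a subclass
    nil
  end

  def self.internal?(ip)
    INTERNAL.any? { |range| range.include?(ip) }
  end

  # env:       Rack env hash (REMOTE_ADDR plus HTTP_* header keys)
  # ip_header: optional header an operator has declared trustworthy because
  #            their own front proxy sets it (e.g. "X-Real-IP"); taken verbatim
  def self.select(env, ip_header: nil)
    if ip_header
      raw = env["HTTP_" + ip_header.upcase.tr("-", "_")]
      configured = parse(raw && raw.split(",").first)
      return configured.to_s if configured
    end

    forwarded = (env["HTTP_X_FORWARDED_FOR"] || "").split(",").map { |s| parse(s) }.compact
    remote    = parse(env["REMOTE_ADDR"])

    # Walk from the hop that connected to us back toward the client, skipping
    # internal hops. Values a client prepends on the left are only reached if
    # every hop to their right is internal, which is the intended trust model.
    chain  = ([remote] + forwarded.reverse).compact
    client = chain.find { |ip| !internal?(ip) }

    # Everything internal: the request really originates on a private network,
    # so the address furthest from us (leftmost in the header) is the client.
    chosen = client || chain.last
    chosen && chosen.to_s
  end
end
```

The ip_header shortcut is deliberately unconditional: it exists for deployments whose front proxy strips and rewrites that header on every request, and it is only safe when that is true, since the same header arriving from an untrusted edge is attacker-controlled.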

[1.1.0] 2016-12-06

[1.0.0] 2016-12-05

  • Improved agent network communication performance (new agent login)

[0.8.1] 2016-06-06

  • Improved performance (pre-conditions fix)

[0.8.0] 2016-05-30

  • New feature: Suspicious activities on accounts
  • New feature: Content Security Policy management

[0.7.X] 2016-04-20