Ruby microagent release notes

[1.25.1] 2022-02-22
- Add compatibility with ddtrace 1.0
- Fix issue on WAF garbage collection

[1.25.0] 2022-01-25
- Switch from old sq_mini_racer to upstream mini_racer
- Support Ruby 3.1
- Restrict compatibility to Ruby 2.6 and up

Note: This update mainly aims to support Ruby 3.1. There may be issues installing mini_racer related to a bundler change regarding platform resolution. Make sure to update rubygems and bundler to the latest versions, and use bundler lock --add-platform. See open issues at https://github.com/rubyjs/mini_racer and https://github.com/rubyjs/libv8-node for known solutions.

[1.24.3] 2021-12-10
- Fix WAF exception reporting corner case

[1.24.2] 2021-12-07
- Fix kwargs for rule callbacks on Ruby 3+
- Fix properties propagation for custom events
- Fix Devise key type mismatch for signup

[1.24.1] 2021-07-16
- Add Datadog trace keeping through sampling
- Improve Datadog correlation compatibility with Sinatra
- Improve attack event correlation with Datadog spans
- Tag attack correlated span with sqreen.event: true

[1.24.0] 2021-04-30
- Add Sqreen event correlation with Datadog traces

[1.23.2] 2021-04-29
- Fix compatibility with NewRelic for attack events
- Fix incorrect rule rejection despite all signature checks individually passing

[1.23.1] 2021-02-24
- Improve compatibility with some gems (such as puma 5.x or graphql) on Ruby 3.0
- Drop support for Ruby 1.9.3

[1.23.0] 2021-01-15
- Add support for GraphQL

[1.22.1] 2020-12-16
- Fix excessive exception reporting, reducing CPU and network load
- Fix sensitive information attachment on pure tracing payloads
- Redact more sensitive fields by default
- Ensure preliminary compatibility with Ruby 3.0 previews
- Allow update to Sqreen MiniRacer 0.3.1

Note: this version is the last version supporting Ruby 1.9.3

[1.22.0] 2020-11-02
- Update WAF via libsqreen
- Add support for raw body
- Improve signature check
- Improve APM detection

[1.21.1] 2020-10-07
- Work around NewRelic initialisation issue (newrelic-ruby-agent#461)

[1.21.0] 2020-09-16
- Add support for transport and tracing facilities

[1.20.4] 2020-09-16
- Fix missing budget check
- Improve performance
- Align internal setting name for WAF
- Include response information in all payloads
- Improve robustness against invalid Unicode
- Prevent rule execution from continuing in early block cases

[1.20.4.beta1] 2020-08-14
- Add optional dynamic time budget prototype
- Add advanced per request metrics
- Improve robustness against exception in instrumentation
- Improve metric engine thread safety
- Restrict deferred logger to final logger severity on agent boot

[1.20.3] 2020-07-30
- Fix protection rule signature check

[1.20.2] 2020-07-23
- Fix performance regression in instrumentation engine

[1.20.1] 2020-06-24
- Add fallback mechanisms when connecting to new Sqreen backend API domains

[1.20.0] 2020-06-18
- Enable new instrumentation engine by default
- Add signal-based backend communication

[1.19.4] 2020-07-30
- Fix protection rule signature check

[1.19.3] 2020-06-06
- Improve WAF PII protection

[1.19.2] 2020-06-03
- Handle unexpected rule callback return values more gracefully
- Fix incorrect return value for 404 native callback

[1.19.1] 2020-06-01
- Fix LocalJumpError with nested Rack apps

[1.19.0] 2020-05-29
- Upgrade WAF features via libsqreen 0.6.1
- Improve time defensiveness in WAF
- Improve compatibility with APM agents via a new optional instrumentation engine
- Fix action reloading not being entirely cleared on reload
- Improve handling of hash symbol keys in some security rules
- Fix constant resolution scope on agent boot

[1.18.6] 2020-02-12
- Fix issue when time budget is disabled

[1.18.5] 2020-02-11
- Fix type mismatch error in WAF

[1.18.4] 2020-02-10
- Fix instrumentation conflict when a class defines a send method
- Fix compatibility with Sorbet type checker
- Improve WAF time budget handling

[1.18.3] 2019-12-19
- Improve PII protection
- Improve performance on sizeable request payloads
- Improve handling of Rails without a database
- Improve compatibility with Rack and Sinatra middlewares
- Support JSON payloads with rack-contrib PostBodyContentParser
- Add libsqreen toggle to configuration
- Prepare for Ruby 2.7 support
- Include license file in gem

[1.18.2] 2019-11-12
- Improve internal WAF error reporting
- Update license information
- Improve runtime performance when handling HTTP 404s

[1.18.1] 2019-10-25
- Improve handling of scoped IPv6 addresses
- Remove spurious warning on Rails 6
- Add missing WAF constant check

[1.18.0] 2019-10-15
- Support for In-App WAF

[1.17.2] 2019-08-30
- Support Rails 6.0 (single database mode)
- Improve output of logging
- Fix user signup tracking issue
- Improve performance of user tracking
- Improve reliability of user tracking against performance budget
- Support Sinatra 2.0
- Improve Sqreen thread boot when using Unicorn, Rainbows, Puma, Passenger, Thin, Webrick
- Improve overall performance budget consistency
- Improve JavaScript rule processing of preconditions
- Remove extraneous log output on CLI tool execution

[1.17.0] 2019-03-23
- Implement HTTP Response Code, Content-Type, and Content-Length in relevant sqreen events
- Enhance reliability in case of unavailability of the backend
- Handle communication exceptions more gracefully
- Improve handling and sanitization of non-UTF8 encodings
- Avoid concurrent hash modification during iteration
- Improve feedback accuracy in logs

[1.16.2] 2019-02-14
- Improve handling of maximum request execution time setting
- Improved log clarity when using a forking server
- Fix case sensitive configuration keys handling
- Improved reliability on concurrent access to a hash
- Support Ruby 2.6

[1.16.1] 2019-01-18
- Fix bugs in low memory JavaScript paths

[1.16.0] 2019-01-18
- Implement redirect_user action
- Improve performance of JavaScript rules
- Support Organization Token

[1.15.8] 2019-01-07
- Improve JavaScript engine memory usage

[1.15.7] 2018-11-28
- Improve performance of IP denylisting

[1.15.7.beta1] 2018-11-22
- Improve serialization of arguments to rule engine (MRI Ruby only)

[1.15.6] 2018-11-21
- Avoid errors on Sqreen SDK method call when Sqreen is not yet configured

[1.15.5] 2018-11-15
- Reduce overhead of performance monitoring

[1.15.4] 2018-11-14
- Fix JS functions sometimes interfering with each other

[1.15.3] 2018-11-08
- User customization of sensitive data purging
- Ignore redundant rules_reload commands
- Eliminate reentering protection in request start/end hooks
- Add logging statements

[1.15.2] 2018-10-31
- Fix exception when evaluating actions without the server having sent the actions_reload command
- Fix reporting of such an exception

[1.15.1] 2018-10-29
- Improve performance of large number of IP blocks
- Changed order in which actions, passlisting and denylisting are evaluated
- Improve serialization of arguments to JS functions (MRI only)

[1.15.0] 2018-10-24
- Improve memory usage
- Fix uninitialized @@issue_nojs_warn
- Fix FloatDomainError when binning value is 0

[1.14.2] 2018-10-02
- Fix error when instrumented method is called between requests and measuring agent performance
- Fix encoding error when passing arguments to mini_racer
- Work around bug causing Ruby 2.5.0 and 2.5.1 to segfault
- Fix JavaScript usage in JRuby (Rhino contexts cannot cross threads)
- Increase minimum version of sq_mini_racer to 0.2.2.sqreen1

[1.14.1] 2018-09-21
- Improve agent performance monitoring collection

[1.14.0] 2018-09-12
- Improve log messages for block and redirect (and make block a warning)
- Avoid v8 instances being created in master processes (before forking)

[1.14.0.beta3] 2018-09-06
- Remove dependency on therubyracer
- Upgrade sq_mini_racer
- Set mini_racer flag noconcurrent_recompilation

[1.14.0.beta2] 2018-08-20
- Fixed sq_mini_racer not being declared as a runtime dependency

[1.14.0.beta1] 2018-08-20
- Fix exception in XSS callback for HAML 4 script lines
- Introduce sq_mini_racer (fork of mini_racer)

[1.13.4] 2018-08-16
- Fixed literals in HAML 4 being improperly escaped
- Fixed exception in XSS callback when some input is not UTF-8 encoded

[1.13.3] 2018-08-13
- Redact sensitive data before sending it to Sqreen's servers
- Specify a minimum version of therubyracer

[1.13.2] 2018-07-23
- Explicitly ignore uncaught Sqreen::AttackBlocked exceptions on Sentry and NewRelic

[1.13.1] 2018-07-18
- Force mini_racer gem dependency version to 0.1.x

[1.13.0] 2018-07-04
- Implement the block_user security response
- Add ip_header configuration option
- Prevent double instrumentation of instance methods
- Support performance metrics

[1.12.0] 2018-05-31
- Add support for security responses

[1.11.3] 2018-03-26
- Improve workaround for uncommon potential segfault happening in Ruby 2.5.0

[1.11.2] 2018-03-21
- Work around uncommon potential segfault happening in Ruby 2.5.0

[1.11.1] 2018-03-20
- Improve performance of agent in the request cycle

[1.11.0] 2018-03-07
- Add limit of protection runtime through settings
- Improve performance of XSS related protections
- Change NewRelic performance reports to use custom attributes instead of custom metrics
- Add a way to display overhead per request in logs

[1.10.5] 2018-02-22
- Fix compatibility issue with delayed_job workers
- Fix infrequent logging error
- Improve speed of WAF-like rule

[1.10.4] 2018-02-20
- Fix instrumentation when Sqreen is used with skylight
- Improve security plugins signature handling when Oj is present

[1.10.3] 2018-02-15
- Further improvements of sqreen-alt memory profile

[1.10.2] 2018-02-15
- Improve memory profile of sqreen-alt

[1.10.1] 2018-02-14
- Fix memory leak that can occur when reloading protection in sqreen-alt

[1.10.0] 2018-02-14
- Publish sqreen-alt gem that uses mini_racer as rule engine
- Change local rule storage

[1.9.2] 2018-02-06
- Look for XSS in raw erb templates (<%== %>)
- Fix data report format when retrying delivery

[1.9.1] 2018-01-22
- Fix observing the first request of an app server on Sinatra

[1.9.0] 2018-01-22
- Add identify method to SDK to tag a user on a request
- Group attacks and metrics observed per request
- Update attack blocked page template
- Tune IP detection
- Fix corner case that would occur when the request had a very deep hash of parameters

[1.8.5] 2017-10-18
- Fix an issue when trying to compile slim templates containing modifier if (e.g. == expr if something)

[1.8.4] 2017-10-17
- Better support for old versions of json libraries

[1.8.3] 2017-10-04
- Improve resilience on badly shaped request environment

[1.8.2] 2017-09-25
- Improve performance of SQL injection detection
- Improve IP address detection on private networks

[1.8.1] 2017-08-09
- Ensure that rules are correctly reapplied after a process fork

[1.8.0] 2017-08-07
- Smaller login payloads
- Make disable accept more values as true
- Add version of Sqreen gem in User-Agent

[1.7.2] 2017-07-18
- Improve speed of early attack detection
- Correctly disable early attack detection when a request is added to the passlist

[1.7.1] 2017-07-10
- Fixes some security rules getting lost when applying passlist rules

[1.7.0] 2017-06-30
- Completely redesigned passlist/denylist support
- Better support for badly encoded strings in parameters

[1.6.5] 2017-06-09
- Only escape maliciously injected reflected values
- Better File parameters handling

[1.6.4] 2017-05-29
- Accept more kinds of values in Haml protection

[1.6.3] 2017-05-22
- Improve Haml5 support

[1.6.2] 2017-05-16
- Display custom error page when an attack is cached in the templates

[1.6.1] 2017-05-15
- Ensure all protections use the selected protection mode behavior

[1.6.0] 2017-05-12
- More early attack detection rules
- Refactor dynamic rules execution

[1.5.0] 2017-04-18
- Use ERB inside sqreen.yml config file
- Disable Sqreen through config file

[1.4.3] 2017-04-07
- More support for HAML & Slim templating engines
- Capturing slightly more detailed traffic metrics

[1.4.2] 2017-03-28
- Parameter inclusion check was too wide

[1.4.0] 2017-03-27
- Initial support for HAML templating engine (reflected XSS)
- Initial support for adding a request path to the passlist
- Change patch numbering system

[1.3.2] 2017-03-09
- Faster exit when application is in development mode

[1.3.1] 2017-03-06
- Improve error logs

[1.3.0] 2017-02-23
- More stable middleware instrumentation
- Fix encoding objects when sending to Sqreen

[1.2.0] 2017-01-20
- Improve error logs

[1.1.5] 2016-12-15
- Better metrics collection

[1.1.4] 2016-12-15
- Do not start by default in cucumber environment

[1.1.2] 2016-12-14
- Improve security APIs statistics collection
- Stop freezing user-agent strings

[1.1.1] 2016-12-07
- Improve IP address selection heuristic

[1.1.0] 2016-12-06
- Authentication SDK (documentation)

[1.0.0] 2016-12-05
- Improved agent network communication performance (new agent login)

[0.8.1] 2016-06-06
- Improved performance (pre-conditions fix)

[0.8.0] 2016-05-30
- New feature: Suspicious activities on accounts
- New feature: Content Security Policy management

[0.7.X] 2016-04-20
- First version published to Rubygems