Ruby microagent release notes¶

[1.24.1] 2021-07-16

Add Datadog trace keeping through sampling
Improve Datadog correlation compatibility with Sinatra
Improve attack event correlation with Datadog spans
Tag attack correlated span with sqreen.event: true

[1.24.0] 2021-04-30

Add Sqreen event correlation with Datadog traces

[1.23.2] 2021-04-29

Fix compatibility with NewRelic for attack events
Fix incorrect rule rejection despite all signature checks individually passing

[1.23.1] 2021-02-24

Improve compatibility with some gems (such as puma 5.x or graphql) on Ruby 3.0
Drop support for Ruby 1.9.3

[1.23.0] 2021-01-15

Add support for GraphQL

[1.22.1] 2020-12-16

Fix excessive exception reporting, reducing CPU and network load
Fix sensitive information attachment on pure tracing payloads
Redact more sensitive fields by default
Ensure preliminary compatibility with Ruby 3.0 previews
Allow update to Sqreen MiniRacer 0.3.1

Note: this version is the last version supporting Ruby 1.9.3

[1.22.0] 2020-11-02

Update WAF via libsqreen
Add support for raw body
Improve signature check
Improve APM detection

[1.21.1] 2020-10-07

Work around NewRelic initialisation issue (newrelic-ruby-agent#461)

[1.21.0] 2020-09-16

Add support for transport and tracing facilities

[1.20.4] 2020-09-16

Fix missing budget check
Improve performance
Align internal setting name for WAF
Include response information in all payloads
Improve robustness against invalid Unicode
Prevent rule execution to pursue in early block cases

[1.20.4.beta1] 2020-08-14

Add optional dynamic time budget prototype
Add advanced per request metrics
Improve robustness against exception in instrumentation
Improve metric engine thread safety
Restrict deferred logger to final logger severity on agent boot

[1.20.3] 2020-07-30

Fix protection rule signature check

[1.20.2] 2020-07-23

Fix performance regression in instrumentation engine

[1.20.1] 2020-06-24

Add fallback mechanisms when connecting to new Sqreen backend API domains

[1.20.0] 2020-06-18

Enable new instrumentation engine by default
Add signal-based backend communication

[1.19.4] 2020-07-30

Fix protection rule signature check

[1.19.3] 2020-06-06

Improve WAF PII protection

[1.19.2] 2020-06-03

Handle unexpected rule callback return values more gracefully
Fix incorrect return value for 404 native callback

[1.19.1] 2020-06-01

Fix LocalJumpError with nested Rack apps

[1.19.0] 2020-05-29

Upgrade WAF features via libsqreen 0.6.1
Improve time defensiveness in WAF
Improve compatibility with APM agents via a new optional instrumentation engine
Fix action reloading not being entirely cleared on reload
Improve handling of hash symbol keys in some security rules
Fix constant resolution scope on agent boot

[1.18.6] 2020-02-12

Fix issue when time budget is disabled

[1.18.5] 2020-02-11

Fix type mismatch error in WAF

[1.18.4] 2020-02-10

Fix instrumentation conflict when a class defines a send method
Fix compatibility with Sorbet type checker
Improve WAF time budget handling

[1.18.3] 2019-12-19

Improve PII protection
Improve performance on sizeable request payloads
Improve handling of Rails without a database
Improve compatibility with Rack and Sinatra middlewares
Support JSON payloads with rack-contrib PostBodyContentParser
Add libsqreen toggle to configuration
Prepare for Ruby 2.7 support
Include license file in gem

[1.18.2] 2019-11-12

Improve internal WAF error reporting
Update license information
Improve runtime performance when handling HTTP 404s

[1.18.1] 2019-10-25

Improve handling of scoped IPv6 addresses
Remove spurious warning on Rails 6
Add missing WAF constant check

[1.18.0] 2019-10-15

Support for In-App WAF

[1.17.2] 2019-08-30

Support Rails 6.0 (single database mode)
Improve output of logging
Fix user signup tracking issue
Improve performance of user tracking
Improve reliability of user tracking against performance budget
Support Sinatra 2.0
Improve Sqreen thread boot when using Unicorn, Rainbows, Puma, Passenger, Thin, Webrick
Improve overall performance budget consistency
Improve Javascript rule processing of preconditions
Remove extraneous log output on CLI tool execution

[1.17.0] 2019-03-23

Implement HTTP Response Code, Content-Type, and Content-Length in relevant sqreen events
Enhance reliability in case of unavailability of the backend
Handle communication exceptions more gracefully
Improve handling and sanitization of non-UTF8 encodings
Avoid concurrent hash modification during iteration
Improve feedback accuracy in logs

[1.16.2] 2019-02-14

Improve handling of maximum request execution time setting
Improved log clarity when using a forking server
Fix case sensitive configuration keys handling
Improved reliabilty on concurrent access to a hash
Support Ruby 2.6

[1.16.1] 2019-01-18

Fix bugs in low memory JavaScript paths

[1.16.0] 2019-01-18

Implement redirect_user action
Improve performance of JavaScript rules
Support Organization Token

[1.15.8] 2019-01-07

Improve JavaScript engine memory usage

[1.15.7] 2018-11-28

Improve performance of IP denylisting

[1.15.7.beta1] 2018-11-22

Improve serialization of arguments to rule engine (MRI Ruby only)

[1.15.6] 2018-11-21

Avoid errors on Sqreen SDK method call when Sqreen is not yet configured

[1.15.5] 2018-11-15

Reduce overhead of performance monitoring

[1.15.4] 2018-11-14

Fix JS functions sometimes interfering with each other

[1.15.3] 2018-11-08

User customization of sensitive data purging
Ignore redundant rules_reload commands
Eliminate reentering protection in request start/end hooks
Add logging statements

[1.15.2] 2018-10-31

Fix exception when evaluating actions without the server having sent the actions_reload command
Fix reporting of such an exception

[1.15.1] 2018-10-29

Improve performance of large number of IP blocks
Changed order in which actions, passlisting and denylisting are evaluated
Improve serialization of arguments to JS functions (MRI only)

[1.15.0] 2018-10-24

Improve memory usage
Fix uninitialized @@issue_nojs_warn
Fix FloatDomainError when binning value is 0

[1.14.2] 2018-10-02

Fix error when instrumented method is called between requests and measuring agent performance
Fix encoding error when passing arguments to mini_racer
Work around bug causing Ruby 2.5.0 and 2.5.1 to segfault
Fix JavaScript usage in jRuby (Rhino contexts cannot cross threads)
Increase minimum version of sq_mini_racer to 0.2.2.sqreen1

[1.14.1] 2018-09-21

Improve agent performance monitoring collection

[1.14.0] 2018-09-12

Improve log msgs for block and redirect (and make block a warning)
Avoid v8 instances being created in master processes (before forking)

[1.14.0.beta3] 2018-09-06

Remove dependency on therubyracer
Upgrade sq_mini_racer
Set mini_racer flag noconcurrent_recompilation

[1.14.0.beta2] 2018-08-20

Fixed sq_mini_racer not being declared as a runtime dependency

[1.14.0.beta1] 2018-08-20

Fix exception in XSS callback for HAML 4 script lines
Introduce sq_mini_racer (fork of mini_racer)

[1.13.4] 2018-08-16

Fixed literals in HAML 4 being improperly escaped
Fixed exception in XSS callback when some input is not UTF-8 encoded

[1.13.3] 2018-08-13

Redact sensitive data before sending it to Sqreen's servers
Specify a minimum version of therubyracer

[1.13.2] 2018-07-23

Explicitly ignore uncaught Sqreen::AttackBlocked exceptions on Sentry and NewRelic

[1.13.1] 2018-07-18

Force mini_racer gem dependency version to 0.1.x

[1.13.0] 2018-07-04

Implement the block_user security response
Add ip_header configuration option
Prevent double instrumentation of instance methods
Support performance metrics

[1.12.0] 2018-05-31

Add support for security responses

[1.11.3] 2018-03-26

Improve workaround about uncommon potential segfault happenning in Ruby 2.5.0

[1.11.2] 2018-03-21

Workaround uncommon potential segfault happenning in Ruby 2.5.0

[1.11.1] 2018-03-20

Improve performance of agent in the request cycle

[1.11.0] 2018-03-07

Add limit of protection runtime through settings
Improve performance of XSS related protections
Change NewRelic performance reports to use custom attributes instead of custom metrics
Add a way to display overhead per request in logs

[1.10.5] 2018-02-22

Fix compatibility issue with delayed_job workers
Fix infrequent logging error
Improve speed of WAF-like rule

[1.10.4] 2018-02-20

Fix instrumentation when Sqreen is used with skylight
Improve security plugins signature handling when Oj is present

[1.10.3] 2018-02-15

Further improments of sqreen-alt memory profile

[1.10.2] 2018-02-15

Improve memory profile of sqreen-alt

[1.10.1] 2018-02-14

Fix memory leak that can occur when reloading protection in sqreen-alt

[1.10.0] 2018-02-14

Publish sqreen-alt gem that uses mini_racer as rule engine
Change local rule storage

[1.9.2] 2018-02-06

Look for XSS in raw erb templates (<%== %>)
Fix data report format when retrying delivery

[1.9.1] 2018-01-22

Fix observing the first request of an app server on sinatra

[1.9.0] 2018-01-22

Add identify method to SDK to tag a user on a request
Group attacks and metrics observed per requests
Update attack blocked page template
Tune ip detection
Fix corner case that would occur when the request had very deep hash of parameters

[1.8.5] 2017-10-18

Fix an issue when trying to compile slim templates containing modifier if (e.g. == expr if something)

[1.8.4] 2017-10-17

Better support old version of json libraries

[1.8.3] 2017-10-04

Improve resilience on badly shaped request environment

[1.8.2] 2017-09-25

Improve performance of SQL injection detection
Improve ip address detection on private networks

[1.8.1] 2017-08-09

Ensure that rules are correctly reapplied after a process fork

[1.8.0] 2017-08-07

Smaller login payloads
make disable accept more value as true
Add version of Sqreen gem in User-Agent

[1.7.2] 2017-07-18

Improve speed of early attack detection
Correctly disable early attack detection when a request is added to the passlist

[1.7.1] 2017-07-10

Fixes some security rules getting lost when applying passlist rules

[1.7.0] 2017-06-30

Completely redesigned passlist/denylist support
Better support badly encoded strings in parameters

[1.6.5] 2017-06-09

Only escape maliciously injected reflected values
Better File parameters handling

[1.6.4] 2017-05-29

Accept more kind of values in Haml protection

[1.6.3] 2017-05-22

Improve Haml5 support

[1.6.2] 2017-05-16

Display custom error page when an attack in cached in the templates

[1.6.1] 2017-05-15

Ensure all protection use the selected protection mode behavior

[1.6.0] 2017-05-12

More early attack detection rules
Refactor dynamic rules execution

[1.5.0] 2017-04-18

Use ERB inside sqreen.yml config file
Disable Sqreen through config file

[1.4.3] 2017-04-07

More support for HAML & Slim templating engines
Capturing more slightly more detailed traffic metrics

[1.4.2] 2017-03-28

Parameter inclusion check was too wide

[1.4.0] 2017-03-27

Initial support for HAML templating engine (reflected XSS)
Initial support for adding a request path to the passlist
Change patch numbering system

[1.3.2] 2017-03-09

Faster exit when application is in development mode

[1.3.1] 2017-03-06

Improve error logs

[1.3.0] 2017-02-23

More stable middleware instrumentation
Fix encoding objects when sending to Sqreen

[1.2.0] 2017-01-20

Improve error logs

[1.1.5] 2016-12-15

Better metrics collection

[1.1.4] 2016-12-15

Do not start by default in cucumber environment

[1.1.2] 2016-12-14

Improve security APIs statistics collection
Stop freezing user-agent strings

[1.1.1] 2016-12-07

Improve IP address selection heuristic

[1.1.0] 2016-12-06

Authentication SDK (documentation)

[1.0.0] 2016-12-05

Improved agent network communication performance (new agent login)

[0.8.1] 2016-06-06

Improved performance (pre-conditions fix)

[0.8.0] 2016-05-30

New feature: Suspicious activities on accounts
New feature: Content Security Policy management

[0.7.X] 2016-04-20

First version published to Rubygems