Ruby microagent release notes

[1.25.1] 2022-02-22

  • Add compatibility with ddtrace 1.0
  • Fix issue on WAF garbage collection

[1.25.0] 2022-01-25

  • Switch from old sq_mini_racer to upstream mini_racer
  • Support Ruby 3.1
  • Restrict compatiblity to Ruby 2.6 and up

Note: This update mainly aims to support Ruby 3.1. There may be issues installing mini_racer related to a bundler change regarding platform resolution. Make sure to update rubygems and bundler to latest versions, and use bundler lock --add-platform. See opened issues at https://github.com/rubyjs/mini_racer and https://github.com/rubyjs/libv8-node for known solutions.

[1.24.3] 2021-12-10

  • Fix WAF exception reporting corner case

[1.24.2] 2021-12-07

  • Fix kwargs for rule callbacks on Ruby 3+
  • Fix properties propagation for custom events
  • Fix Devise key type mismatch for signup

[1.24.1] 2021-07-16

  • Add Datadog trace keeping through sampling
  • Improve Datadog correlation compatibility with Sinatra
  • Improve attack event correlation with Datadog spans
  • Tag attack correlated span with sqreen.event: true

[1.24.0] 2021-04-30

  • Add Sqreen event correlation with Datadog traces

[1.23.2] 2021-04-29

  • Fix compatibility with NewRelic for attack events
  • Fix incorrect rule rejection despite all signature checks individually passing

[1.23.1] 2021-02-24

  • Improve compatibility with some gems (such as puma 5.x or graphql) on Ruby 3.0
  • Drop support for Ruby 1.9.3

[1.23.0] 2021-01-15

  • Add support for GraphQL

[1.22.1] 2020-12-16

  • Fix excessive exception reporting, reducing CPU and network load
  • Fix sensitive information attachment on pure tracing payloads
  • Redact more sensitive fields by default
  • Ensure preliminary compatibility with Ruby 3.0 previews
  • Allow update to Sqreen MiniRacer 0.3.1

Note: this version is the last version supporting Ruby 1.9.3

[1.22.0] 2020-11-02

  • Update WAF via libsqreen
  • Add support for raw body
  • Improve signature check
  • Improve APM detection

[1.21.1] 2020-10-07

[1.21.0] 2020-09-16

  • Add support for transport and tracing facilities

[1.20.4] 2020-09-16

  • Fix missing budget check
  • Improve performance
  • Align internal setting name for WAF
  • Include response information in all payloads
  • Improve robustness against invalid Unicode
  • Prevent rule execution to pursue in early block cases

[1.20.4.beta1] 2020-08-14

  • Add optional dynamic time budget prototype
  • Add advanced per request metrics
  • Improve robustness against exception in instrumentation
  • Improve metric engine thread safety
  • Restrict deferred logger to final logger severity on agent boot

[1.20.3] 2020-07-30

  • Fix protection rule signature check

[1.20.2] 2020-07-23

  • Fix performance regression in instrumentation engine

[1.20.1] 2020-06-24

  • Add fallback mechanisms when connecting to new Sqreen backend API domains

[1.20.0] 2020-06-18

  • Enable new instrumentation engine by default
  • Add signal-based backend communication

[1.19.4] 2020-07-30

  • Fix protection rule signature check

[1.19.3] 2020-06-06

  • Improve WAF PII protection

[1.19.2] 2020-06-03

  • Handle unexpected rule callback return values more gracefully
  • Fix incorrect return value for 404 native callback

[1.19.1] 2020-06-01

  • Fix LocalJumpError with nested Rack apps

[1.19.0] 2020-05-29

  • Upgrade WAF features via libsqreen 0.6.1
  • Improve time defensiveness in WAF
  • Improve compatibility with APM agents via a new optional instrumentation engine
  • Fix action reloading not being entirely cleared on reload
  • Improve handling of hash symbol keys in some security rules
  • Fix constant resolution scope on agent boot

[1.18.6] 2020-02-12

  • Fix issue when time budget is disabled

[1.18.5] 2020-02-11

  • Fix type mismatch error in WAF

[1.18.4] 2020-02-10

  • Fix instrumentation conflict when a class defines a send method
  • Fix compatibility with Sorbet type checker
  • Improve WAF time budget handling

[1.18.3] 2019-12-19

  • Improve PII protection
  • Improve performance on sizeable request payloads
  • Improve handling of Rails without a database
  • Improve compatibility with Rack and Sinatra middlewares
  • Support JSON payloads with rack-contrib PostBodyContentParser
  • Add libsqreen toggle to configuration
  • Prepare for Ruby 2.7 support
  • Include license file in gem

[1.18.2] 2019-11-12

  • Improve internal WAF error reporting
  • Update license information
  • Improve runtime performance when handling HTTP 404s

[1.18.1] 2019-10-25

  • Improve handling of scoped IPv6 addresses
  • Remove spurious warning on Rails 6
  • Add missing WAF constant check

[1.18.0] 2019-10-15

  • Support for In-App WAF

[1.17.2] 2019-08-30

  • Support Rails 6.0 (single database mode)
  • Improve output of logging
  • Fix user signup tracking issue
  • Improve performance of user tracking
  • Improve reliability of user tracking against performance budget
  • Support Sinatra 2.0
  • Improve Sqreen thread boot when using Unicorn, Rainbows, Puma, Passenger, Thin, Webrick
  • Improve overall performance budget consistency
  • Improve Javascript rule processing of preconditions
  • Remove extraneous log output on CLI tool execution

[1.17.0] 2019-03-23

  • Implement HTTP Response Code, Content-Type, and Content-Length in relevant sqreen events
  • Enhance reliability in case of unavailability of the backend
  • Handle communication exceptions more gracefully
  • Improve handling and sanitization of non-UTF8 encodings
  • Avoid concurrent hash modification during iteration
  • Improve feedback accuracy in logs

[1.16.2] 2019-02-14

  • Improve handling of maximum request execution time setting
  • Improved log clarity when using a forking server
  • Fix case sensitive configuration keys handling
  • Improved reliabilty on concurrent access to a hash
  • Support Ruby 2.6

[1.16.1] 2019-01-18

  • Fix bugs in low memory JavaScript paths

[1.16.0] 2019-01-18

  • Implement redirect_user action
  • Improve performance of JavaScript rules
  • Support Organization Token

[1.15.8] 2019-01-07

  • Improve JavaScript engine memory usage

[1.15.7] 2018-11-28

  • Improve performance of IP denylisting

[1.15.7.beta1] 2018-11-22

  • Improve serialization of arguments to rule engine (MRI Ruby only)

[1.15.6] 2018-11-21

  • Avoid errors on Sqreen SDK method call when Sqreen is not yet configured

[1.15.5] 2018-11-15

  • Reduce overhead of performance monitoring

[1.15.4] 2018-11-14

  • Fix JS functions sometimes interfering with each other

[1.15.3] 2018-11-08

  • User customization of sensitive data purging
  • Ignore redundant rules_reload commands
  • Eliminate reentering protection in request start/end hooks
  • Add logging statements

[1.15.2] 2018-10-31

  • Fix exception when evaluating actions without the server having sent the actions_reload command
  • Fix reporting of such an exception

[1.15.1] 2018-10-29

  • Improve performance of large number of IP blocks
  • Changed order in which actions, passlisting and denylisting are evaluated
  • Improve serialization of arguments to JS functions (MRI only)

[1.15.0] 2018-10-24

  • Improve memory usage
  • Fix uninitialized @@issue_nojs_warn
  • Fix FloatDomainError when binning value is 0

[1.14.2] 2018-10-02

  • Fix error when instrumented method is called between requests and measuring agent performance
  • Fix encoding error when passing arguments to mini_racer
  • Work around bug causing Ruby 2.5.0 and 2.5.1 to segfault
  • Fix JavaScript usage in jRuby (Rhino contexts cannot cross threads)
  • Increase minimum version of sq_mini_racer to 0.2.2.sqreen1

[1.14.1] 2018-09-21

  • Improve agent performance monitoring collection

[1.14.0] 2018-09-12

  • Improve log msgs for block and redirect (and make block a warning)
  • Avoid v8 instances being created in master processes (before forking)

[1.14.0.beta3] 2018-09-06

  • Remove dependency on therubyracer
  • Upgrade sq_mini_racer
  • Set mini_racer flag noconcurrent_recompilation

[1.14.0.beta2] 2018-08-20

  • Fixed sq_mini_racer not being declared as a runtime dependency

[1.14.0.beta1] 2018-08-20

  • Fix exception in XSS callback for HAML 4 script lines
  • Introduce sq_mini_racer (fork of mini_racer)

[1.13.4] 2018-08-16

  • Fixed literals in HAML 4 being improperly escaped
  • Fixed exception in XSS callback when some input is not UTF-8 encoded

[1.13.3] 2018-08-13

  • Redact sensitive data before sending it to Sqreen's servers
  • Specify a minimum version of therubyracer

[1.13.2] 2018-07-23

  • Explicitly ignore uncaught Sqreen::AttackBlocked exceptions on Sentry and NewRelic

[1.13.1] 2018-07-18

  • Force mini_racer gem dependency version to 0.1.x

[1.13.0] 2018-07-04

  • Implement the block_user security response
  • Add ip_header configuration option
  • Prevent double instrumentation of instance methods
  • Support performance metrics

[1.12.0] 2018-05-31

  • Add support for security responses

[1.11.3] 2018-03-26

  • Improve workaround about uncommon potential segfault happenning in Ruby 2.5.0

[1.11.2] 2018-03-21

  • Workaround uncommon potential segfault happenning in Ruby 2.5.0

[1.11.1] 2018-03-20

  • Improve performance of agent in the request cycle

[1.11.0] 2018-03-07

  • Add limit of protection runtime through settings
  • Improve performance of XSS related protections
  • Change NewRelic performance reports to use custom attributes instead of custom metrics
  • Add a way to display overhead per request in logs

[1.10.5] 2018-02-22

  • Fix compatibility issue with delayed_job workers
  • Fix infrequent logging error
  • Improve speed of WAF-like rule

[1.10.4] 2018-02-20

  • Fix instrumentation when Sqreen is used with skylight
  • Improve security plugins signature handling when Oj is present

[1.10.3] 2018-02-15

  • Further improments of sqreen-alt memory profile

[1.10.2] 2018-02-15

  • Improve memory profile of sqreen-alt

[1.10.1] 2018-02-14

  • Fix memory leak that can occur when reloading protection in sqreen-alt

[1.10.0] 2018-02-14

  • Publish sqreen-alt gem that uses mini_racer as rule engine
  • Change local rule storage

[1.9.2] 2018-02-06

  • Look for XSS in raw erb templates (<%== %>)
  • Fix data report format when retrying delivery

[1.9.1] 2018-01-22

  • Fix observing the first request of an app server on sinatra

[1.9.0] 2018-01-22

  • Add identify method to SDK to tag a user on a request
  • Group attacks and metrics observed per requests
  • Update attack blocked page template
  • Tune ip detection
  • Fix corner case that would occur when the request had very deep hash of parameters

[1.8.5] 2017-10-18

  • Fix an issue when trying to compile slim templates containing modifier if (e.g. == expr if something)

[1.8.4] 2017-10-17

  • Better support old version of json libraries

[1.8.3] 2017-10-04

  • Improve resilience on badly shaped request environment

[1.8.2] 2017-09-25

  • Improve performance of SQL injection detection
  • Improve ip address detection on private networks

[1.8.1] 2017-08-09

  • Ensure that rules are correctly reapplied after a process fork

[1.8.0] 2017-08-07

  • Smaller login payloads
  • make disable accept more value as true
  • Add version of Sqreen gem in User-Agent

[1.7.2] 2017-07-18

  • Improve speed of early attack detection
  • Correctly disable early attack detection when a request is added to the passlist

[1.7.1] 2017-07-10

  • Fixes some security rules getting lost when applying passlist rules

[1.7.0] 2017-06-30

  • Completely redesigned passlist/denylist support
  • Better support badly encoded strings in parameters

[1.6.5] 2017-06-09

  • Only escape maliciously injected reflected values
  • Better File parameters handling

[1.6.4] 2017-05-29

  • Accept more kind of values in Haml protection

[1.6.3] 2017-05-22

  • Improve Haml5 support

[1.6.2] 2017-05-16

  • Display custom error page when an attack in cached in the templates

[1.6.1] 2017-05-15

  • Ensure all protection use the selected protection mode behavior

[1.6.0] 2017-05-12

  • More early attack detection rules
  • Refactor dynamic rules execution

[1.5.0] 2017-04-18

  • Use ERB inside sqreen.yml config file
  • Disable Sqreen through config file

[1.4.3] 2017-04-07

  • More support for HAML & Slim templating engines
  • Capturing more slightly more detailed traffic metrics

[1.4.2] 2017-03-28

  • Parameter inclusion check was too wide

[1.4.0] 2017-03-27

  • Initial support for HAML templating engine (reflected XSS)
  • Initial support for adding a request path to the passlist
  • Change patch numbering system

[1.3.2] 2017-03-09

  • Faster exit when application is in development mode

[1.3.1] 2017-03-06

  • Improve error logs

[1.3.0] 2017-02-23

  • More stable middleware instrumentation
  • Fix encoding objects when sending to Sqreen

[1.2.0] 2017-01-20

  • Improve error logs

[1.1.5] 2016-12-15

  • Better metrics collection

[1.1.4] 2016-12-15

  • Do not start by default in cucumber environment

[1.1.2] 2016-12-14

  • Improve security APIs statistics collection
  • Stop freezing user-agent strings

[1.1.1] 2016-12-07

  • Improve IP address selection heuristic

[1.1.0] 2016-12-06

[1.0.0] 2016-12-05

  • Improved agent network communication performance (new agent login)

[0.8.1] 2016-06-06

  • Improved performance (pre-conditions fix)

[0.8.0] 2016-05-30

  • New feature: Suspicious activities on accounts
  • New feature: Content Security Policy management

[0.7.X] 2016-04-20