# Ruby Agent Release Notes

## Version 2.0.4
Released February 23rd:
* Fixes
  - Do not run AR hook code if there is no current agent request.

## Version 2.0.3
Released February 2nd:
* Fixes
  - Fix multi-line string interpolations being treated as comments

## Version 2.0.2
Released January 17th, 2018
* Fixes
  - Fix Slim hook to support an inserted `do`

## Version 2.0.1 [LIMITED AVAILABILITY]
Released October 27th, 2017
* New Features
  - Advanced SQLi security features
  - Support for Slim templates for XSS

## Version 1.2.1
Released August 17th, 2017
* Enhancements
  - Support for Rails 5

## Version 1.1.18
Released June 19th, 2017
* Fixes
  - Removed the internal check for the Erubis gem when the XSS plugin is disabled. The Erubis gem was removed from the Rails packaging in Rails 5.1.0-RC1, which caused the Ruby agent to raise an error when loading. Note that this change does not add support for Rails 5.x to the Ruby agent; it only makes it possible to disable the plugins that are not yet supported with Rails 5.

## Version 1.1.16
Released May 30th, 2017
* Fixes
  - Fixed ORM instrumentation generating a suspicious payload alert with certain params, under rare conditions
* Improvements
  - Enhancements to code protection algorithms
  - Enhancements to the HTTP header protection algorithm

## Version 1.1.15
Released May 24th, 2017
* Fixes
  - Updated the msgpack version to support Ruby 2.4 with Rails 4.2
  - Fixed instrumentation of HAML templates
* Improvements
  - Added support for instrumentation with Squeel
  - Enhancements to code protection algorithms
  - Enhancements to the HTTP header protection algorithm
  - Support for CAPTCHA mitigation for single-page applications

## Version 1.1.13
Released March 20, 2017
* Fixes
  - Fixed an issue caused by `ActionController::Metal#dispatch` when running with Rails 5

## Version 1.1.11
Released March 2, 2017
* Improvements
  - Moved the hook for `framework_route` to the Metal plugin

## Version 1.1.10
Released February 2, 2017
* Improvements
  - Added a channel reset feature for pre-forked environments

## Version 1.1.7
Released January 16, 2017
* Improvements
  - Added hooks for agent-instrumented views

## Version 1.1.6
Released January 11, 2017
* Improvements
  - Agent Lua update
  - Code protection plugins are now disabled by default; new parameter `code_protection_plugins_enabled`

## Version 1.1.5
* Improvements
  - Agent Lua update
  - Include the file/code/context in XSS learned patterns
  - Add the stack to learned SQL structures
  - Add the stack to MongoDB learned data
  - Add the stack to verb tampering

## Version 1.1.2
* Fixes
  - Instrumentation report now includes the disabled state
* Enhancements
  - Added HTTP header information for mitigated and agent threats
  - Performance improvement: use a fast SHA1 implementation

## Version 1.1.1
* Fixes
  - Fix SQLi degraded `get_wl_mode` check
  - Fix variable leak in the validations union function
  - Add missing `connection_uuid` to the SQL `display_meta` schema
  - Fix for blacklist bug
* New Features
  - Generate agent report for hooks that were successfully put in place
  - Updated Lua version support
  - Add the required global to SHA1
  - Support for MongoDB SQL
  - Add an `expected_command` to `shell_io` `display_meta`
  - Disable missing-CSRF reporting by default
  - Add HTTPoxy detection as a Suspicious HTTP Header
  - Allow relative redirects
  - Add more basic URL query parsing
  - Add context-based whitelisting to XSS patterns
  - Handle context-based SQLi degraded mode
  - Add RCE context-based whitelisting
  - Restore fencing
  - Return maps from `systemTests` and `agentTimings`
  - File IO read blacklist
  - Make verb tamper always allow GET and POST
  - Tracking cookie now includes a fingerprint of IP and user agent

## Version 1.1.0
Released August 10th, 2016
* Fixes
  - Resolve an issue when settings are empty or template rendering is disabled

## Version 1.0.22
Released July 6th, 2016
* Improvements
  - Reduction in memory usage by the agent

## Version 1.0.19
Released May 18th, 2016
* Fixes
  - Fix an issue where internal code was added to the load path

## Version 1.0.18
Released May 17th, 2016
* Fixes
  - Fix an issue when the Warden object is missing

## Version 1.0.17
Released May 5th, 2016
* Fixes
  - Fix an incompatibility issue with WebConsole

## Version 1.0.14
Released March 24th, 2016
* Fixes
  - Fix an issue where XSS tokens would be left in rendered output
  - Corrected a defect in remote command execution detection
* Improvements
  - XSS performance optimization

## Version 1.0.13
Released February 17th, 2016
* Fixes
  - Resolve a SQL Injection false positive due to an internal limitation that has been removed

## Version 1.0.12
Released February 16th, 2016
* Fixes
  - Resolve a Cross-Site Scripting false positive around SGML comments

## Version 1.0.11
Released February 2nd, 2016
* Fixes
  - Resolve an exception raised when a template is rendered to a `nil` value
* Improvements
  - Recognition of more vulnerability scanners

## Version 1.0.10
Released January 22nd, 2016
* Fixes
  - Fix an issue with rendering text partials with a `.txt.erb` or `.txt.haml` extension
  - Fix an issue causing the app to error when a session ID is `nil`
* Improvements
  - Reduction in memory usage by the agent
  - Improved performance by disabling the beta Eval feature in the agent

## Version 1.0.9
Released January 11th, 2016
* Fixes
  - Fix an issue that caused certain keys to be generated incorrectly when applications restart

## Version 1.0.8
Released December 23rd, 2015
* Fixes
  - Fix an issue with Warden instrumentation that caused exceptions if Immunio was required before Warden was configured
  - Fix two exceptions in the XSS plugin that occur when a template's contents are not a string
  - Happy holidays!

## Version 1.0.7
Released December 14th, 2015
* Fixes
  - Reduce overhead of the agent's XSS and File IO plugins

## Version 1.0.6
Released December 1st, 2015
* Fixes
  - Resolved several Cross-Site Scripting false positives

## Version 1.0.5
Released November 10th, 2015
* Fixes
  - Resolved File IO false positives due to file extension casing
  - Resolved several Cross-Site Scripting false positives
* Improvements
  - Reduced overhead of the agent's internal logger

## Version 1.0.4
Released October 27th, 2015
* Improvements
  - Cross-Site Scripting now reports the controller route used for a vulnerability occurrence
  - The agent now reports how each attack request was mitigated

## Version 1.0.3
Released October 22nd, 2015
* Fixes
  - Resolved Cross-Site Scripting false positives due to improper render template tracking
  - Resolved Cross-Site Scripting false positives when using some legacy pre-CSS HTML style attributes
* Improvements
  - Cross-Site Scripting analysis performance improvements, especially for renderings with many partials

## Version 1.0.2
Released October 16th, 2015
* Improvements
  - Cross-Site Scripting protection now analyzes CSS style tags and attributes in depth, recognizing more attacks and reducing false positives
  - Cross-Site Scripting analysis performance improvements, especially for renderings with many interpolations

## Version 1.0.1
Released October 2nd, 2015
* Fixes
  - Resolved slow Cross-Site Scripting analysis on certain pages
  - Resolved build failure on Mac OS X 10.11 (El Capitan)
* Improvements
  - Reduced Cross-Site Scripting false positives in HTML tag JavaScript event handlers with dynamic content
  - Reduced SQL Injection false positives when scalar query values vary between strings, numbers, and/or variables

## Version 1.0.0
Released September 29th, 2015
* Fixes
  - Resolved incorrect `eval` binding when file and line arguments are provided

## Version 0.16.1
Released September 22nd, 2015
* Fixes
  - Resolved installation issue on OS X

## Version 0.16.0
Released September 18th, 2015
* Improvements
  - Analysis engine upgrade resulting in a 50% reduction in overhead
* Fixes
  - Resolved a very small, slow memory leak
  - Benign requests from attackers were not always reported, preventing the tree map of attacker requests from showing the number of benign requests versus the number of malicious requests

## Version 0.15.4
Released September 4th, 2015
* Improvements
  - Wrap Cross-Site Scripting vulnerable code in appropriate ERB or HAML HTML escaping tags for extra contextual data
  - Many improvements to the Cross-Site Scripting sensor to detect more attacks
  - Open Redirect has clearer attack details
* Fixes
  - Prevent a Cross-Site Scripting false positive when using the `content_for` helper and interpolating it without HTML escaping
  - Don't report Warden failures unrelated to login failures as authentication failures
  - Prevent an exception in the agent when handling other exceptions
  - Prevent an exception when the full Rails framework is not present
  - Prevent a Cross-Site Scripting false positive when interpolating into a conditional comment

## Version 0.15.3
Released August 28th, 2015
* Fixes
  - Fix an issue where Immunio could raise an exception in Ruby applications not using Rails, but with the Rails constant still defined

## Version 0.15.2
Released August 27th, 2015
* Changes
  - Eval Execution and File Access threats have been disabled by default and are considered "Beta" features while we improve them
  - Shell Command Executions will be learned over a period of time by default rather than generating an alert for any execution after the first request
* Fixes
  - Local variables created inside one view template interpolation could not be referenced from a subsequent interpolation