Releases: baidu/openrasp

Release 1.2.1

29 Oct 07:04

Chinese release notes
Download (China mirror)

New features

General changes

  • Users can customize the RASP ID by passing the --rasp-id (PHP) / -rasp-id (Java) parameter during installation

Management panel

  • Multiple UI enhancements

Java agent

  • Add partial support of TongWeb application server
  • Simplified installation procedure of JBoss 7 and above
  • Add HSQL hooks
  • Add CPU limit support

Plugin system

  • Add environment information to command execution callbacks
  • Fixed a potential false positive in command_reflect algorithm

Bug fixes

General fix

  • Add agent re-registration support to prevent accidental removal of an existing agent

Java Agent

  • Multiple bug fixes

PHP Agent

  • Multiple bug fixes

Release 1.2.0

05 Sep 12:27

Chinese release notes
Download (China mirror)

Breaking changes

  • Removed enforce_policy from config options
  • Removed monitoring of MySQL duplicated key error

New features

General changes

  • Automatically synchronize server hostnames
  • Add detection of containers, stored in host_type field

Plugin system

  • Add requestEnd checkpoint
  • Add RASP.request method
  • Add RASP.agent_version field
  • Add context.requestId and many other fields
  • Add dest_path/dest_realpath field to fileUpload checkpoint (PHP only)
  • Add monitoring of loadLibrary events

PHP agent

  • Add eval/assert hooks

Java agent

  • Improved XSS detection algorithm on Tomcat servers
  • Add validation of requestEnd/request.getParameterMap hooks

RASP Installer

  • Add support of Tomcat installed via yum
  • Add partial support of SpringBoot servers

Bug fixes

Java agent

  • Added support of JRockit JDK (32/64)
  • Fixed a compatibility issue with org.elasticsearch.client.RestClient
  • Fixed an XXE compatibility issue with taglib
  • Removed V8 library execstack warning

v1.1.2

15 Jul 07:21

Chinese release notes
Download (China mirror)

General changes

Administration panel

  • Add API to export agent list
  • Multiple UI enhancements

Java agent

  • Add connection timeout in syslog related operations
  • Fixed a recursive ProcessBuilder call when the hostname has no entry in /etc/hosts

Version 1.1.1

17 Jun 10:06

Chinese release notes
Download (China mirror)

General changes

Administration panel

  • Enable gzip compression
  • Multiple user-experience enhancements

Java agent

  • Synchronize all V8 exception logs to rasp.log

Version 1.1

06 Jun 03:02

Chinese release notes
Download (China mirror)

Breaking changes

General changes

  • Upgrade Google V8 to v7.2
  • Reduced memory usage by replacing ANTLR4 with Flex

PHP agent

  • Removed pcre dependency
  • Replaced libstdc++ with libc++
  • Added a thread-safe edition to the binary releases

Java agent

  • Replace Mozilla Rhino with OpenRASP-v8 component
  • Removed native implementation of SQLi/SSRF detection algorithm
  • Temporarily disabled support of JRockit JDK
    • WebLogic 10.3.6 still works with Oracle JDK, i.e. export JAVA_VENDOR=Sun

JavaScript plugin system

  • Removed console coloring support

New features

General changes

  • Add monitoring of MySQL authentication failure
  • Add detection of weak password for database connections

Java agent

  • Add a new algorithm xxe_disable_entity

Version 1.0

12 Apr 05:13

Chinese release notes
Download (China mirror)

Breaking changes

General changes

  • Added a header field to alarm logs; the existing duplicated fields are removed
  • Configuration file format changed from toml to yaml
  • Only add Location header when HTTP response code is set to 302

Management panel

  • Configuration item AgentServerURL and PanelServerURL moved to management panel

PHP agent

  • Disabled fswatch in binary releases. Recompile with --enable-fswatch to enable it.
  • Replaced rapidjson library with nlohmann/json
  • Disable security baseline in cli mode

Java agent

  • Removed rasp-log4j.xml from startup command-line arguments

New features

General changes

  • Add support of JSON parameter to security plugins
  • Add support of application hardening, e.g. clickjacking and reflected XSS
  • Add support of code decompilation

PHP agent

  • Add support of PHP 7.3

Java agent

  • Add support of SpringBoot (Undertow) server
  • Add support of WebLogic application server
  • Add support of JBoss application server (6.X - 8.X)
  • Add support of JDK 11
  • Collect OS environment information
  • Add experimental support of the ATTACH method; only installation and uninstallation are supported

Management panel

  • Multiple UX enhancements

Algorithm improvements

Security baseline

  • Detect empty password in Tomcat management panel

SQLi

  • Detect SQL exceptions in applications, e.g. syntax errors

SSRF

  • Add target port information

File Upload

  • Add multipart parameter name information

WebShell

  • Block LD_PRELOAD based webshell

Deserialization

  • Block JNDI based reflected command execution

Version 1.0.0 RC1

03 Jan 13:25

Chinese release notes

New features

Java agent

  • Add hooks of okhttp/okhttp3 library

General improvements

  • Add remote management capability
  • Add tag field in syslog output
  • Added native LRU implementation
    • Effective for sql, ssrf, readFile, writeFile hooks only

Breaking changes

PHP agent

  • Finally removed support of Windows server

Algorithm improvements

Command injection

  • Add a simple Bash/CMD parser to detect command injection attacks
  • Block JBoss EL based command execution attacks

Bug fixes

Java agent

  • Fix a null pointer exception in Dubbo RPC hook

PHP agent

  • Fix a segfault in PHP mysql session handler

Version 0.50

29 Oct 07:20

Chinese release notes

New features

Java

  • Add support of WebSphere server (8.5, 9.0)

General changes

  • Added an algorithm field to alarm logs, making it easier to identify the algorithm in action

Version 0.42

26 Sep 12:21

Chinese release notes

Breaking changes

  • No longer monitor SQL slow queries
  • Dubbo RPC parameter name changed from openrasp-dubbo-X to dubbo-X

New features

  • Add request_method field in alarm logs

Bug fixes

  • Fixed the "No modifications are allowed to a locked ParameterMap" error in certain Tomcat versions

Algorithm improvements

Rename

  • Resolved a potential false positive in rename_webshell algorithm

Deserialization

  • Add detection of commons.collections4 payload

Version 0.41

17 Sep 09:20

Chinese release notes

Breaking changes

Java Agent

  • Configuration item block.url renamed to block.redirect_url, with template support added

PHP agent

  • Configuration item openrasp.block_url renamed to openrasp.block_redirect_url, with template support added
  • Ignored PHP timezone settings in all kinds of logs
    • Replaced with system time
  • Removed the builtin webshell_include hook

JS API

  • Added token start/stop index to RASP.sql_tokenize method
  • For the Java agent, appBasePath now points to the application deployment folder, e.g. /tomcat/webapps/vulns

New features

Java agent

  • Add more security baseline validation for JBoss
    • Check if authentication for /jmx-console/HTMLAdaptor is enabled
  • When an attack is blocked and the client is expecting output in JSON/XML format, OpenRASP can serve a customized content
    • Template configurable via block.content_xml and block.content_json
  • Added new configuration item plugin.filter
    • Effective for include/rename/readFile hooks only
    • When it's on, OpenRASP won't execute the JS plugin when the target file does not exist
    • Enabled by default
  • Added a new field client_ip in alarm logs
    • Represents the real IP address of the client
    • Retrieved from a user-specified HTTP header, e.g. X-Client-IP
    • Configurable via clientip.header

PHP agent

  • Users can disable all hooks by adding openrasp.hooks_ignore=all to php.ini
  • Added a new field client_ip in alarm logs, similar to the Java agent
    • Configurable via openrasp.clientip_header
  • Added a new configuration item openrasp.plugin_filter, similar to Java agent
  • Added two new configuration items openrasp.block_content_json and openrasp.block_content_xml, similar to Java agent

Algorithm improvements

SSRF

  • Block more potentially dangerous protocols, e.g. netloc://, jar://

SQLi

  • Re-implemented LRU algorithm with linked list, improves performance

Path traversal

  • Add a new algorithm: check if the filename ends with user input and contains a path traversal signature
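The check described in this item can be expressed in a few lines. The following is an added illustration written for this page, not OpenRASP's own plugin code; the function names, the parameter-map shape (name to array of string values) and the two traversal signatures it matches are assumptions made for the example. It reports the request parameter whose value both ends the opened filename and carries a traversal signature, and stays silent when the user input is not what the filename ends with.

```javascript
// Added example (not OpenRASP's own code): the path traversal heuristic from
// the 0.41 release notes. A hit requires both conditions at once: the opened
// filename ends with a request parameter value, and that value contains a
// traversal signature. Names and the parameter-map shape are assumptions.

// Constructed signature list; "../" and "..\\" are the two forms checked here.
const TRAVERSAL_SIGNATURES = ['../', '..\\'];

function hasTraversalSignature(value) {
  return TRAVERSAL_SIGNATURES.some((sig) => value.includes(sig));
}

// filename: the path the application is about to open.
// params:   object mapping parameter name -> array of string values.
// Returns the offending parameter name, or null when nothing matches.
function findTraversalParam(filename, params) {
  for (const [name, values] of Object.entries(params)) {
    for (const value of values) {
      // Empty values would trivially satisfy endsWith(); skip them.
      if (value.length === 0) continue;
      if (filename.endsWith(value) && hasTraversalSignature(value)) {
        return name;
      }
    }
  }
  return null;
}

// Constructed sample requests for a stand-alone run.
const samples = [
  // user input ends the filename and traverses -> hit on "file"
  { filename: '/var/www/app/uploads/../../../../etc/passwd',
    params: { file: ['../../../../etc/passwd'] } },
  // benign request: same parameter, no signature -> no hit
  { filename: '/var/www/app/uploads/report.pdf',
    params: { file: ['report.pdf'] } },
  // the traversing value sits in a second parameter -> hit on "other"
  { filename: '/var/www/app/templates/../config/db.yml',
    params: { tpl: ['header'], other: ['../config/db.yml'] } },
  // traversing value present, but the filename does not end with it -> no hit
  { filename: '/var/www/app/uploads/x',
    params: { file: ['../../etc/passwd'] } },
];

for (const s of samples) {
  console.log(s.filename, '->', findTraversalParam(s.filename, s.params));
}
```

The last sample is the point of the "ends with" condition: a parameter that merely contains a traversal string does not fire unless the application actually used it as the tail of the path, which is what keeps the heuristic's false-positive rate low.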

XXE

  • Filtered out entity files with .dtd/.xml extension

Rename

  • Filtered out source files without a regular extension

File write

  • writeFile_script algorithm now disabled by default

SQL slow query

  • Now disabled by default

Bug fixes

PHP agent

  • Fixed an issue where the array_filter hook did not process its parameter correctly
  • Alarm logs: add hostname in the URL field