v0.12.1

Fixes

• (d81222d) Add missing request parameters when both JSON values and form values were present - only the form values were taken into account.

• (ee22b77) Upgrade the In-App WAF library to v0.7.0:

  • Fix false positives in libinjection SQL heuristics.
  • Fix a false positive in libinjection XSS heuristics.
  • Add support for boolean values.
  • Add support for float values.
  • Fix memory deallocator of scalar values.

• (c203264) Fix data bindings with null values.

Internal Changes

• (c425760) Avoid copying the metadata returned by the In-App WAF.

v0.12.0

New Features

• (#130) In-App WAF protection of the HTTP request body:
  Since the HTTP request handler needs to explicitly read the request body, and ultimately parse it into a Go value, the In-App WAF is now applied to new points in the request lifecycle:

  1. Reading the request body is now monitored until EOF is reached, and the raw body bytes are made available to the In-App WAF rules via a new In-App WAF field Body. Note that such In-App WAF rules can be created on custom In-App WAF rulesets only.

  2. Parsers can be now protected by the In-App WAF once they have parsed a request input into a Go value. The parsed value is made available to the In-App WAF rules via the GET/POST parameters field. Every existing In-App WAF rule using this field therefore applies.
     This new feature is firstly deployed on Gin's ShouldBind() method which is Gin's function to parse HTTP request values. It allows to cover every parser Gin provides such as BindJSON(), BindXML(), etc.

  When blocked, the function returns a non-nil SqreenError value and the caller should immediately return.
  Read more about the blocking behavior of Sqreen for Go at https://docs.sqreen.com/go/integration.

• (#129) Update Sqreen's blocking HTML page with a clearer description of what users getting it should do.

Fix

• (794d6e2) Allow port numbers in the X-Forwarded-For header.

v0.11.0

New Features

• (#119) RASP: add Shell Injection protection support. This protection is currently dynamically applied to os.StartProcess() which is the only entry point of the Go standard library to execute a process. This protection can be configured at https://my.sqreen.com/application/goto/modules/rasp/details/shi.

• (#119) RASP: add Local File Inclusion protection support. This protection is currently dynamically applied to os.Open() which is the only entry point of the Go standard library to open a file for reading. This protection can be configured at https://my.sqreen.com/application/goto/modules/rasp/details/lfi.

• (#120) RASP: add Server-Side Request Forgery protection support. This protection is currently dynamically applied to net/http.(*Client).do() which is the only entry point of the Go standard library to perform an HTTP request. This protection can be configured at https://my.sqreen.com/application/goto/modules/rasp/details/ssrf.

• (#125) RASP: enable SQL Injection protection for every MySQL, Oracle, SQLite and PostgreSQL drivers listed in the Go language wiki page https://github.com/golang/go/wiki/SQLDrivers.

• (#115) RASP: store Sqreen's request protection context into the Goroutine Local Storage (GLS). Therefore, Sqreen can now protect every Go function without requiring the request Go context (eg. both QueryContext() and Query() can be now protected against SQL injections). For now, this protection context is only available in the goroutine handling the request, and sub-goroutines are not protected. Further support will be added very soon to remove this limitation.

• (#121) Add IP denylist support: block every request performed by an IP address of the denylist. Every usage of whitelist and blacklist in the agent was also removed when possible. The IP denylist can be configured at https://my.sqreen.com/application/goto/settings/denylist.

• (#122) Add path passlist support: requests performed on those paths are not monitored nor protected by Sqreen. The Path passlist can be configured at https://my.sqreen.com/application/goto/settings/passlist.

• (#123) Export the error type returned by Sqreen protections when blocking in the new SDK package github.com/sqreen/go-agent/sdk/types in order to avoid retrying blocked function calls (eg. avoid retrying a blocked SQL query). It must be used along with errors.As() to detect such cases. Read more at https://godoc.org/github.com/sqreen/go-agent/sdk/types.

• (#124) Allow to "quickly" remove the agent from a program by only removing it from the source code without disabling the program instrumentation. This is made possible by making the instrumentation fully autonomous to avoid compilation errors.

Fixes

• Gin Middleware: fix the HTTP status code monitoring that was possibly changed by Gin after having been already written.

Internal Changes

• (#126) Cache request value lookups, mainly to accelerate the In-App WAF when lots of rulesets are enabled.

• (#117) Simpler Go vendoring support implementation.

• (#113) Significant JavaScript performance improvements by changing the virtual machine to github.com/dop251/goja.

• (#114) Add Goroutine Local Storage (GLS) support through static instrumentation of the Go runtime.

v0.10.1

Fix

• (#116) Fix the instrumentation tool ignoring vendored packages and leading to missing hook points in the agent.

v0.10.0

New Features

• (#109) Make the PII sanitizer configurable with two new configuration entries
  allowing to control the regular expressions used to sanitize everything sent
  to Sqreen. The agent doesn't start in case of an invalid regular expression.
  Read more on how it works on this page.

• (#110) The net/http middleware now includes URL segments in the request
  parameters to increase the coverage we have on frameworks compatible with it,
  such as gorilla or beego.

Internal Changes

• (#107) Backend API: integrate the security signal HTTP API.

Fixes

• (#108) Update the token validation to correctly handle the new token format.

• (#111) Fix the JSON serialization function of HTTP headers monitored by the
  agent that could fail depending on the header values. Note that the JSON
  serialization of the parent data structure safely catches any JSON injection
  attempt.

Documentation

• Add quick start examples for common build and deployment environments such as
  docker images, heroku and google app engine.

• Document Heroku installation at https://docs.sqreen.com/go/installation/heroku.

• Document Google App Engine installation at https://docs.sqreen.com/go/installation/google-app-engine.

• Document Docker image installation at https://docs.sqreen.com/go/installation/docker.

• Document PII scrubbing configuration at https://docs.sqreen.com/go/configuration/#personally-identifiable-information-scrubbing.

v0.9.3

Fixes:

• In-App WAF: update the library to latest v0.6.1 which fixes issues of WAF rules with multiple parameters: when one of them was missing, the rule didn't execute as expected (logical or instead of the logical and).

• Agent-version reporting issue leading to a false message about the agent version on the dashboard.

v0.9.1

Fixes

• (#99) Fix mistakenly enforced HTTP status code 200 when Sqreen's middleware
  function is not the first in the request handling chain. This issue appeared
  when not adding Sqreen's middleware function as the root HTTP middleware.

• (#100) Fix the monitoring of HTTP response codes mistakenly considered 200
  when set by the request handlers.

• (#101) Prevent starting the agent when the instrumentation tool and agent
  versions are not the same.

Documentation

• Add the wonderful Sqreen Gopher to the readme 🎉

v0.9.0

This new major version says farewell to the beta and adds SQL-injection run time protection thanks to the first building blocks of RASP for the Go language! Thank you to everyone who helped us in this wonderful and amazing journey ;-)

The Go agent has been protecting production servers for more than a year now and we reached the point where we are confident enough about its deployment, setup, but also its internals and specific integrations with the Go language and runtime.

We are getting closer to the fully-featured agent v1.0 as we will now be able to fully add support for every RASP protection.

Breaking Changes

Because we now want a stable public API, find below the breaking changes:

• The former separate agent package github.com/sqreen/go-agent/agent that was asked to import in order to start the agent is no longer required nor available. This is now performed by the middleware functions we provide in order to avoid the most common setup mistake during the beta where only the agent was setup and no middleware function was set to protect the requests (and therefore nothing was happening).

• SDK: the user identification SDK method Identify() has been updated to be simpler to use and less error-prone by now making it return a non-nil error when the request handler shouldn't continue any further serving the request. It happens when a user security response has matched the identified user. This replaces the former separate SDK method MatchSecurityResponse().
  New usage example:

  sqUser := sq.ForUser(sdk.EventUserIdentifiersMap{"uid": "unique user id"})
  if err := sqUser.Identify(); err != nil {
    return
  }

• The agent no longer starts if the program wasn't instrumented by using the instrumentation tool. See docs.sqreen.com/go/installation for details on how to install and use the tool. Note that the program is not aborted - only the agent is disabled.

• Dropping gRPC support: the beta support for gRPC was experimental and was in the end too limited by Sqreen's focus on the HTTP protocol. Most of our protections are indeed designed for HTTP and couldn't be applied at the gRPC protocol level. We are therefore removing it until we can provide a correct experience for such HTTP-based protocol.
  Please contact us if you need any further information or if you are interested in helping us building it (support@sqreen.com).

New Features

• SQL-injection RASP protection: when enabled on Sqreen's dashboard, the database/sql Go package gets automatically protected against SQL injections. SQL queries go through our SQL-injection detection which will abort the SQL function call and corresponding HTTP request when an attack is detected. Note that special care was taken to properly integrate with Go error-handling principles: when a SQL query gets blocked, the HTTP request context is canceled and a non-nil error is returned by the database/sql function call in order to fall into the existing error-handling flow. For example:

  // The following query can be injected. An error is returned when the SQL query was blocked.
  rows, err := db.QueryContext(ctx, "select id, name from users where id=" + unsafe)
  if err != nil {
    return err
  }

  Read more about Go integration details at http://docs.sqreen.com/go/integration.

• Dashboard diagnostic messages: major setup issues are now also reported through Sqreen's dashboard page of running hosts to get notified about some downgraded states of the agent, such as:

  • The Go program is not instrumented so the agent didn't start.
  • The In-App WAF wasn't compiled (eg. CGO disabled) so it is unavailable and
    disabled.
  • The program dependencies couldn't be retrieved because the program was not
    compiled as a Go module. This is also shown by the dashboard when the list
    of dependencies is empty.

v0.1.0-beta.10

The tag v0.1.0-rc.1 is also provided as a workaround for dependency management tools having issues to correctly handle tags beyond 9.

Breaking Change

• (#89) Go instrumentation: Sqreen's dynamic configuration of the protection of your Go programs is made possible at run time thanks to Go instrumentation. It is a building block of the upcoming run time self-protection (aka RASP) and it is safely performed at compilation time by an instrumentation tool that seamlessly integrates with the Go toolchain. To begin, only a specific set of Go packages are instrumented: the agent and database/sql (to prepare the upcoming SQL injection protection).

  Please, find out how to install and use the tool on the new agent installation documentation available at https://docs.sqreen.com/go/installation/.

New Features

• (#90) The SDK now imports the agent package to no longer have to import it in the main package. The SDK is indeed mandatory when setting up Sqreen for Go, making it the best place to import the agent.

• (#91) The program dependencies are now sent to Sqreen to perform dependency analysis (outdated, vulnerable, etc.). They are only available when the Go program you compile is a Go module. Sqreen's dashboard Dependency page will be made available soon.

Fix

• (#92) Vendoring using go mod vendor could lead to compilation errors due to missing files.

v0.1.0-beta.9

New Features

• Request parameters such as query or post parameters are now added in the attack
  events and shown in the attack logs and in the event explorer pages of our dashboard. (#84)

• PII scrubbing is now performed on every event sent to Sqreen, as documented
  on https://docs.sqreen.com/guides/how-sqreen-works/#pii-scrubbing. (#86)

Fixes

• Add PII scrubbing to the WAF logs that may include data from the request. (#87)

Internal Changes

• The In-App WAF has been intensively optimized so that large requests can no longer impact
  its execution time. (#83)