
Version 0.41

Released by @CaledoniaProject on 17 Sep 09:20

Chinese version

Breaking changes

Java Agent

  • Configuration item block.url renamed to block.redirect_url; the value now supports templates

PHP agent

  • Configuration item openrasp.block_url renamed to openrasp.block_redirect_url; the value now supports templates
  • The PHP timezone setting is ignored in all kinds of logs
    • Timestamps are written in system time instead
  • Removed the built-in webshell_include hook

JS API

  • The RASP.sql_tokenize method now returns the start and stop index of each token
  • For the Java agent, appBasePath now points to the application deployment folder, e.g. /tomcat/webapps/vulns

New features

Java agent

  • Added more security baseline checks for JBoss
    • Checks whether authentication is enabled for /jmx-console/HTMLAdaptor
  • When an attack is blocked and the client expects a JSON or XML response, OpenRASP can serve customized content instead
    • Templates configurable via block.content_xml and block.content_json
  • Added new configuration item plugin.filter
    • Applies to the include/rename/readFile hooks only
    • When on, OpenRASP skips running the JS plugin if the target file does not exist
    • Enabled by default
  • Added a new field client_ip to alarm logs
    • Represents the real IP address of the client
    • Read from a user-specified HTTP header, e.g. X-Client-IP
    • Configurable via clientip.header
    • This value is only as trustworthy as the component that sets the header: configure a header that your reverse proxy or load balancer overwrites on every request, since otherwise a client can supply an arbitrary value and spoof the address recorded in alarm logs

PHP agent

  • Users can disable all hooks by adding openrasp.hooks_ignore=all to php.ini (this turns off all OpenRASP detection for that PHP process)
  • Added a new field client_ip to alarm logs, as in the Java agent; the same spoofing caveat applies
    • Configurable via openrasp.clientip_header
  • Added a new configuration item openrasp.plugin_filter, as in the Java agent
  • Added two new configuration items openrasp.block_content_json and openrasp.block_content_xml, as in the Java agent

Algorithm improvements

SSRF

  • Blocks more potentially dangerous protocols, e.g. netloc://, jar://

SQLi

  • Re-implemented the LRU cache with a linked list, improving performance

Path traversal

  • Added a new algorithm: flags the operation when the filename ends with a user-input value and that input contains a path traversal signature
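
The path traversal rule above, as an added example in plugin-style JavaScript. This is not OpenRASP's own plugin code: the function names, the `{ action: ... }` return shape, the minimum-length filter on parameter values and the sample requests are assumptions of this example, not something the release notes specify. It reads the rule as: flag a file operation when some request parameter value is a suffix of the target path and that value itself contains `../` or `..\`.

```javascript
// Added example, not OpenRASP's plugin code. Demonstrates the
// "filename ends with user input and contains a traversal signature" check.
// All request data below is constructed sample input.

// Traversal signatures on POSIX and Windows paths: "../" and "..\".
const TRAVERSAL_RE = /\.\.[\/\\]/;

// Normalise separators so that Windows and POSIX paths compare alike.
function normalise(p) {
  return p.replace(/\\/g, '/');
}

// Return the name of the first request parameter whose value is a suffix of
// the target path and contains a traversal sequence, or null if none matches.
// `parameters` maps a parameter name to an array of string values, the shape
// most web frameworks use for query/form data (assumed here).
function findTraversalParam(targetPath, parameters) {
  const path = normalise(targetPath);
  for (const [name, values] of Object.entries(parameters)) {
    for (const raw of values) {
      if (typeof raw !== 'string') continue;
      const value = normalise(raw);
      // Very short values ("..", "/") would match far too many legitimate
      // paths and produce false positives, so they are skipped (assumption).
      if (value.length < 4) continue;
      if (path.endsWith(value) && TRAVERSAL_RE.test(value)) {
        return name;
      }
    }
  }
  return null;
}

// Decision in the shape a RASP hook typically returns (assumed shape):
// block when the check fires, otherwise let the file operation through.
function checkReadFile(targetPath, parameters) {
  const param = findTraversalParam(targetPath, parameters);
  if (param !== null) {
    return { action: 'block', message: `path traversal via parameter "${param}"` };
  }
  return { action: 'ignore' };
}

// Constructed sample requests covering the cases the rule must distinguish.
const samples = [
  // Attacker-supplied traversal sequence ends up as the suffix of the path.
  { path: '/var/www/app/uploads/../../../../etc/passwd',
    parameters: { file: ['../../../../etc/passwd'] } },
  // The path contains ".." but the user-controlled part does not: allowed.
  { path: '/var/www/app/../app/uploads/report.pdf',
    parameters: { file: ['report.pdf'] } },
  // Same attack with Windows separators.
  { path: 'C:\\inetpub\\wwwroot\\uploads\\..\\..\\windows\\win.ini',
    parameters: { name: ['..\\..\\windows\\win.ini'] } },
  // A bare ".." is too short to be treated as evidence on its own.
  { path: '/tmp/x/..', parameters: { a: ['..'] } },
];

// Run every sample through the hook and return the list of decisions.
function runSamples() {
  return samples.map((s) => checkReadFile(s.path, s.parameters).action);
}

console.log(runSamples()); // [ 'block', 'ignore', 'block', 'ignore' ]
```

Matching only a suffix of the path is what keeps this rule cheap and low-noise: a `..` that the application itself put into a path (the second sample) never fires, while a traversal sequence that the request supplied and that survived into the final path does.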

XXE

  • Entity files with a .dtd or .xml extension are no longer flagged

Rename

  • Renames whose source file has no normal extension are no longer flagged

File write

  • The writeFile_script algorithm is now disabled by default

SQL slow query

  • Now disabled by default

Bug fixes

PHP agent

  • Fixed an issue where the array_filter hook did not process its parameters correctly
  • Alarm logs: the URL field now includes the hostname