baidu/openrasp v0.41 on GitHub

Java Agent

Configuration item block.url renamed to block.redirect_url and added template support

PHP agent

Configuration item openrasp.block_url renamed to openrasp.block_redirect_url and added template support
Ignored PHP timezone settings in all kind of logs
- Replaced with system time
Removed the builtin webshell_include hook

JS API

Added token start/stop index to RASP.sql_tokenize method
For Java agent, appBasePath now point to application deployment folder, e.g /tomcat/webapps/vulns

Java agent

Add more security baseline validation for JBoss
- Check if authentication for /jmx-console/HTMLAdaptor is enabled
When an attack is blocked and the client is expecting output in JSON/XML format, OpenRASP can serve a customized content
- Template configurable via block.content_xml and block.content_json
Added new configuration item plugin.filter
- Effective for include/rename/readFile hooks only
- When it's on, OpenRASP won't execute JS plugin when the target file does not exist
- Enabled by default
Added a new field client_ip in alarm logs
- Represents the real IP address of the client
- Retrieved from user specified HTTP header, e.g X-Client-IP
- Configurable via clientip.header

PHP agent

User can disable all hooks by adding openrasp.hooks_ignore=all in php.ini
Added a new field client_ip in alarm logs, similar to Java agent
- configurable via openrasp.clientip_header
Added a new configuration item openrasp.plugin_filter, similar to Java agent
Added two new configuration items openrasp.block_content_json and openrasp.block_content_xml, similar to Java agent

SSRF

SQLi

Path traversal

Add a new algorithm: check if the filename ends with userinput and contains path traversal signature

XXE

Rename

File write

SQL slow query

PHP agent

Fixed an ISSUE where array_filter hook does not process the parameter correctly
Alarm logs: add hostname in the URL field

baidu/openrasp v0.41 Version 0.41 on GitHub