Prelude
Application Security Management (ASM) has added Django support for blocking malicious users using one click within Datadog.
Note
One click blocking for ASM is currently in beta.
Deprecation Notes
- dbapi: ddtrace.ext.mongo.ROWS is deprecated. Use ddtrace.ext.db.ROWCOUNT instead.
New Features
- starlette: Add http.route tag to starlette.request spans.
- fastapi: Add http.route tag to fastapi.request spans.
- ASM: Add support for one click blocking of user ids with the Django framework using Remote Configuration Management.
- ASM: This introduces the "suspicious request blocking" feature for Django and Flask.
Known Issues
- ASM: There is a known issue with the Flask support for any rule blocking on server.request.path_params. The request will be correctly blocked but the client application will be receiving and processing the suspicious request. Possible workaround: use server.request.uri.raw instead, if you want the request to be blocked before entering the Flask application.
Bug Fixes
- dbapi: The dbapi integration no longer assumes that a cursor object will have a rowcount as not all database drivers implement rowcount.
- dbm: Support sql queries with the type byte.
- elasticsearch: Omit large elasticsearch.body tag values that are greater than 25000 characters to prevent traces from being too large to send.
- aws_lambda: This fix resolves an issue where existing signals were wrapped multiple times.
- profiling: Handles a race condition on process shutdown that would cause an error about a module not being started to occasionally appear in the logs.
- Fix for KeyError exceptions when ASM_FEATURES (1-click activation) disabled all ASM products. This could cause 1-click activation to work incorrectly in some cases.
- django: Fixes an issue where http.route was only set if use_handler_resource_format and use_legacy_resource_format were set to False.
- ASM: Resolves installation issues with compiling native code on Windows and unknown platforms.
- dynamic_instrumentation: This change fixes a bug whereby probes that have been disabled/removed from the front-end would not be removed by the client library.
- httplib: Fixes an issue with patching of http client upon import.
- Ensure DD_REMOTE_CONFIGURATION_ENABLED environment variable disables remote config if set to False.
- ASM: Solve some corner cases where a Flask blocking request would fail because headers would be already sent.
- ASM: Solve the content-type not always being correct in blocking responses.
- ASM: Ensure the blocking responses have the following tags: http.url, http.query_string, http.useragent, http.method, http.response.headers.content-type and http.response.headers.content-length.
- ASM: Fix memory leaks and memory corruption in the interface between ASM and the WAF library.
- psycopg2: Fixes a bug with DSN parsing integration.
Other Changes
- remote_config: Change the level of remote config startup logs to debug.