Comment on page

16 February 2022, v2.2.3


This is the final release of v2.2.3. This release contains everything from the release candidates with the addition of some minor changes. This page contains a complete changelog from v2.2.3-rc1, v2.2.3-rc2, and v2.2.3.

New Features

  • Expanded user profiles for project management and planning
    • Now visible to all users under /users/
    • Include timezone and phone number fields -Users can now edit their profiles to update their preferred name, phone, timezone, and email address


  • Fixed display of minutes for project working hours
  • Fixed "incomplete file" issue when attempting to download a report template
  • Fixed report archiving failing to write zip file
  • Fixed toast messages not showing up when swapping report templates
  • Fixed sidebar tab appearing below delete confirmations
  • Fixed cloud server forms requiring users to fill in all auxiliary IP addresses
  • Fixed project serialization issue that prevented project data from loading automatically for domain and server checkout forms
  • Fixed active project filtering for the list in the sidebar so it will no longer contain some projects marked as completed
  • Fixed a rare reporting error that could occur if the WYSIWYG editor created a block of nested HTML tags with no content
  • Fixed ignore tags not working for Digital Ocean assets
  • Fixed an error caused by cascading deletes when deleting a report under some circumstances
  • Fixed template linter not recognizing phone numbers for project team members as valid (Fixes #190)
  • Fixed a rare reporting issue related to nested lists that could occur if a nested list existed below an otherwise blank list item


  • Updated project list filtering
    • Added client name as a filter field
    • Changed default display filter to only show active projects
    • Adjusted project status filter to have three options: all projects, active projects, and completed projects
  • Updated dashboard and calendar to show past and current events for browsing history within the calendar
    • Past events marked as completed will appear dimed with a strikethrough and : Complete added to the end
  • Upgraded dependencies to their latest versions (where possible)
    • Django v3.1.13 -> v3.2.11
    • Did not upgrade docxtpl
      • Awaiting to see how the developer wants to proceed with issue #114
      • Not upgrading from 0.12 to the latest 0.15.2 has no effect on Ghostwriter at this time
  • Collapsed the Domain model's various categorization fields into a single categorization field with PostgreSQL's JSONField type
    • An important milestone/change for the upcoming GraphQL API
    • Categorization is no longer limited to specific vendors
    • Going forward, the field can be manually updated with valid JSON
    • Ghostwriter will look for JSON formatted as a series of keys and values: {"COMPANY": "CATEGORY", "COMPANY": "CATEGORY",}
  • Converted the ReportTemplate model's lint_result field to a PostgreSQL JSONField
    • An important milestone/change for the upcoming GraphQL API
    • This change increases reliability and performance by removing any need to transform a string representation back into a dict
    • Little to no impact on users but templates may need to be linted again after the upgrade
    • If a template is affected, the status will change to "Unknown" with a single warning note: "Need to re-run linting following your Ghostwriter upgrade"
  • Converted the Domain model's dns_record field to a PostgreSQL JSONField and renamed it to dns for simplicity
    • An important milestone/change for the upcoming GraphQL API
    • This change increases reliability and performance by removing any need to transform a string representation back into a dict
    • This field was always intended to be edited only by the server, so this change should not require any actions before or after upgrading
    • If an existing record's DNS data cannot be converted to JSON it will be cleared and user's can re-run the DNS update task
  • Added a "sticky" sidebar tracker to user sessions so the sidebar will stay open or closed between visits and page changes
  • Removed the legacy health_dns field from the Domain model
    • This field was part of the original Shepherd project and was an interesting experiment in using passive DNS monitoring to try to determine if a domain was "burned"
    • It became mostly irrelevant when services that supported this feature (e.g., eSentire's Cymon) were retired
  • Changed some code that will be deprecated in future versions of Django v4.x and Python Faker
  • Made it possible to sort the report template list
    • Sorting on this table is reversed so clicking "Status" once will sort templates with passing linter checks first
  • Updated the admin panel to make it easier to manage domains for those who prefer the admin panel
  • Projects now sort in reverse so the most recent projects appear first
  • Updated the report selection section of the sidebar to make it easier to switch reports when working on multiple and navigate to your current report
  • The logging API key message now includes the project ID to make it easier to set up a tool like mythic_sync
  • Removed the "Upload Evidence" button from editors where it does not apply (e.g., in the Finding Library outside of a report) (Fixes #185)
  • Updated the Namecheap sync task to use paging so Namecheap libraries with more than 100 domains can be fully synced (Fixes #188)
  • Dashboard once again has a "Project Assignments" card to make it easier to see and click projects
    • The calendar remains on the dashboard and is still clickable, but some people found it less intuitive as a shortcut
  • Some general code clean-up for maintainability

Security Changes

  • Updated Django to v3.2.11 as v3.1 is no longer supported and considered "insecure" going forward
  • Fixed unauthenticated access to domain and server library exports
  • Updated TinyMCE to v5.10.1 to address several moderate security issues with <5.10