4 April 2022, v2.3.0-rc1

v2.3.0

This is the first release candidate for v2.3.0 which features the GraphQL API for testing and feedback.

Added

  • User profiles now have a role field for managing permissions in the upcoming GraphQL API
  • Added components for upcoming GraphQL API that are only available with local.yml for testing in development environments
    • New Docker container for Hasura GraphQL engine
    • Work-in-progress Hasura metadata for the GraphQL API
    • New HASURA_ACTION_SECRET environment variable in env templates
    • New utilities for generating and managing JSON Web Tokens for the GraphQL API
  • Added support for block quotes in report templates and WYSIWYG editor
  • Added ProjectInvite and ClientInvite models to support upcoming role-based access controls
  • Added a menu option to export a project scope to a text file from the project dashboard
    • Exports only the scope list for easy use with other tools, e.g., Nmap

Changed

  • Disabled L10N by default in favor of using DATE_FORMAT for managing the server's preferred date format (closes #193)
  • Updated env templates with a DATE_FORMAT configuration for managing your preferred format
    • See updated installation documentation on ghostwriter.wiki
  • User profiles now only show the user's role, groups, and Ghostwriter user status to the profile owner
  • Updated nginx.conf to align it with Mozilla's recommendations for nginx v1.21.1 and OpenSSL 1.1.1l
  • Toast messages for errors are no longer sticky so they do not have to be manually dismissed when covering UI elements
  • Domain list table now shows an "Expiry" column, and the "Categories" column now parses the new categorization JSON field data
  • Domain list filtering now includes a "Filter Expired" toggle that is on by default
    • Filters out domains with expiration dates in the past and auto_renew set to False even if the status is set to "Available"
  • The table on the domain list page and the menu on the domain details page will no longer disable the check out option if a domain's status is set to "Burned"
  • Simplified usage of the format_datetime filter
    • Filter now accepts only two arguments: the date and the new format string
    • The format string should use Django values (e.g., M d, Y) instead of values translated to Python's standard (e.g., %b %d, %Y)
  • Simplified usage of the add_days filter
    • Filter now accepts only two arguments: the date and an integer

Deprecated

  • v2.2.x usage of the format_datetime and add_days filters is deprecated in v2.3.0
    • Both filters will no longer accept Python-style strftime strings
    • Both filters no longer need or accept the current_format and format_str parameters
    • Templates using the old style will fail linting
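The two-argument filter signatures described under "Changed", and the lint rule described under "Deprecated", as an added illustration that is not Ghostwriter's own code: a hypothetical stand-alone Python approximation of format_datetime and add_days that supports only a small subset of Django's date-format characters and rejects v2.2.x-style strftime strings.

```python
from datetime import date, timedelta

# Hypothetical stand-alone approximation of the v2.3.0 filter signatures;
# only this subset of Django's date-format characters is supported
# (Django's own formatter, django.utils.dateformat, provides the full set).
_TOKENS = {
    "d": lambda v: f"{v.day:02d}",        # day, zero-padded
    "j": lambda v: str(v.day),            # day, no padding
    "m": lambda v: f"{v.month:02d}",      # month, zero-padded
    "n": lambda v: str(v.month),          # month, no padding
    "M": lambda v: v.strftime("%b"),      # short month name
    "F": lambda v: v.strftime("%B"),      # full month name
    "Y": lambda v: f"{v.year:04d}",       # four-digit year
    "y": lambda v: f"{v.year % 100:02d}", # two-digit year
    "D": lambda v: v.strftime("%a"),      # short weekday name
    "l": lambda v: v.strftime("%A"),      # full weekday name
}

def is_old_style(format_str: str) -> bool:
    """True for a v2.2.x strftime-style string such as '%b %d, %Y'."""
    return "%" in format_str

def format_datetime(value: date, format_str: str) -> str:
    """Render value with a Django-style format string such as 'M d, Y'."""
    if is_old_style(format_str):  # what the template linter rejects
        raise ValueError(f"deprecated strftime format {format_str!r}")
    out, chars = [], iter(format_str)
    for ch in chars:
        if ch == "\\":            # backslash escapes the next character
            out.append(next(chars, ""))
        elif ch in _TOKENS:
            out.append(_TOKENS[ch](value))
        else:                     # punctuation and spaces pass through
            out.append(ch)
    return "".join(out)

def add_days(value: date, days: int) -> date:
    """Shift value by an integer number of days (the second argument)."""
    return value + timedelta(days=int(days))

def demo() -> dict:
    """Constructed sample: this release's date run through both filters."""
    release = date(2022, 4, 4)
    return {
        "release": format_datetime(release, "M d, Y"),               # Apr 04, 2022
        "plus_30": format_datetime(add_days(release, 30), "j F Y"),  # 4 May 2022
        "escaped": format_datetime(release, r"\d d/m/y"),            # d 04/04/22
    }
```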

Removed

  • Removed "WHOIS Privacy" column on domain list page to make room for more pertinent information

Fixed

  • Bumped djangorestframework-api-key to v2.2.0 to fix REST API key creation (closes #197)
  • Overrode Django's get_full_name() method used for the admin site so the user's proper full name is displayed in history logs
  • Fixed project dashboard's "Import Oplog" button not pointing to the correct URL
  • Fixed URL conflicts with export links for domains, servers, and findings

Security

  • Restricted edit and delete actions on notes to close the possibility of other users editing or deleting notes they do not own