Releases: SAP/project-foxhound
Releases · SAP/project-foxhound
v140.0.2
What's Changed
News 📰
- 🎉 Thanks for everyone who attended our Arsenal demo session at Black Hat Europe last year!
- We also announced integration with ZAP with a dedicated Foxhound AddOn. More to come in 2026!
Upstream Versions 🦊
- Great big rebase (#289): GitHub history is now rebased to align with the Firefox repo
- Firefox v140.0.2, specifically: 3613731
- Compatible with patches for Playwright 1.56 (#353): https://github.com/microsoft/playwright/tree/release-1.56
- Requires Rust version 1.86.0 to build
Features 🚀
- :letter: Added a built-in extension to send JSON serialized taint information to an external server (#340, #347, #335) by @tmbrbr
- Adding URL related taint operations (#350) by @tmbrbr
- Propagate taint through StringIterator (#349, #348) by @eleumasc
- ⏱️Only create TaintOperations for tainted strings (#336) by @leeN
- 👇 Binary builds are back!
Bugfixes 🐛
- Fix incorrect taint range assignment on JSON.stringify (#346, #345, #351) by @eleumasc
- Github Actions fixes (#355) by @tmbrbr
- Various regression test fixes (#334) by @tmbrbr
Full Changelog: https://github.com/SAP/project-foxhound/commits/v140.0.2
Contributors
leeN, eleumasc, and tmbrbr
Assets 5
v130.0
What's Changed
News 📰
- 🎉 Excited to announce that Foxhound will appear at Black Hat Europe this year!
- Come to our Arsenal demo session in London on 10th-11th December to find out more!
Upstream Versions 🦊
- Firefox v130.0, specifically: bc78b98
- Compatible with patches for Playwright 1.49: https://github.com/microsoft/playwright/tree/release-1.49
- Requires Rust version 1.79.0 to build
Features 🚀
- Adding end-2-end tainting (#307) whereby Foxhound will taint marked content for incoming HTTP responses.
- Adding more sources and sinks related to the fetch API (#302)
- Multiple test improvements (#297, #298, #325)
- Adding build badges to the README (#317)
Bugfixes 🐛
- Taint propagation for StringBuffer conversion (#291)
- Fixing Debug mode (#314), at least partially
- Multiple fixes (#296, #304, #310, #327)
Due to various issues with the GitHub actions and runners, binaries for this release aren't available directly. Don't worry though, you can still find the latest Linux builds on the TU-BS server.
Full Changelog: v128.0...v130.0
v128.0
What's Changed
Simply the Best!
- 🏆 Foxhound has been rated the best tool for Dynamic Security Analysis of JavaScript by independent researchers! In their study, Foxhound outperformed 17 other tools in all of the categories considered, namely compatibility (95%), transparency (97%), coverage (94%) and performance (1.4x).
- We also broke the 100 GitHub stars ⭐ barrier! Spread the love ❤️!
Upstream Versions 🦊
- Firefox v128.0, specifically: cf0397e
- Playwright 1.48: https://github.com/microsoft/playwright/tree/release-1.48
- Requires Rust version 1.78.0 to build
Features 🚀
- 📦 Upload of build artifacts via GitHub Actions (#263): release binaries now available below! 👇
- Currently supporting Windows and Ubuntu Linux builds
- MacOS builds using the
macos-13(Intel x86) andmacos-latest(M1 ARM) are experimental. Feedback welcome!
- Adding support for the
script.textContentsink (#282) - GC Hazard Analysis and fixes (#280, #278)
Bugfixes 🐛
- Some branding fixes (#283)
- Fix taint loss in
Node.normalize()(#273) - Fail the build script if
zipnot installed (#270)
Full Changelog: v126.0...v128.0
v126.0
What's Changed
Upstream Versions 🦊
- Firefox v126.0, specifically: 4c9a3f8
- Playwright 1.47: https://github.com/microsoft/playwright/tree/release-1.47
- Requires Rust version 1.76 to build
Features 🚀
Bugfixes 🐛
- Some fixes for taint propagation through custom sources (#257, #258)
- Fixing logo related issues (#256)
Full Changelog: v125.0...v126.0
Contributors
leeN
Assets 2
v125.0.1
What's Changed
Upstream Versions 🦊
- Firefox v125.0, specifically: bd7e0ac
- Playwright 1.46: https://github.com/microsoft/playwright/tree/release-1.46
- Requires Rust version 1.76 to build
Features 🚀
- Foxhound has a new logo (#245) which has been added to the documentation and the browser itself. Thanks to the SAP OSPO for the great support here!
- Added bash script for one click builds including playwright merging (#225, #229, #231), thanks @leeN!
- Added GitHub Action to check Playwright patch applicability (#232)
- Pre-built binaries provided by TU Braunschweig (#234)!
- Adding option to dump tainting findings to file (#242, #247)
Bugfixes 🐛
- Fixing String conversion bugfix (#249, fixing #238 and #240), thanks @alexbara2000!
- Update to artifact upload v4 (#227)
- Updating GitHub action versions (#248)
Full Changelog: v123.0...v125.0
Contributors
leeN and alexbara2000
Assets 2
v123.0
What's Changed
Upstream Versions
- Firefox v123.0, specifically: f8704c8
- Playwright 1.44: https://github.com/microsoft/playwright/tree/release-1.44
- Skipping playwright patches for 1.43 as there was no browser patch change since 1.42
- Requires Rust version 1.70 to build
Full Changelog: v121.0...v123.0
v121.0
What's Changed
Upstream Versions
- Firefox v121.0, specifically: a32b866
- Playwright 1.42: https://github.com/microsoft/playwright/tree/release-1.42
Fixes
- #208 Fixed memory leak and crashes due to GC during memory allocation
Full Changelog: v119.0...v121.0
v119.0
What's Changed
Version Updates
Feature Updates
- Fixes as suggested by clang-tidy. by @leeN in #193
- Performance Tweaks by @leeN in #195
- Added Thread Safety Analysis Exceptions by @leeN in #197
- DOM Related Sources and Sinks by @tmbrbr in #198
- Foxhound: Adding JSON path string to JSON parse operations by @tmbrbr in #200
- Tab Crashing Fixes by @tmbrbr in #203
Full Changelog: v118.0.1...v119.0
Contributors
leeN and tmbrbr
Assets 2
v118.0.1
Version Updates
- Updating to Firefox v118.0.1
- Compatible with Playwright 1.40
Feature Updates
- Adding more information to XHR response sources #191
- Fixing issue with nsURLHelper which was losing taint information #188
- Dynamic setting / disabling of sources and sinks via preferences #184
Full Changelog: v115...v118.0.1
v115
Contributors
tmbrbr