software-supply-chain
Safeguard articles tagged "software-supply-chain" — guides, analysis, and best practices for software supply chain and application security.
526 articles
Path Traversal Prevention in C++ with std::filesystem::we...
Why std::filesystem::weakly_canonical alone doesn't stop path traversal in C++, and the containment check every extraction, upload, or plugin loader needs beside it.
XXE Prevention in Ruby with Nokogiri NONET/NOENT
Nokogiri wraps libxml2, and one misconfigured parse call can leak local files or trigger SSRF. Here's how NONET and NOENT actually work, and how to lock them down.
XXE Prevention in C++: Removing libxml2 XML_PARSE_NOENT
How the libxml2 XML_PARSE_NOENT flag enables XXE in C++ codebases, the real CVEs behind it, and the exact code changes needed to remove it safely.
What Is OSV (Open Source Vulnerabilities)?
OSV is an open, ecosystem-native vulnerability database that expresses affected versions in precise, machine-matchable ranges. Here is how it works and why scanners rely on it.
Insecure Deserialization Prevention in JavaScript: Avoidi...
How the node-serialize RCE flaw (CVE-2017-5941) works, why unsafe JS deserialization patterns persist, and concrete steps—plus how Safeguard catches them in CI.
Secure Random Number Generation in Python with the secret...
Python's random module is predictable, not secure. Here's why CWE-338 matters, when the secrets module (PEP 506, Python 3.6) fixed it, and how to generate tokens safely.
Secure Random Number Generation in PHP with random_bytes
PHP's mt_rand() has a 32-bit seed space attackers can crack in seconds. Here's why random_bytes() and random_int() replaced it in PHP 7.0, and how weak randomness still causes breaches.
Secure Random Number Generation in C# with RandomNumberGe...
Why System.Random is a security liability in C# and how RandomNumberGenerator prevents predictable tokens, nonces, and keys in .NET applications.
CVE-2018-16487: Prototype pollution in lodash via merge/m...
CVE-2018-16487 let attackers pollute Object.prototype through lodash's merge, mergeWith, and defaultsDeep — a bypass of an earlier fix, patched in 4.17.11.
CVE-2021-23337: Command injection in lodash template func...
CVE-2021-23337 enables command injection via lodash's template function in versions before 4.17.21. Here's the CVSS context, timeline, and how to remediate it.
CVE-2018-3728: Prototype pollution in hoek
CVE-2018-3728 is a prototype pollution flaw in Hoek's merge functions, exposing hapi.js and Joi-based apps to __proto__ injection. Here's the impact, fix, and remediation path.
CVE-2019-11358: Prototype pollution in jQuery $.extend
CVE-2019-11358 lets attackers pollute Object.prototype via jQuery's $.extend() deep merge. Here's the impact, affected versions, and how to fix it.