supply-chain-security
Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.
1045 articles
SQL Injection Prevention in C++ with SQLite Bind Parameters
How sqlite3_bind_text() stops SQL injection in C++ apps, common mistakes with bind parameters, and how to audit existing SQLite code for injection risk.
Path Traversal Prevention in JavaScript/Node.js with path...
path.normalize() alone will not stop path traversal in Node.js. Real CVEs like node-tar show why resolve-then-compare beats normalize-then-trust.
Path Traversal Prevention in Python with os.path.realpath
os.path.normpath() and abspath() don't stop symlink-based path traversal. Here's how os.path.realpath() closes the gap, with real CVEs and a secure pattern.
Path Traversal Prevention in Go with filepath.Join Valida...
filepath.Join in Go only cleans a path, it doesn't restrict it to a base directory. Here's why that gap produced real CVEs, and how to close it for good.
Path Traversal Prevention in Java with Path.normalize
Path.normalize() cleans up "." and ".." in a Java path — but it doesn't stop path traversal. Here's why the Zip Slip pattern still slips past code review in 2026.
Path Traversal Prevention in Ruby with File.realpath
How File.realpath stops path traversal in Ruby apps, why File.expand_path alone fails, and what real CVEs like Sprockets' CVE-2018-3760 reveal about secure file handling.
Path Traversal Prevention in Rust with fs::canonicalize
fs::canonicalize resolves `..` and symlinks into one absolute path, but it can't fix TOCTOU races, missing files, or Windows prefix quirks on its own. Here's the safe pattern.
XXE Prevention in JavaScript: Disabling libxmljs noent
How the libxmljs noent option silently reopens XML External Entity (XXE) attacks in Node.js apps, and the exact parser settings that shut it down for good.
XXE Prevention in Python with resolve_entities=False
Why lxml's XMLParser resolves external entities by default, how resolve_entities=False actually stops XXE, and where Python teams still leave file-read and SSRF paths open.
How to Fix a Vulnerable Transitive Dependency in npm
The CVE is four levels deep in a package you never installed. Four escalating fixes — parent upgrade, npm update, overrides, and forking — with the exact commands.
XXE Prevention in C# by Disabling XmlResolver/DTD Processing
XXE in C# lives at the XmlResolver and DtdProcessing settings. Here's how .NET's defaults evolved since 2014 and exactly how to lock down XmlDocument, XmlTextReader, and XmlReaderSettings.
XXE Prevention in PHP with libxml_disable_entity_loader
libxml_disable_entity_loader() looked like the fix for XXE in PHP, but PHP 8.0 deprecated it. Here's what it did, why it broke, and what to use now.