Safeguard
Tag

supply-chain-security

Safeguard articles tagged "supply-chain-security" — guides, analysis, and best practices for software supply chain and application security.

1045 articles

Industry Analysis

SQL Injection Prevention in C++ with SQLite Bind Parameters

How sqlite3_bind_text() stops SQL injection in C++ apps, common mistakes with bind parameters, and how to audit existing SQLite code for injection risk.

Oct 25, 20257 min read
Industry Analysis

Path Traversal Prevention in JavaScript/Node.js with path...

path.normalize() alone will not stop path traversal in Node.js. Real CVEs like node-tar show why resolve-then-compare beats normalize-then-trust.

Oct 25, 20257 min read
Industry Analysis

Path Traversal Prevention in Python with os.path.realpath

os.path.normpath() and abspath() don't stop symlink-based path traversal. Here's how os.path.realpath() closes the gap, with real CVEs and a secure pattern.

Oct 24, 20257 min read
Industry Analysis

Path Traversal Prevention in Go with filepath.Join Valida...

filepath.Join in Go only cleans a path, it doesn't restrict it to a base directory. Here's why that gap produced real CVEs, and how to close it for good.

Oct 24, 20257 min read
Industry Analysis

Path Traversal Prevention in Java with Path.normalize

Path.normalize() cleans up "." and ".." in a Java path — but it doesn't stop path traversal. Here's why the Zip Slip pattern still slips past code review in 2026.

Oct 24, 20257 min read
Industry Analysis

Path Traversal Prevention in Ruby with File.realpath

How File.realpath stops path traversal in Ruby apps, why File.expand_path alone fails, and what real CVEs like Sprockets' CVE-2018-3760 reveal about secure file handling.

Oct 23, 20258 min read
Industry Analysis

Path Traversal Prevention in Rust with fs::canonicalize

fs::canonicalize resolves `..` and symlinks into one absolute path, but it can't fix TOCTOU races, missing files, or Windows prefix quirks on its own. Here's the safe pattern.

Oct 23, 20257 min read
Industry Analysis

XXE Prevention in JavaScript: Disabling libxmljs noent

How the libxmljs noent option silently reopens XML External Entity (XXE) attacks in Node.js apps, and the exact parser settings that shut it down for good.

Oct 22, 20257 min read
Industry Analysis

XXE Prevention in Python with resolve_entities=False

Why lxml's XMLParser resolves external entities by default, how resolve_entities=False actually stops XXE, and where Python teams still leave file-read and SSRF paths open.

Oct 22, 20257 min read
Supply Chain

How to Fix a Vulnerable Transitive Dependency in npm

The CVE is four levels deep in a package you never installed. Four escalating fixes — parent upgrade, npm update, overrides, and forking — with the exact commands.

Oct 21, 20256 min read
Industry Analysis

XXE Prevention in C# by Disabling XmlResolver/DTD Processing

XXE in C# lives at the XmlResolver and DtdProcessing settings. Here's how .NET's defaults evolved since 2014 and exactly how to lock down XmlDocument, XmlTextReader, and XmlReaderSettings.

Oct 21, 20257 min read
Industry Analysis

XXE Prevention in PHP with libxml_disable_entity_loader

libxml_disable_entity_loader() looked like the fix for XXE in PHP, but PHP 8.0 deprecated it. Here's what it did, why it broke, and what to use now.

Oct 21, 20256 min read
supply-chain-security (Page 71) — Safeguard Blog