Added to documentation for XXE according to rules made by ASU capstone team
Context
Our Secure Coding Guidelines exist so that contributors, both team members and members of the community, know the best practices that prevent vulnerabilities from being introduced into GitLab's codebase.
One class of vulnerability is XML External Entities (XXE). Guidance on this topic exists already: https://docs.gitlab.com/development/secure_coding_guidelines/#xml-external-entities
This MR
This MR updates our existing guidance to:
- reference the new SAST rules introduced in "Adding 2 ruby XML Injection - ASU Capstone" (gitlab-com/gl-security/product-security/appsec/sast-custom-rules!50, merged, by Benjamin Jones).
- make it clearer that Nokogiri is the preferred XML parsing library
- provide further counterexamples of vulnerable code
Original description
What: Updating secure_coding_guidelines documentation with newest policies enforced by new XXE rules written by ASU Capstone team
Why: To update developers on new policies
Edited by Nick Malcolm
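The MR points at new SAST rules for Ruby XXE and at Nokogiri as the preferred parser, but does not show what such a rule looks for. The block below is an added example, not code from this MR, from the GitLab secure coding guidelines, or from the sast-custom-rules project: a deliberately simple, line-oriented check that flags Nokogiri parse calls which turn on entity substitution (NOENT) or external DTD loading (DTDLOAD), the two options that Nokogiri keeps off by default and that make external entities resolvable. The ParseOptions names are Nokogiri's real ones; the sample source it scans is constructed for illustration. Unlike a real SAST rule it does no data-flow analysis, so an options object built elsewhere and passed in by variable name is only caught at the line that names the dangerous flag.

```ruby
# Added example (not GitLab's SAST rules, not code from the MR): a line-based
# check for Nokogiri parse options that enable external entity substitution.

# Nokogiri leaves NOENT (substitute entities) and DTDLOAD (load external DTDs)
# off by default; enabling either lets an attacker-supplied DTD read local
# files via file:// entities or make requests. These are Nokogiri's real
# ParseOptions names; the matching below is heuristic and per line.
XXE_OPTION_PATTERN = /
    \.(?:noent|dtdload)\b(?!\?)          # block or chained setter: c.noent, .dtdload
  | &:(?:noent|dtdload)\b                # symbol-to-proc form: &:noent
  | ParseOptions::(?:NOENT|DTDLOAD)\b    # flag constant passed positionally
/x

# Only look at lines that mention Nokogiri's XML parsing API at all.
NOKOGIRI_PARSE_PATTERN = /Nokogiri::XML\b|ParseOptions/

# Returns one finding ({line:, option:, code:}) per offending source line.
def scan_for_xxe_options(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    code = line.strip
    next if code.empty? || code.start_with?('#')   # skip blank and comment lines
    next unless code.match?(NOKOGIRI_PARSE_PATTERN)
    match = code.match(XXE_OPTION_PATTERN)
    next unless match
    findings << { line: lineno, option: match[0], code: code }
  end
  findings
end

# Constructed sample source (not real GitLab code) mixing safe and unsafe calls.
SAMPLE_SOURCE = <<~'RUBY'
  # safe: Nokogiri's defaults leave NOENT and DTDLOAD off
  doc = Nokogiri::XML(params[:payload])
  # safe: stricter parsing, still no entity substitution
  doc = Nokogiri::XML(params[:payload]) { |c| c.strict.nonet }
  # vulnerable: entity substitution turned on in the config block
  doc = Nokogiri::XML(params[:payload]) { |c| c.noent }
  # vulnerable: the same flag passed positionally
  doc = Nokogiri::XML(params[:payload], nil, nil, Nokogiri::XML::ParseOptions::NOENT)
  # vulnerable: external DTD loading via symbol-to-proc
  doc = Nokogiri::XML::Document.parse(params[:payload], &:dtdload)
RUBY

if __FILE__ == $PROGRAM_NAME
  scan_for_xxe_options(SAMPLE_SOURCE).each do |f|
    puts "line #{f[:line]}: #{f[:option]} enabled -> #{f[:code]}"
  end
end
```

Run against the constructed sample it reports lines 6, 8 and 10 and leaves the two default-options calls alone. The safe form the guidance recommends is the plain call, `Nokogiri::XML(untrusted_xml)`, with no `noent` or `dtdload` anywhere in the option chain; note that `nonet` on its own is not a fix, because NOENT still resolves `file://` entities without any network access.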