summaryrefslogtreecommitdiff
path: root/doc/development
diff options
context:
space:
mode:
Diffstat (limited to 'doc/development')
-rw-r--r--doc/development/feature_flags/index.md7
-rw-r--r--doc/development/secure_coding_guidelines.md19
2 files changed, 25 insertions, 1 deletions
diff --git a/doc/development/feature_flags/index.md b/doc/development/feature_flags/index.md
index 87d2da016d6..c2026ab8966 100644
--- a/doc/development/feature_flags/index.md
+++ b/doc/development/feature_flags/index.md
@@ -144,6 +144,13 @@ An `experiment` feature flag should conform to the same standards as a `developm
although the interface has some differences. An experiment feature flag should have a rollout issue,
created using the [Experiment Tracking template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/issue_templates/Experiment%20Rollout.md). More information can be found in the [experiment guide](../experiment_guide/index.md).
+### `worker` type
+
+`worker` feature flags are used for controlling Sidekiq workers behavior, such as deferring Sidekiq jobs.
+
+`worker` feature flags likely do not have any YAML definition as the name could be dynamically generated using
+the worker name itself, e.g. `defer_sidekiq_jobs:AuthorizedProjectsWorker`.
+
## Feature flag definition and validation
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/229161) in GitLab 13.3.
diff --git a/doc/development/secure_coding_guidelines.md b/doc/development/secure_coding_guidelines.md
index 7a3dc1c01fc..e8fda066ca3 100644
--- a/doc/development/secure_coding_guidelines.md
+++ b/doc/development/secure_coding_guidelines.md
@@ -344,7 +344,7 @@ Much of the impact is contingent upon the function of the application and the ca
For a demonstration of the impact on GitLab with a realistic attack scenario, see [this video on the GitLab Unfiltered channel](https://www.youtube.com/watch?v=t4PzHNycoKo) (internal, it requires being logged in with the GitLab Unfiltered account).
-### When to consider?
+### When to consider
When user submitted data is included in responses to end users, which is just about anywhere.
@@ -1395,3 +1395,20 @@ Additional resources:
- <https://github.com/EthicalML/fml-security#exploring-the-owasp-top-10-for-ml>
- <https://learn.microsoft.com/en-us/security/engineering/threat-modeling-aiml>
- <https://learn.microsoft.com/en-us/security/engineering/failure-modes-in-machine-learning>
+
+## Local Storage
+
+### Description
+
+Local storage uses a built-in browser storage feature that caches data in read-only UTF-16 key-value pairs. Unlike `sessionStorage`, this mechanism has no built-in expiration mechanism, which can lead to large troves of potentially sensitive information being stored for indefinite periods.
+
+### Impact
+
+Local storage is subject to exfiltration during XSS attacks. These type of attacks highlight the inherent insecurity of storing sensitive information locally.
+
+### Mitigations
+
+If circumstances dictate that local storage is the only option, a couple of precautions should be taken.
+
+- Local storage should only be used for the minimal amount of data possible. Consider alternative storage formats.
+- If you have to store sensitive data using local storage, do so for the minimum time possible, calling `localStorage.removeItem` on the item as soon as we're done with it. Another alternative is to call `localStorage.clear()`.
View Lorry Controller Status