Diffstat (limited to 'doc/development')
-rw-r--r--  doc/development/feature_flags/index.md       |  7
-rw-r--r--  doc/development/secure_coding_guidelines.md  | 19
2 files changed, 25 insertions, 1 deletions
diff --git a/doc/development/feature_flags/index.md b/doc/development/feature_flags/index.md index 87d2da016d6..c2026ab8966 100644 --- a/doc/development/feature_flags/index.md +++ b/doc/development/feature_flags/index.md @@ -144,6 +144,13 @@ An `experiment` feature flag should conform to the same standards as a `developm although the interface has some differences. An experiment feature flag should have a rollout issue, created using the [Experiment Tracking template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/.gitlab/issue_templates/Experiment%20Rollout.md). More information can be found in the [experiment guide](../experiment_guide/index.md). +### `worker` type + +`worker` feature flags are used for controlling Sidekiq workers behavior, such as deferring Sidekiq jobs. + +`worker` feature flags likely do not have any YAML definition as the name could be dynamically generated using +the worker name itself, e.g. `defer_sidekiq_jobs:AuthorizedProjectsWorker`. + ## Feature flag definition and validation > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/229161) in GitLab 13.3. diff --git a/doc/development/secure_coding_guidelines.md b/doc/development/secure_coding_guidelines.md index 7a3dc1c01fc..e8fda066ca3 100644 --- a/doc/development/secure_coding_guidelines.md +++ b/doc/development/secure_coding_guidelines.md @@ -344,7 +344,7 @@ Much of the impact is contingent upon the function of the application and the ca For a demonstration of the impact on GitLab with a realistic attack scenario, see [this video on the GitLab Unfiltered channel](https://www.youtube.com/watch?v=t4PzHNycoKo) (internal, it requires being logged in with the GitLab Unfiltered account). -### When to consider? +### When to consider When user submitted data is included in responses to end users, which is just about anywhere. 
@@ -1395,3 +1395,20 @@ Additional resources: - <https://github.com/EthicalML/fml-security#exploring-the-owasp-top-10-for-ml> - <https://learn.microsoft.com/en-us/security/engineering/threat-modeling-aiml> - <https://learn.microsoft.com/en-us/security/engineering/failure-modes-in-machine-learning> + +## Local Storage + +### Description + +Local storage uses a built-in browser storage feature that caches data in read-only UTF-16 key-value pairs. Unlike `sessionStorage`, this mechanism has no built-in expiration mechanism, which can lead to large troves of potentially sensitive information being stored for indefinite periods. + +### Impact + +Local storage is subject to exfiltration during XSS attacks. These type of attacks highlight the inherent insecurity of storing sensitive information locally. + +### Mitigations + +If circumstances dictate that local storage is the only option, a couple of precautions should be taken. + +- Local storage should only be used for the minimal amount of data possible. Consider alternative storage formats. +- If you have to store sensitive data using local storage, do so for the minimum time possible, calling `localStorage.removeItem` on the item as soon as we're done with it. Another alternative is to call `localStorage.clear()`. |
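Review bot: in the `worker` type hunk of `doc/development/feature_flags/index.md`, "`worker` feature flags likely do not have any YAML definition" hedges where the reader needs a rule. State whether a YAML definition is required, optional, or not possible for a dynamically named flag such as `defer_sidekiq_jobs:AuthorizedProjectsWorker`, and say how the `## Feature flag definition and validation` section that immediately follows treats such flags, since a flag with no definition also has no documented default state, owner, or rollout issue. A small wording fix in the same hunk: "controlling Sidekiq workers behavior" should be "controlling the behavior of Sidekiq workers".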
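Review bot: the `### When to consider?` to `### When to consider` rename in `doc/development/secure_coding_guidelines.md` is style-only; before merging, confirm that any in-page or cross-document links to this section's anchor still resolve, and that the other "When to consider" subsections in this document use the same question-free form so the headings stay consistent.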
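Review bot: the Local Storage hunk's Description is inaccurate in two places and should be corrected before the section ships. `localStorage` is not read-only: any script running on the origin can read, write, and delete entries with `setItem` and `removeItem`, which is exactly why the Impact section matters; "stores string key-value pairs" is the accurate wording. `sessionStorage` does not have an expiration mechanism either; the difference is scope, with `sessionStorage` cleared when the tab or browsing context closes while `localStorage` persists until code or the user removes it. In Impact, "These type of attacks" should read "This type of attack", and the property that makes the risk concrete is worth stating: unlike cookies, Web Storage has no `HttpOnly` equivalent, so any script on the origin, including third-party or injected script, can read it. In Mitigations, "Consider alternative storage formats" is too vague to act on; name the alternatives (server-side session state, `HttpOnly` cookies for session tokens, or keeping short-lived data in memory). Add a caveat next to `localStorage.clear()` that it deletes every key for the origin, not only the sensitive one, so `localStorage.removeItem` with the specific key should be the default and `clear()` the exception. Finally, "as soon as we're done with it" mixes voice with the surrounding "you"; use "as soon as you are done with it".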