Hardening Internal Tools Against XXE
Over the past quarter I have been helping our platform team refactor a configuration service that several delivery pipelines depend on. During that review I spotted an XML External Entity (XXE) injection vector that could have exposed environment variables and IAM credentials to any engineer with access to the internal UI. This post documents how we found the issue, why the existing pipeline tests missed it, and how we closed the gap without blocking deploy velocity. ...