- Name of project: Parsoid/PHP (PHP Port of Parsoid)
- Project home page: https://www.mediawiki.org/wiki/Parsing/Notes/Moving_Parsoid_Into_Core / https://www.mediawiki.org/wiki/Parsoid
- Name of team which owns the project: Parsing
- Primary contact for the project: @ssastry
- Target date for deployment: Q1 2019/20
- Link to code repository: https://gerrit.wikimedia.org/r/q/project:mediawiki%252Fservices%252Fparsoid
- Is this a brand-new project: No
- Has this project ever been reviewed before: (Phab tasks, etc.): Nothing formally as far as I know. But,we have had incident-specific reviews and any reviewing done in the context of clients that use Parsoid; We also had a long-standing nsp check for Parsoid's node modules which we stayed on top of.
- Has any risk assessment (STRIDE, etc.) been performed: Not that I know of.
- Is there an existing RFC or has this been presented to the community: Not relevant
- Is this project tied to a team quarterly goal: This is tied to the Platform Evolution CDP
Description of the project and how it will be used
I will just point to https://www.mediawiki.org/wiki/Parsoid for now. I can follow up with any additional info as required.
But, specifically, the context for this is that we are porting Parsoid to PHP which will be integrated into core as a composer library and will run in-process on REST API (see T221738 ) requests made to MediaWiki. We want to deploy this in July/August.
Parsoid/JS (currently deployed on the Wikimedia cluster) is not exposed directly to the internet. All requests to it go through RESTBase exposed REST API for wikis (Ex: https://en.wikipedia.org/api/rest_v1/ ). But, with the Parsoid/PHP offering which will be integrated into core, we can similarly deploy to an internal cluster that is not directly accessible on the internet and disable it on the app cluster and elsewhere where the MediaWiki API is exposed to the internet. But, this is all part of the security review - to figure out appropriate boundaries, exposed surfaces, and necessary hardening to prepare this codebase for deployment in a timely manner without compromising security and privacy needs when we go from Parsoid/JS that ran an independent stateless service to Parsoid/PHP that will run while bundled with MediaWiki.
Description of any sensitive data to be collected or exposed
Whatever MediaWiki core uses (PHP 7.2, composer, phan, etc.)
Dependencies and vendor code
Dependencies are listed in the composer.json file of the repository
Working test environment
None provided as of yet.