
Security review of WebAuthn library dependencies
Open, Normal, Public

Description

For web-auth/webauthn-lib v2.1.5

  • beberlei/assert (v3.2.3)
  • fgrosse/phpasn1 (v2.1.1)
  • nyholm/psr7 (1.2.0)
  • paragonie/random_compat (v9.99.99) (replaced away)
  • php-http/message-factory (v1.0.2)
  • psr/http-client (1.0.0)
  • psr/http-factory (1.0.1)
  • psr/http-message (1.0.1)
  • ramsey/uuid (3.8.0)
  • spomky-labs/base64url (v2.0.1)
  • spomky-labs/cbor-php (v1.0.7)
  • symfony/polyfill-ctype (v1.12.0) (replaced in mediawiki/vendor)
  • web-auth/cose-lib (v2.1.5)
  • web-auth/metadata-service (v2.1.5)
  • web-auth/webauthn-lib (v2.1.5)

Event Timeline

Reedy created this task. Jul 4 2019, 12:18 AM
Reedy updated the task description. Jul 4 2019, 12:23 AM
Reedy updated the task description.
Reedy renamed this task from Security review of WebAuthn dependencies to Security review of WebAuthn library dependencies. Jul 4 2019, 12:28 AM
Reedy changed the task status from Open to Stalled.
sbassett triaged this task as Normal priority. Jul 9 2019, 5:05 PM
sbassett added a subscriber: Bawolff.
sbassett added a subscriber: sbassett.
sbassett assigned this task to Reedy. Jul 9 2019, 6:12 PM
sbassett moved this task from Backlog to In Progress on the Security-Team-Reviews board.
sbassett removed subscribers: Bawolff, Reedy.
Reedy updated the task description. Jul 31 2019, 2:46 PM
Reedy updated the task description. Jul 31 2019, 2:48 PM
Reedy updated the task description. Jul 31 2019, 2:50 PM
Reedy updated the task description. Jul 31 2019, 2:56 PM

Doesn't seem to want to draw me an updated graph :(

Reedy added a comment. Jul 31 2019, 3:24 PM

As an aside, I'm poking the various dependencies to add/update their .gitattributes to reduce the number of files we're bringing in with this

Reedy updated the task description. (Show Details)Aug 7 2019, 3:27 PM
Reedy updated the task description. (Show Details)Aug 7 2019, 3:31 PM
Reedy added a comment. Sat, Aug 31, 7:53 PM

reedy@ubuntu64-web-esxi:/var/www/wiki/mediawiki/extensions/WebAuthn$ composer install --no-dev
Loading composer repositories with package information
Updating dependencies
Package operations: 12 installs, 0 updates, 0 removals
  - Installing symfony/polyfill-ctype (v1.12.0): Loading from cache
  - Installing paragonie/random_compat (v9.99.99): Loading from cache
  - Installing ramsey/uuid (3.8.0): Loading from cache
  - Installing beberlei/assert (v3.2.3): Loading from cache
  - Installing thecodingmachine/safe (v0.1.16): Loading from cache
  - Installing fgrosse/phpasn1 (v2.1.1): Loading from cache
  - Installing web-auth/cose-lib (v2.0.3): Loading from cache
  - Installing spomky-labs/base64url (v2.0.1): Loading from cache
  - Installing spomky-labs/cbor-php (v1.0.7): Loading from cache
  - Installing psr/http-message (1.0.1): Loading from cache
  - Installing psr/http-factory (1.0.1): Loading from cache
  - Installing web-auth/webauthn-lib (v2.0.3): Loading from cache
Writing lock file
Generating autoload files
Reedy updated the task description. Tue, Sep 3, 11:31 AM

Latest

reedy@ubuntu64-web-esxi:/var/www/wiki/mediawiki/extensions/WebAuthn$ composer install --no-dev
Loading composer repositories with package information
Updating dependencies
Package operations: 15 installs, 0 updates, 0 removals
  - Installing psr/http-message (1.0.1): Loading from cache
  - Installing psr/http-factory (1.0.1): Loading from cache
  - Installing psr/http-client (1.0.0): Loading from cache
  - Installing web-auth/metadata-service (v2.1.5): Loading from cache
  - Installing beberlei/assert (v3.2.3): Loading from cache
  - Installing fgrosse/phpasn1 (v2.1.1): Loading from cache
  - Installing web-auth/cose-lib (v2.1.5): Loading from cache
  - Installing spomky-labs/base64url (v2.0.1): Loading from cache
  - Installing spomky-labs/cbor-php (v1.0.7): Loading from cache
  - Installing symfony/polyfill-ctype (v1.12.0): Loading from cache
  - Installing paragonie/random_compat (v9.99.99): Loading from cache
  - Installing ramsey/uuid (3.8.0): Loading from cache
  - Installing php-http/message-factory (v1.0.2): Loading from cache
  - Installing nyholm/psr7 (1.2.0): Loading from cache
  - Installing web-auth/webauthn-lib (v2.1.5): Loading from cache
Writing lock file
Generating autoload files
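The reviewed list in the description and the two composer runs above do not always agree: the Aug 31 run pulled in thecodingmachine/safe and older web-auth/cose-lib and web-auth/webauthn-lib versions that the review did not cover, while the Sep 3 run matches the list package for package. Checking that by eye is error-prone, so here is an added example (not tooling from the WebAuthn extension, mediawiki/vendor or this task) in Python that parses Composer's "Installing" lines and reports unreviewed packages, version drift, and reviewed packages that are absent. The embedded sample is constructed from the Aug 31 lines quoted above, and the REPLACED set reflects the two packages the description marks as replaced in mediawiki/vendor, whose absence is expected rather than a finding.

```python
import re
from typing import AbstractSet, Dict, List, Mapping, Tuple

# Packages the review covered, copied from the task description
# (web-auth/webauthn-lib v2.1.5 and its dependency tree).
REVIEWED: Dict[str, str] = {
    "beberlei/assert": "v3.2.3",
    "fgrosse/phpasn1": "v2.1.1",
    "nyholm/psr7": "1.2.0",
    "paragonie/random_compat": "v9.99.99",
    "php-http/message-factory": "v1.0.2",
    "psr/http-client": "1.0.0",
    "psr/http-factory": "1.0.1",
    "psr/http-message": "1.0.1",
    "ramsey/uuid": "3.8.0",
    "spomky-labs/base64url": "v2.0.1",
    "spomky-labs/cbor-php": "v1.0.7",
    "symfony/polyfill-ctype": "v1.12.0",
    "web-auth/cose-lib": "v2.1.5",
    "web-auth/metadata-service": "v2.1.5",
    "web-auth/webauthn-lib": "v2.1.5",
}

# Packages the description marks as replaced (provided by mediawiki/vendor),
# so their absence from an install is expected rather than a finding.
REPLACED = frozenset({"paragonie/random_compat", "symfony/polyfill-ctype"})

# Constructed sample input: the Aug 31 composer run quoted in the task.
AUG31_OUTPUT = """\
Package operations: 12 installs, 0 updates, 0 removals
  - Installing symfony/polyfill-ctype (v1.12.0): Loading from cache
  - Installing paragonie/random_compat (v9.99.99): Loading from cache
  - Installing ramsey/uuid (3.8.0): Loading from cache
  - Installing beberlei/assert (v3.2.3): Loading from cache
  - Installing thecodingmachine/safe (v0.1.16): Loading from cache
  - Installing fgrosse/phpasn1 (v2.1.1): Loading from cache
  - Installing web-auth/cose-lib (v2.0.3): Loading from cache
  - Installing spomky-labs/base64url (v2.0.1): Loading from cache
  - Installing spomky-labs/cbor-php (v1.0.7): Loading from cache
  - Installing psr/http-message (1.0.1): Loading from cache
  - Installing psr/http-factory (1.0.1): Loading from cache
  - Installing web-auth/webauthn-lib (v2.0.3): Loading from cache
Writing lock file
"""

# Composer prints one "  - Installing vendor/name (version): ..." line per package.
INSTALL_LINE = re.compile(r"^\s*-\s+Installing\s+(\S+)\s+\(([^)]+)\)")


def parse_installed(output: str) -> Dict[str, str]:
    """Return {package: version} for every package Composer reports installing."""
    installed: Dict[str, str] = {}
    for line in output.splitlines():
        match = INSTALL_LINE.match(line)
        if match:
            installed[match.group(1)] = match.group(2)
    return installed


def audit(installed: Mapping[str, str], reviewed: Mapping[str, str],
          replaced: AbstractSet[str] = frozenset()) -> Dict[str, object]:
    """Classify every difference between the installed and the reviewed set.

    unreviewed:    installed but not covered by the review (new transitive dep)
    version_drift: reviewed at one version, installed at another
    missing:       reviewed but absent, ignoring packages known to be replaced
    """
    unreviewed = {p: v for p, v in installed.items() if p not in reviewed}
    drift: Dict[str, Tuple[str, str]] = {
        p: (reviewed[p], v) for p, v in installed.items()
        if p in reviewed and reviewed[p] != v
    }
    missing: List[str] = sorted(
        p for p in reviewed if p not in installed and p not in replaced
    )
    return {"unreviewed": unreviewed, "version_drift": drift, "missing": missing}


def has_findings(report: Mapping[str, object]) -> bool:
    """True when any category of the audit report is non-empty."""
    return any(bool(v) for v in report.values())


if __name__ == "__main__":
    report = audit(parse_installed(AUG31_OUTPUT), REVIEWED, REPLACED)
    for category, items in report.items():
        print(f"{category}: {items}")
    print("review needed" if has_findings(report) else "matches reviewed set")
```

Run against the Aug 31 output it flags thecodingmachine/safe as unreviewed, both web-auth packages as drifted from v2.1.5 to v2.0.3, and nyholm/psr7, php-http/message-factory, psr/http-client and web-auth/metadata-service as reviewed but not installed; fed the Sep 3 output instead, every category is empty. The same parse works on the output of a CI `composer install`, which is where a check like this belongs so that a dependency bump that adds a package nobody reviewed fails the build rather than landing silently.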
Reedy updated the task description. Tue, Sep 3, 11:36 AM
Reedy added a comment. Tue, Sep 3, 12:24 PM

paragonie/random_compat shouldn't be needed, we should be able to replace it out (comment to be left in gerrit)

Reedy updated the task description. Tue, Sep 3, 1:35 PM
Reedy changed the task status from Stalled to Open. Wed, Sep 4, 4:51 PM

Not sure why it was marked as stalled for so long... Stuff is definitely going on behind the scenes ;)

Reedy added a comment. Thu, Sep 5, 1:17 PM

Hmm. We already have guzzlehttp/psr7 and this brings in nyholm/psr7 :(