
Security review of preact 8.4.2
Open, Stalled, Normal, Public

Description

The mobile site uses a home-grown library that is becoming unmaintainable.

While no decision has yet been made, we are interested in using preact given its lightweight size and similarities with React, and knowing the security team has approved it is an important part of that decision.

https://preactjs.com/

Given many of its high-profile users (https://preactjs.com/about/we-are-using), I assume a security review here will be straightforward, but I would love to know if there is anything specific we need to be aware of.

Thanks in advance security team!

Event Timeline

Restricted Application added a subscriber: Aklapper. · Jul 11 2019, 12:51 AM
Jdlrobson renamed this task from Security review of preact to Security review of preact 8.4.2. · Jul 11 2019, 12:52 AM
Jdlrobson added a project: Readers-Web-Backlog.
sbassett triaged this task as Normal priority. · Jul 12 2019, 1:43 PM
Jdlrobson moved this task from Incoming to Needs Prioritization on the Readers-Web-Backlog board.
Jcross added a subscriber: Jcross. · Jul 16 2019, 5:24 PM

Hi @Jdlrobson - thank you for the request. Can you tell me when your team is looking to deploy?

Hey @Jcross, having this information by August 15th, or at least having some information by then, would be appreciated. Thanks in advance!

sbassett added a subscriber: sbassett. · Edited · Jul 29 2019, 7:37 PM

A little follow-up here:

Reported Security Issues

  1. An XSS within an old version of preact and a deser issue within a newer 10.x alpha release. I'm assuming the Readers team would be going with a stable 10.x release of the library, so neither of these should be an issue.
  2. Nothing in NVD.
  3. An old, resolved issue within 10.x alpha/beta < 10.0.0-beta.1 releases.
  4. An old, now-fixed preact-cli tls issue.
  5. I found nothing tagged as security after perusing Preact's open issues. And I'm not seeing anything else that would be obviously concerning from a security perspective, save maybe a handful of performance issues, though that's a bit of a stretch. No current security advisories either.

So the above is obviously a good sign, as far as low-hanging fruit goes. What I'd recommend from here:

  1. Preact is pretty small and designed for performance according to its documentation and marketing materials. I still might recommend reaching out to the Performance-Team to get their opinion on best practices for developing with these kinds of libraries and any implications for deploying to production systems.
  2. Given what Preact does, its largest attack surface would probably consist of injection-based attacks stemming from untrusted input. I'd like to investigate these a bit more and explore any developer best practices around mitigating such attacks and provide those here.

Thanks for the recommendations @sbassett. Reaching out to performance was definitely going to be my next step. Thanks for your work so far!

Hey @Jdlrobson - I just wanted to check in and see if there had been any updates on your end (re: the current likelihood of using preact) and if you had a chance to chat with the Performance Team about this yet. I still owe you some security best practices around using preact, which I can hopefully provide sometime soon. Thanks.

sbassett changed the task status from Open to Stalled. · Tue, Sep 17, 5:14 PM