
Security review of preact 8.4.2
Closed, Declined (Public)

Description

The mobile site uses a home grown library that is becoming unmaintainable.

While no decision has yet been made, we are interested in using preact given its lightweight size and similarities with React, and knowing the security team has approved it is an important part of that decision.

https://preactjs.com/

Given many of its high profile users (https://preactjs.com/about/we-are-using) I assume a security review here will be straightforward but I would love to know if there is anything specific we need to be aware of.

Thanks in advance security team!

Event Timeline

Jdlrobson renamed this task from Security review of preact to Security review of preact 8.4.2. Jul 11 2019, 12:52 AM
Jdlrobson added a project: Web-Team-Backlog.
sbassett triaged this task as Medium priority. Jul 12 2019, 1:43 PM

Hi @Jdlrobson - thank you for the request. Can you tell me when your team is looking to deploy?

Hey @Jcross, having this information by August 15th, or at least having some information by then, would be appreciated. Thanks in advance!

A little follow-up here:

Reported Security Issues

  1. An XSS within an old version of preact and a deser issue within a newer 10.x alpha release. I'm assuming the Readers team would be going with a stable 10.x release of the library, so neither of these should be an issue.
  2. Nothing in NVD.
  3. An old, resolved issue within 10.x alpha/beta < 10.0.0-beta.1 releases.
  4. An old, now-fixed preact-cli tls issue.
  5. I found nothing tagged as security after perusing Preact's open issues. And I'm not seeing anything else that would be obviously concerning from a security perspective, save maybe a handful of performance issues, though that's a bit of a stretch. No current security advisories either.

So the above is obviously a good sign, as far as low-hanging fruit goes. What I'd recommend from here:

  1. Preact is pretty small and designed for performance according to its documentation and marketing materials. I still might recommend reaching out to the Performance-Team to get their opinion on best practices for developing with these kinds of libraries and any implications for deploying to production systems.
  2. Given what Preact does, its largest attack surface would probably consist of injection-based attacks stemming from untrusted input. I'd like to investigate these a bit more and explore any developer best practices around mitigating such attacks and provide those here.

Thanks for the recommendations @sbassett. Reaching out to performance was definitely going to be my next step. Thanks for your work so far!

Hey @Jdlrobson - I just wanted to check in and see if there had been any updates on your end (re: the current likelihood of using preact) and if you had a chance to chat with the Performance Team about this yet. I still owe you some security best practices around using preact, which I can hopefully provide sometime soon. Thanks.

sbassett changed the task status from Open to Stalled. Sep 17 2019, 5:14 PM

Hi @sbassett, I think stalled is the correct state here. The Frontend architecture working group appears to be working towards a proposal to "select and integrate an open source industry standard frontend Javascript": https://www.mediawiki.org/wiki/Frontend_Architecture_Working_Group#Current_exploration

@Jdlrobson - Ok, thanks for the update. I'll leave it as stalled until we have a better idea of where that consensus is heading.

sbassett lowered the priority of this task from Medium to Low. Sep 24 2019, 6:00 PM

We are waiting on decisions from the Frontend working group and declining until the direction being taken is clearer.