Page MenuHomePhabricator

Security review of preact 8.4.2
Closed, DeclinedPublic


The mobile site uses a home grown library that is becoming unmaintainable.

While no decision has yet been made we are interested in using preact given its lightweight size and similarities with React and knowing the security team has approved it is an important part of that decision.

Given many of its high profile users ( I assume a security review here will be straightforward but I would love to know if there is anything specific we need to be aware of.

Thanks in advance security team!

Event Timeline

Jdlrobson renamed this task from Security review of preact to Security review of preact 8.4.2.Jul 11 2019, 12:52 AM
Jdlrobson added a project: Readers-Web-Backlog.
sbassett triaged this task as Medium priority.Jul 12 2019, 1:43 PM

Hi @Jdlrobson - thank you for the request. Can you tell me when your team is looking to deploy?

Hey @Jcross having this information by August 15th or at least having some information by then would be appreciated. Thanks in advance!

A little follow-up here:

Reported Security Issues

  1. An XSS within an old version of preact and a deser issue within a newer 10.x alpha release. I'm assuming the Readers team would be going with a stable 10.x release of the library, so neither of these should be an issue.
  2. Nothing in NVD.
  3. An old, resolved issue within 10.x alpha/beta < 10.0.0-beta.1 releases.
  4. An old, now-fixed preact-cli tls issue.
  5. I found nothing tagged as security after perusing Preact's open issues. And I'm not seeing anything else that would be obviously concerning from a security perspective, save maybe a handful of performance issues, though that's a bit of a stretch. No current security advisories either.

So the above is obviously a good sign, as far as low-hanging fruit goes. What I'd recommend from here:

  1. Preact is pretty small and designed for performance according to its documentation and marketing materials. I still might recommend reaching out to the Performance-Team to get their opinion on best practices for developing with these kinds of libraries and any implications for deploying to production systems.
  2. Given what Preact does, its largest attack surface would probably consist of injection-based attacks stemming from untrusted input. I'd like to investigate these a bit more and explore any developer best practices around mitigating such attacks and provide those here.

Thanks for the recommendations @sbassett. Reaching out to performance was definitely going to be my next step. Thanks for your work so far!

Hey @Jdlrobson - I just wanted to check in and see if there had been any updates on your end (re: the current likelihood of using preact) and if you had a chance to chat with the Performance Team about this yet. I still owe you some security best practices around using preact, which I can hopefully provide sometime soon. Thanks.

sbassett changed the task status from Open to Stalled.Sep 17 2019, 5:14 PM

Hi @sbassett I think stalled is the correct state here. The Frontend architecture working group appears to be working towards a proposal to " select and integrate an open source industry standard frontend Javascript.":

@Jdlrobson - Ok, thanks for the update. I'll leave as stalled until we have a better idea of where that consensus is heading.

sbassett lowered the priority of this task from Medium to Low.Sep 24 2019, 6:00 PM

We are waiting decisions from the Frontend working group and declining until the direction being taken is more clear.