
Application Security Review Request: webonyx/graphql-php
Closed, Resolved (Public)

Description

Project Information

Description of the tool/project:
PHP implementation of the GraphQL specification based on the reference implementation in JavaScript.

Description of how the tool will be used at WMF:
The Wikibase Reuse Team is currently exploring GraphQL as an alternative data access method. We believe that GraphQL's flexible data retrieval and the ability to traverse linked structures, such as statement properties and statement entity values, are overall a better developer experience for Wikidata/Wikibase data reusers than the existing REST and Action APIs. We also hope to cover some new use cases for which users currently tend to resort to using the SPARQL query service even though no advanced graph queries are needed.

We want to introduce a GraphQL endpoint for Wikibase (Wikibase Repository extension), initially on a Special:WikibaseGraphQL special page (similar to what the GraphQL extension does) to allow read-only queries of item data. As a first step, we will create a prototype to gather user feedback on Beta Wikidata (T399452), and then start the development of the GraphQL endpoint intended for production use after that.

Dependencies
None

Has this project been reviewed before?
No

Working test environment
N/A

Post-deployment
WMDE Engineering / Wikibase Reuse Team

Details

Risk Rating
Low
Related Changes in Gerrit:

Event Timeline

@Jakob_WMDE et al - In chatting with @ATsay-WMF re: timelines, we'll plan to complete this review early next quarter (2025-10-01 to 2025-12-31).

sbassett changed the task status from Open to In Progress. Oct 7 2025, 3:58 PM
sbassett assigned this task to Reedy.
sbassett triaged this task as Medium priority.
sbassett moved this task from Back Orders to In Progress on the secscrum board.

Hi there, checking in on behalf of the Wikibase Reuse team - is the plan to still have the review done by end of this year?

It's still slated to be completed by @Reedy by the end of December 2025.

Hi there, by when can y'all expect to have this done by? We are planning to release by early Feb and I need some time before to check a few things and a date would help me greatly. Thanks!

Hi @Ifrahkhanyaree_WMDE - apologies on behalf of the Security-Team. We’ve reprioritized this review and expect it to be completed by the end of this week.

The results will be posted on 23rd January.

Thanks for your patience.

thanks so much! quick clarification question - what's the difference between it being completed vs. the results being posted? Would it take another month until we can officially use it on production?

My mistake - I meant January not February.

(ref: https://www.mediawiki.org/wiki/Wikimedia_Security_Team/Third_Party_Code_Review_Checklist)

Security Review Summary - T399459 - 2026-01-23

The vendor code under review appears to have solid security fundamentals. The project is actively maintained and its usage patterns appear sound. No vulnerable dependencies or SAST findings were identified.

However, critical protections such as query depth and query complexity limits are disabled by default. We therefore strongly recommend reviewing the project’s security.md to understand and apply the available mitigations for these potential security weaknesses. Additional recommendations are provided below in the section: General Security Considerations.

The overall risk rating is: low.

graphql-php

General Security Information

| Statistic/Info | Value | Risk |
| --- | --- | --- |
| Repository | github | none |
| Relevant tag/branch | master | none |
| Last commit reviewed (if relevant) | e9f08a45 | none |
| Recent contributions to code (6 months) | 85 | low |
| Active developers with > 10 commits | 11 | low |
| Current overall usage | 4.7k stars, 570 forks | low |
| Current open security issues | 0 | none |
| Methods for reporting security issues | no policy | low |

Vulnerable Packages
Risk: low

Numerous tools including osv_scanner, composer and various language-specific audit tools were run and no vulnerabilities were found.

However, we point out that these 2 packages are abandoned:

| Abandoned Package | Suggested Replacement |
| --- | --- |
| doctrine/annotations | none |
| league/uri-parser | league/uri-interfaces |

Outdated Packages
As reported via composer outdated:
(no explicit vulnerabilities reported, simply noting for completeness' sake.)

| Package | Current | Wanted | Latest (Remediation) |
| --- | --- | --- | --- |
| amphp/amp | 2.6.5 | 3.1.1 | 3.1.1 |
| amphp/http-server | 2.1.8 | 3.4.3 | 3.4.3 |
| phpunit/phpunit | 10.5.60 | 12.5.6 | 12.5.6 |
| psr/http-message | 1.1 | 2.0 | 2.0 |

Scorecard score
5.3 / 10 low
(see output)

General Security Considerations (medium)

  1. Query Depth and Complexity Attacks - Given that queries might explode exponentially, it is recommended to enforce QueryDepth and QueryComplexity with custom field.
  2. Rate Limiting - The library has no built-in rate limiting. It is recommended to integrate with WMF's rate limiting infrastructure.
  3. Entity Traversal Amplification - Since items can have millions of instances, without pagination limits enforced at the schema level, a single query could attempt to return unbounded result sets leading to resource exhaustion.

Static Analysis Findings
Risk: low

No findings via semgrep and similar tools.
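The following is an added illustration of the first and third considerations above; it is not code from this task, from Wikibase, or from graphql-php itself. It assumes graphql-php v15 installed via Composer, and the `Item`/`linkedItems(first:)` schema, the limits of 5 and 200, and the sample query are all constructed for the example. It shows how the QueryDepth and QueryComplexity validation rules, which the review notes are disabled by default, are switched on for every `GraphQL::executeQuery()` call, and how a per-field `complexity` callback makes a list field's cost scale with its requested page size so that fan-out across linked entities is priced rather than merely counted.

```php
<?php
// Added example (not from the task or from graphql-php): enable the depth and
// complexity rules globally and price a paginated edge by its `first` argument.
// Assumes graphql-php v15 is available through Composer's autoloader.
require_once __DIR__ . '/vendor/autoload.php';

use GraphQL\GraphQL;
use GraphQL\Type\Definition\ObjectType;
use GraphQL\Type\Definition\Type;
use GraphQL\Type\Schema;
use GraphQL\Validator\DocumentValidator;
use GraphQL\Validator\Rules\QueryComplexity;
use GraphQL\Validator\Rules\QueryDepth;

// Constructed toy type: a hypothetical `Item` with a recursive `linkedItems`
// edge, standing in for traversal from an item to its statement entity values.
$itemType = null;
$itemType = new ObjectType([
    'name' => 'Item',
    'fields' => static function () use (&$itemType): array {
        return [
            'id' => Type::nonNull(Type::id()),
            'label' => Type::string(),
            'linkedItems' => [
                'type' => Type::listOf($itemType),
                'args' => [
                    // Explicit default so an omitted `first` is still bounded.
                    'first' => ['type' => Type::int(), 'defaultValue' => 10],
                ],
                // Cost = 1 for this field plus the children's cost once per
                // requested row; nested fan-out therefore multiplies, which is
                // exactly what the complexity limit is meant to catch.
                'complexity' => static function (int $childrenComplexity, array $args): int {
                    return 1 + $childrenComplexity * (int) ($args['first'] ?? 10);
                },
                'resolve' => static fn (array $item): array => $item['linked'] ?? [],
            ],
        ];
    },
]);

$schema = new Schema([
    'query' => new ObjectType([
        'name' => 'Query',
        'fields' => [
            'item' => [
                'type' => $itemType,
                'args' => ['id' => Type::nonNull(Type::id())],
                // Constructed resolver returning a stand-in record.
                'resolve' => static fn ($root, array $args): array => [
                    'id' => $args['id'],
                    'label' => 'constructed sample',
                    'linked' => [],
                ],
            ],
        ],
    ]),
]);

// Illustrative limits (assumed values, tune per endpoint). Rules added here
// join the global set used by every executeQuery() call that does not pass
// its own validation rules.
DocumentValidator::addRule(new QueryDepth(5));
DocumentValidator::addRule(new QueryComplexity(200));

// Constructed query: nesting stays under the depth limit, but `first: 100` at
// two levels makes the priced complexity far exceed 200, so it is rejected
// before any resolver runs.
$query = <<<'GRAPHQL'
{
  item(id: "Q42") {
    id
    linkedItems(first: 100) {
      id
      linkedItems(first: 100) {
        id
      }
    }
  }
}
GRAPHQL;

$result = GraphQL::executeQuery($schema, $query)->toArray();

if (isset($result['errors'])) {
    foreach ($result['errors'] as $error) {
        echo $error['message'], PHP_EOL;
    }
} else {
    echo 'query accepted', PHP_EOL;
}
```

Working through the constructed query with the callback above: the inner `linkedItems` costs 1 + 1 × 100 = 101, the outer one 1 + (1 + 101) × 100 = 10201, so the whole operation is priced above 10000 against a limit of 200 and validation fails with a QueryComplexity error. Dropping the `first` arguments yields the default of 10 per level and a cost of 1 + (1 + (1 + 1 × 10)) × 10 = 121 plus the outer fields, which passes. Rate limiting (the second consideration) is not shown because the library offers none; it belongs in the surrounding MediaWiki request handling.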

Change #1194238 had a related patch set uploaded (by Jforrester; author: Reedy):

[mediawiki/vendor@master] DMN: Add webonyx/graphql-php (v15.30.0)

https://gerrit.wikimedia.org/r/1194238

Change #1194238 merged by jenkins-bot:

[mediawiki/vendor@master] Add webonyx/graphql-php (v15.30.0)

https://gerrit.wikimedia.org/r/1194238