Page MenuHomePhabricator

Security review for the minishlink/web-push PHP library
Closed, DeclinedPublic

Description

The web-push PHP library supports web push notifications. Product Infrastructure prospectively intends to use it in the proposed PushNotifications MW extension, and requests security review for its inclusion in the mediawiki-vendor repo.

https://packagist.org/packages/minishlink/web-push
https://github.com/web-push-libs/web-push-php

Already reviewed/included in MediaWiki-Vendor:

Event Timeline

Mholloway created this task.Mar 2 2020, 8:54 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 2 2020, 8:54 PM
Reedy updated the task description. (Show Details)Mar 2 2020, 11:13 PM
Reedy updated the task description. (Show Details)Mar 2 2020, 11:20 PM
Reedy claimed this task.Mar 3 2020, 6:12 PM
Reedy triaged this task as Low priority.
Jcross raised the priority of this task from Low to Needs Triage.Mar 3 2020, 6:12 PM
Jcross triaged this task as Medium priority.
chasemp moved this task from Incoming to In Progress on the secscrum board.Mar 10 2020, 8:15 PM
Reedy added a comment.Mar 15 2020, 5:31 PM

Noted as per https://github.com/paragonie/random_compat#version-99999 and https://github.com/paragonie/sodium_compat, both of these libraries are not needed on the version of PHP we're using. The format is for PHP 5.x, the latter is in PHP 7.2.0+ (which we're running in WMF prod)

So like the symonfy polyfills we have, these should be replaced away - https://github.com/wikimedia/mediawiki-vendor/blob/d260535/composer.json#L122-L126

Reedy updated the task description. (Show Details)Mar 15 2020, 5:31 PM
Reedy updated the task description. (Show Details)Mar 15 2020, 5:38 PM

Change 579872 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/vendor@master] Add minishlink/web-push

https://gerrit.wikimedia.org/r/579872

Reedy updated the task description. (Show Details)Mar 15 2020, 6:03 PM
Reedy added a comment.Mar 15 2020, 6:50 PM

minishlink/web-push depends on a slew of old branches of dependancies... https://github.com/web-push-libs/web-push-php/issues/260 was created in December, no response from the authors so far. The dependancy authors seem much more active. It also results in tests and other files being brought in that aren't needed (https://github.com/web-token/jwt-framework/issues/245 filed to find out if the v1.x/v1.3 branches are actually still supported)

The developers of minishlink/web-push don't seem very active, no real activity for while. All recent PR seem to show tests are broken on it (I've filed https://github.com/web-push-libs/web-push-php/issues/274)

This lack of maintenance/activity is of course somewhat of a concern.

I'm guessing there's not really (m)any other options?

Reedy changed the task status from Open to Stalled.Apr 6 2020, 2:42 PM

The developers of minishlink/web-push don't seem very active, no real activity for while. All recent PR seem to show tests are broken on it (I've filed https://github.com/web-push-libs/web-push-php/issues/274)

This lack of maintenance/activity is of course somewhat of a concern.

I'm guessing there's not really (m)any other options?

Still no activity...

I did however get https://github.com/web-token/jwt-framework/pull/246 merged into the v1.3 branches of the webtoken/jwt-* libraries. Still waiting for things to be pushed to the sub repos, and releases tagged (https://github.com/web-token/jwt-framework/pull/246#issuecomment-604970676). This will remove a lot of the "extra" files from the vendor patch as seen in https://gerrit.wikimedia.org/r/#/c/mediawiki/vendor/+/579872/

The web-token/jwt-* librares I'm not so concerned about (bar using an older branch which is unsupported as per https://github.com/web-token/jwt-framework/issues/245#issuecomment-601563271, however, the developer there is at least responsive, if we found some sort of issue - hell, he merged a PR because it would be useful for us and others). There's tasks in minishlink/web-push about upgrading those, but no responses. Which means if any security issues are brought up, I'm not really confident anyone might deal with them, nor get them resolved. That's non withstanding any other Technical-Debt type issues that might occur; logspam on newer PHP etc

Tagging stalled for the moment

Reedy moved this task from In Progress to Waiting on the secscrum board.Apr 6 2020, 2:43 PM
Reedy added a comment.Apr 7 2020, 12:30 PM

v1.3.10 got tagged, removing ~7500 lines out of ~18300

Mholloway closed this task as Declined.May 12 2020, 5:30 PM

Web push is out of scope for initial launch, so let's close this out for now, possibly to be reopened when the time comes. Thanks @Reedy for your work on this.

Change 579872 abandoned by Reedy:
Add minishlink/web-push

https://gerrit.wikimedia.org/r/579872

sbassett moved this task from Waiting to Our Part Is Done on the secscrum board.May 14 2020, 4:15 PM