⚓ T246714 Security review for the minishlink/web-push PHP library

	Subject	Repo	Branch	Lines +/-
	Add minishlink/web-push	mediawiki/vendor	master	+10 K -9

Status	Assigned	Task
Resolved	sbassett	T251190 Security Request For Service - Push Notifications
Resolved	• Mholloway	T262936 Enable app push notifications in production
Resolved	sbassett	T246712 Security Readiness Review for push notifications infrastructure
Declined	Reedy	T246714 Security review for the minishlink/web-push PHP library

• Mholloway created this task.Mar 2 2020, 8:54 PM

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 2 2020, 8:54 PM

• Mholloway mentioned this in T246712: Security Readiness Review for push notifications infrastructure.Mar 2 2020, 8:55 PM

Reedy updated the task description. (Show Details)Mar 2 2020, 11:13 PM

Reedy updated the task description. (Show Details)Mar 2 2020, 11:20 PM

• Mholloway added a parent task: T246712: Security Readiness Review for push notifications infrastructure.Mar 3 2020, 4:36 PM

Reedy moved this task from Incoming to In Progress on the Application Security Reviews board.Mar 3 2020, 6:09 PM

Reedy claimed this task.Mar 3 2020, 6:12 PM

Reedy triaged this task as Low priority.

• Jcross raised the priority of this task from Low to Needs Triage.Mar 3 2020, 6:12 PM

• Jcross triaged this task as Medium priority.

Reedy mentioned this in T246810: Security review for the sly/notification-pusher library.Mar 3 2020, 6:59 PM

LGoto moved this task from Needs triage to Tracking on the Product-Infrastructure-Team-Backlog-Deprecated board.Mar 4 2020, 4:36 PM

• chasemp added a project: secscrum.Mar 10 2020, 8:11 PM

• chasemp moved this task from Incoming to In Progress on the secscrum board.Mar 10 2020, 8:15 PM

Noted as per https://github.com/paragonie/random_compat#version-99999 and https://github.com/paragonie/sodium_compat, both of these libraries are not needed on the version of PHP we're using. The format is for PHP 5.x, the latter is in PHP 7.2.0+ (which we're running in WMF prod)

So like the symonfy polyfills we have, these should be replaced away - https://github.com/wikimedia/mediawiki-vendor/blob/d260535/composer.json#L122-L126

Reedy updated the task description. (Show Details)Mar 15 2020, 5:31 PM

Reedy updated the task description. (Show Details)Mar 15 2020, 5:38 PM

Change 579872 had a related patch set uploaded (by Reedy; owner: Reedy):
[mediawiki/vendor@master] Add minishlink/web-push

https://gerrit.wikimedia.org/r/579872

gerritbot added a project: Patch-For-Review.Mar 15 2020, 5:57 PM

Reedy updated the task description. (Show Details)Mar 15 2020, 6:03 PM

minishlink/web-push depends on a slew of old branches of dependancies... https://github.com/web-push-libs/web-push-php/issues/260 was created in December, no response from the authors so far. The dependancy authors seem much more active. It also results in tests and other files being brought in that aren't needed (https://github.com/web-token/jwt-framework/issues/245 filed to find out if the v1.x/v1.3 branches are actually still supported)

The developers of minishlink/web-push don't seem very active, no real activity for while. All recent PR seem to show tests are broken on it (I've filed https://github.com/web-push-libs/web-push-php/issues/274)

This lack of maintenance/activity is of course somewhat of a concern.

I'm guessing there's not really (m)any other options?

In T246714#5970765, @Reedy wrote:

The developers of minishlink/web-push don't seem very active, no real activity for while. All recent PR seem to show tests are broken on it (I've filed https://github.com/web-push-libs/web-push-php/issues/274)

This lack of maintenance/activity is of course somewhat of a concern.

I'm guessing there's not really (m)any other options?

Still no activity...

I did however get https://github.com/web-token/jwt-framework/pull/246 merged into the v1.3 branches of the webtoken/jwt-* libraries. Still waiting for things to be pushed to the sub repos, and releases tagged (https://github.com/web-token/jwt-framework/pull/246#issuecomment-604970676). This will remove a lot of the "extra" files from the vendor patch as seen in https://gerrit.wikimedia.org/r/#/c/mediawiki/vendor/+/579872/

The web-token/jwt-* librares I'm not so concerned about (bar using an older branch which is unsupported as per https://github.com/web-token/jwt-framework/issues/245#issuecomment-601563271, however, the developer there is at least responsive, if we found some sort of issue - hell, he merged a PR because it would be useful for us and others). There's tasks in minishlink/web-push about upgrading those, but no responses. Which means if any security issues are brought up, I'm not really confident anyone might deal with them, nor get them resolved. That's non withstanding any other Technical-Debt type issues that might occur; logspam on newer PHP etc

Tagging stalled for the moment

Reedy moved this task from In Progress to Waiting on the secscrum board.Apr 6 2020, 2:43 PM

v1.3.10 got tagged, removing ~7500 lines out of ~18300

• Mholloway added a project: Push-Notification-Service.Apr 16 2020, 1:40 PM

• Mholloway moved this task from Backlog to Tracking on the Push-Notification-Service board.

Web push is out of scope for initial launch, so let's close this out for now, possibly to be reopened when the time comes. Thanks @Reedy for your work on this.

Change 579872 abandoned by Reedy:
Add minishlink/web-push

https://gerrit.wikimedia.org/r/579872

sbassett moved this task from Waiting to Our Part Is Done on the secscrum board.May 14 2020, 4:15 PM

Security review for the minishlink/web-push PHP library
Closed, DeclinedPublic
Actions

Description

Details

Related Objects
Search...

Event Timeline

	F31656407: image.png
	Mar 2 2020, 11:20 PM

Security review for the minishlink/web-push PHP libraryClosed, DeclinedPublicActions

Description

Details

Related ObjectsSearch...

Event Timeline

Security review for the minishlink/web-push PHP library
Closed, DeclinedPublic
Actions

Related Objects
Search...