Page MenuHomePhabricator

Security review for the sly/notification-pusher library
Closed, DeclinedPublic

Description

The notification-pusher PHP library supports push notifications for APNS (iOS) and FCM (Android). Product Infrastructure prospectively intends to use it in the proposed PushNotifications MW extension, and requests security review for its inclusion in the mediawiki-vendor repo.

https://packagist.org/packages/sly/notification-pusher
https://github.com/Ph3nol/NotificationPusher

Event Timeline

Mholloway created this task.Mar 3 2020, 6:58 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 3 2020, 6:58 PM

Yep, that one's for web, this is for apps.

Reedy added a comment.Mar 3 2020, 7:07 PM

It would look like someone needs to do some work upstream to tidy up the install of this. Filed https://github.com/Ph3nol/NotificationPusher/issues/188

However, looking more closely, https://packagist.org/packages/zendframework/zendservice-apple-apns and https://packagist.org/packages/zendframework/zendservice-apple-apns are abandoned

Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 23 installs, 0 updates, 0 removals
  - Installing psr/log (1.1.2): Loading from cache
  - Installing symfony/debug (v4.4.5): Loading from cache
  - Installing symfony/polyfill-ctype (v1.14.0): Loading from cache
  - Installing symfony/filesystem (v4.4.5): Downloading (100%)         
  - Installing doctrine/inflector (1.3.1): Downloading (100%)         
  - Installing zendframework/zend-json (3.1.2): Downloading (100%)         
  - Installing zendframework/zend-stdlib (3.2.1): Downloading (100%)         
  - Installing psr/container (1.0.0): Loading from cache
  - Installing container-interop/container-interop (1.2.0): Downloading (100%)         
  - Installing zendframework/zend-validator (2.13.0): Downloading (100%)         
  - Installing zendframework/zend-escaper (2.6.1): Downloading (100%)         
  - Installing zendframework/zend-uri (2.7.1): Downloading (100%)         
  - Installing zendframework/zend-loader (2.6.1): Downloading (100%)         
  - Installing zendframework/zend-http (2.11.2): Downloading (100%)         
  - Installing zendframework/zendservice-google-gcm (2.1.1): Downloading (100%)         
  - Installing zendframework/zendservice-apple-apns (1.4.1): Downloading (100%)         
  - Installing symfony/process (v4.4.5): Downloading (100%)         
  - Installing symfony/service-contracts (v2.0.1): Loading from cache
  - Installing symfony/polyfill-php73 (v1.14.0): Loading from cache
  - Installing symfony/polyfill-mbstring (v1.14.0): Loading from cache
  - Installing symfony/console (v4.4.5): Loading from cache
  - Installing symfony/options-resolver (v4.4.5): Downloading (100%)         
  - Installing sly/notification-pusher (v2.3.6): Downloading (100%)         
zendframework/zend-json suggests installing zendframework/zend-json-server (For implementing JSON-RPC servers)
zendframework/zend-json suggests installing zendframework/zend-xml2json (For converting XML documents to JSON)
zendframework/zend-validator suggests installing psr/http-message (psr/http-message, required when validating PSR-7 UploadedFileInterface instances via the Upload and UploadFile validators)
zendframework/zend-validator suggests installing zendframework/zend-db (Zend\Db component, required by the (No)RecordExists validator)
zendframework/zend-validator suggests installing zendframework/zend-filter (Zend\Filter component, required by the Digits validator)
zendframework/zend-validator suggests installing zendframework/zend-i18n (Zend\I18n component to allow translation of validation error messages)
zendframework/zend-validator suggests installing zendframework/zend-math (Zend\Math component, required by the Csrf validator)
zendframework/zend-validator suggests installing zendframework/zend-i18n-resources (Translations of validator messages)
zendframework/zend-validator suggests installing zendframework/zend-servicemanager (Zend\ServiceManager component to allow using the ValidatorPluginManager and validator chains)
zendframework/zend-validator suggests installing zendframework/zend-session (Zend\Session component, ^2.8; required by the Csrf validator)
zendframework/zend-http suggests installing paragonie/certainty (For automated management of cacert.pem)
symfony/service-contracts suggests installing symfony/service-implementation
symfony/console suggests installing symfony/event-dispatcher
symfony/console suggests installing symfony/lock
Package zendframework/zend-json is abandoned, you should avoid using it. Use laminas/laminas-json instead.
Package zendframework/zend-stdlib is abandoned, you should avoid using it. Use laminas/laminas-stdlib instead.
Package container-interop/container-interop is abandoned, you should avoid using it. Use psr/container instead.
Package zendframework/zend-validator is abandoned, you should avoid using it. Use laminas/laminas-validator instead.
Package zendframework/zend-escaper is abandoned, you should avoid using it. Use laminas/laminas-escaper instead.
Package zendframework/zend-uri is abandoned, you should avoid using it. Use laminas/laminas-uri instead.
Package zendframework/zend-loader is abandoned, you should avoid using it. Use laminas/laminas-loader instead.
Package zendframework/zend-http is abandoned, you should avoid using it. Use laminas/laminas-http instead.
Package zendframework/zendservice-google-gcm is abandoned, you should avoid using it. No replacement was suggested.
Writing lock file
Generating autoload files

Yikes, thanks. Maybe best not to spend further time reviewing this one, then. We'll look around for a more viable PHP library.

Reedy changed the task status from Open to Stalled.Mar 3 2020, 7:13 PM

Just based on https://github.com/zendframework/ZendService_Apple_Apns and https://github.com/zendframework/ZendService_Google_Gcm alone being abandoned, I suspect expecting functionality to work longer term is going to be not so likely.. Never mind any attempts at getting maintenance, security fixes etc in.

Tagging stalled. I think you might want to have a bit of a think and a look to see if there's something else out there that fits your needs that isn't full of unsupported dependancies...

(Though hmm, FWIW, https://github.com/zendframework/ZendService_Apple_Apns shows more recent activity (March 2019) than a lot of open source push notification projects, despite being marked abandoned.)

Reedy added a comment.Mar 3 2020, 7:19 PM

(Though hmm, FWIW, https://github.com/zendframework/ZendService_Apple_Apns shows more recent activity (March 2019) than a lot of open source push notification projects, despite being marked abandoned.)

The github repos have been marked as readonly, which isn't a good sign. That was in December 2019

No major rush... If we need to proceed with the libraries as is, we can cross that bridge when we come to it, but we would probably need to work out some sort of maintenance plan (possibly forking?) if something happens and we need to make changes for whatever reasons

LGoto triaged this task as Medium priority.Mar 4 2020, 4:34 PM
Reedy claimed this task.Mar 10 2020, 4:57 PM
Reedy moved this task from Incoming to Waiting on the Security Readiness Reviews board.
chasemp moved this task from Incoming to Waiting on the secscrum board.Mar 10 2020, 8:12 PM
Mholloway closed this task as Declined.May 12 2020, 5:28 PM

We won't be using this library.

sbassett moved this task from Waiting to Our Part Is Done on the secscrum board.May 14 2020, 4:15 PM