fix(csrf): Fix SCRF vulnerability in OTA examples and libraries #11530

Open: wants to merge 3 commits into base: master

Conversation

me-no-dev (Member) commented Jun 30, 2025

@me-no-dev me-no-dev requested a review from a team as a code owner June 30, 2025 11:26
github-actions bot (Contributor) commented Jun 30, 2025

Messages
📖 🎉 Good Job! All checks are passing!

👋 Hello me-no-dev, we appreciate your contribution to this project!


📘 Please review the project's Contributions Guide for key guidelines on code, documentation, testing, and more.

🖊️ Please also make sure you have read and signed the Contributor License Agreement for this project.

This automated output is generated by the PR linter DangerJS, which checks if your Pull Request meets the project's requirements and helps you fix potential issues.

DangerJS is triggered with each push event to a Pull Request and modifies the contents of this comment.

Please consider the following:
- Danger mainly focuses on the PR structure and formatting and can't understand the meaning behind your code or changes.
- Danger is not a substitute for human code reviews; it's still important to request a code review from your colleagues.
- To manually retry these Danger checks, please navigate to the Actions tab and re-run last Danger workflow.

Review and merge process you can expect ...


We do welcome contributions in the form of bug reports, feature requests and pull requests.

1. An internal issue has been created for the PR, and we assign it to the relevant engineer.
2. They review the PR and either approve it or ask you for changes or clarifications.
3. Once the GitHub PR is approved we do the final review, collect approvals from core owners and make sure all the automated tests are passing.
- At this point we may do some adjustments to the proposed change, or extend it by adding tests or documentation.
4. If the change is approved and passes the tests it is merged into the default branch.

Generated by 🚫 dangerJS against 5f74e65

github-actions bot (Contributor) commented Jun 30, 2025

Memory usage test (comparing PR against master branch)

The table below shows the summary of memory usage change (decrease - increase) in bytes and percentage for each target.

Memory  | FLASH [bytes] | FLASH [%]  | RAM [bytes] | RAM [%]
Target  | DEC   INC     | DEC   INC  | DEC   INC   | DEC   INC
ESP32P4 | 0     0       | 0.00  0.00 | 0     0     | 0.00  0.00
ESP32S3 | 0     0       | 0.00  0.00 | 0     0     | 0.00  0.00
ESP32S2 | 0     0       | 0.00  0.00 | 0     0     | 0.00  0.00
ESP32C3 | 0     0       | 0.00  0.00 | 0     0     | 0.00  0.00
ESP32C6 | 0     0       | 0.00  0.00 | 0     0     | 0.00  0.00
ESP32   | 0     0       | 0.00  0.00 | 0     0     | 0.00  0.00

Detailed deltas report [usage change in BYTES]

Target                                         | ESP32P4    | ESP32S3    | ESP32S2    | ESP32C3    | ESP32C6    | ESP32
Example                                        | FLASH  RAM | FLASH  RAM | FLASH  RAM | FLASH  RAM | FLASH  RAM | FLASH  RAM
libraries/HTTPUpdateServer/examples/WebUpdater | -      -   | -      -   | -      -   | -      -   | -      -   | -      -
libraries/Update/examples/OTAWebUpdater        | -      -   | -      -   | -      -   | -      -   | -      -   | -      -
libraries/WebServer/examples/WebUpdate         | -      -   | -      -   | -      -   | -      -   | -      -   | -      -

@me-no-dev me-no-dev requested a review from lucasssvaz June 30, 2025 12:51
me-no-dev (Member, Author) commented Jun 30, 2025

@JLLeitschuh PTAL

@me-no-dev me-no-dev requested a review from Copilot June 30, 2025 12:53
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR fixes a CSRF vulnerability by adding authentication and CSRF header checks to OTA update endpoints across various examples.

  • Enforces authentication on update routes
  • Introduces CSRF header collection and validation in multiple files
  • Applies similar security improvements in both WebUpdate and OTA updater code, as well as in the HTTPUpdateServer

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File                                                        | Description
libraries/WebServer/examples/WebUpdate/WebUpdate.ino        | Added authentication and CSRF header validation for OTA updates
libraries/Update/examples/OTAWebUpdater/OTAWebUpdater.ino   | Integrated CSRF checks and authentication in OTA update flow
libraries/HTTPUpdateServer/src/HTTPUpdateServer.h           | Updated CSRF header collection and verification in the update server
Comments suppressed due to low confidence (3)

libraries/WebServer/examples/WebUpdate/WebUpdate.ino:64

  • Consider adding an inline comment clarifying the CSRF header check logic, explaining the rationale for comparing 'Origin' with 'http://' concatenated with the Host header to improve future maintainability.
          String origin = server.header(String(csrfHeaders[0]));

libraries/Update/examples/OTAWebUpdater/OTAWebUpdater.ino:74

  • Adding an inline comment to document the CSRF validation steps here would help clarify why the origin is compared to 'http://' + host for maintaining secure updates.
    String origin = server.header(String(csrfHeaders[0]));

libraries/HTTPUpdateServer/src/HTTPUpdateServer.h:111

  • Consider sending an explicit HTTP error response (with an appropriate status code) when the CSRF check fails, to clearly communicate the failure to the client.
          String origin = _server->header(String(csrfHeaders[0]));
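As an added illustration of the same-origin check the review comments discuss (example code written for this page, not code from arduino-esp32 or from this PR), the C++ below models an OTA upload handler's CSRF decision: parse the request headers, require an Origin header, compare it with the expected scheme plus the Host header, and answer with an explicit 403 on mismatch, as the third suppressed comment suggests. `parseHeaders`, `checkOtaRequest`, `Verdict` and the constructed sample requests are assumptions of this example, and it goes slightly beyond the page by also accepting the https scheme when the server itself serves TLS.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <string>
#include <vector>

// Added example, not code from arduino-esp32. It models the same-origin check the
// PR adds to the OTA upload handlers: the Origin request header must equal the
// scheme plus the Host header. Header names are folded to lower case because
// HTTP header names are case-insensitive.
using HeaderMap = std::map<std::string, std::string>;

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

static std::string trim(const std::string& s) {
    size_t b = s.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    size_t e = s.find_last_not_of(" \t\r");
    return s.substr(b, e - b + 1);
}

// Parse "Name: value" lines (a constructed stand-in for the request a web server
// hands to its handler) into a map keyed by lower-cased header name.
HeaderMap parseHeaders(const std::vector<std::string>& lines) {
    HeaderMap h;
    for (const auto& line : lines) {
        size_t colon = line.find(':');
        if (colon == std::string::npos) continue;
        h[lower(trim(line.substr(0, colon)))] = trim(line.substr(colon + 1));
    }
    return h;
}

struct Verdict {
    int status;          // HTTP status the handler should send back
    std::string reason;  // text for the response body or a log line
};

// tls says whether this server serves HTTPS, so the expected scheme comes from
// the server's own configuration rather than from anything the client sent.
Verdict checkOtaRequest(const HeaderMap& h, bool tls) {
    auto host = h.find("host");
    if (host == h.end() || host->second.empty()) return {400, "missing Host header"};
    auto origin = h.find("origin");
    if (origin == h.end() || origin->second.empty())
        return {403, "missing Origin header; cross-site upload rejected"};
    std::string expected = std::string(tls ? "https://" : "http://") + host->second;
    // Origin carries scheme://host[:port] and no path, so an exact comparison is
    // enough; both sides are lower-cased because scheme and host are case-insensitive.
    if (lower(origin->second) != lower(expected))
        return {403, "Origin " + origin->second + " does not match " + expected};
    return {200, "same-origin request"};
}

int main() {
    // Constructed sample requests: one from the device's own page, one cross-site.
    auto ok  = parseHeaders({"Host: 192.168.1.50", "Origin: http://192.168.1.50",
                             "Content-Type: multipart/form-data"});
    auto bad = parseHeaders({"Host: 192.168.1.50", "Origin: http://other.example"});
    bool pass = checkOtaRequest(ok, false).status == 200 &&
                checkOtaRequest(bad, false).status == 403;
    return pass ? 0 : 1;
}
```

The status code is returned rather than written directly so the same decision can feed whichever server API is in use; a handler would send the 403 and its reason before touching the update flow at all.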

@me-no-dev me-no-dev changed the title fix(csrf): Fix SCRF vulnerability in WebUpdate.ino fix(csrf): Fix SCRF vulnerability in OTA examples and libraries Jun 30, 2025
@me-no-dev me-no-dev self-assigned this Jun 30, 2025
github-actions bot (Contributor) commented Jun 30, 2025

Test Results

 76 files   76 suites   13m 8s ⏱️
 38 tests  38 ✅ 0 💤 0 ❌
241 runs  241 ✅ 0 💤 0 ❌

Results for commit 5f74e65.

♻️ This comment has been updated with latest results.
