fix(csrf): Fix CSRF vulnerability in OTA examples and libraries #11530


Merged: me-no-dev merged 5 commits into master from bugfix/csrf on Jul 2, 2025

Conversation

me-no-dev (Member) commented Jun 30, 2025 (edited)

me-no-dev requested a review from a team as a code owner, June 30, 2025 11:26
github-actions bot (Contributor) commented Jun 30, 2025 (edited)

Messages
📖🎉 Good Job! All checks are passing!

👋 Hello me-no-dev, we appreciate your contribution to this project!

📘 Please review the project's Contributions Guide for key guidelines on code, documentation, testing, and more.

🖊️ Please also make sure you have read and signed the Contributor License Agreement for this project.

This automated output is generated by the PR linter DangerJS, which checks whether your Pull Request meets the project's requirements and helps you fix potential issues.

DangerJS is triggered with each push event to a Pull Request and modifies the contents of this comment.

Please consider the following:
- Danger mainly focuses on the PR structure and formatting and can't understand the meaning behind your code or changes.
- Danger is not a substitute for human code reviews; it's still important to request a code review from your colleagues.
- To manually retry these Danger checks, please navigate to the Actions tab and re-run the last Danger workflow.

Review and merge process you can expect ...


We do welcome contributions in the form of bug reports, feature requests and pull requests.

1. An internal issue has been created for the PR, we assign it to the relevant engineer.
2. They review the PR and either approve it or ask you for changes or clarifications.
3. Once the GitHub PR is approved we do the final review, collect approvals from core owners and make sure all the automated tests are passing.
- At this point we may do some adjustments to the proposed change, or extend it by adding tests or documentation.
4. If the change is approved and passes the tests it is merged into the default branch.

Generated by 🚫 dangerJS against c94ffcf

github-actions bot (Contributor) commented Jun 30, 2025 (edited)

Memory usage test (comparing PR against master branch)

The table below summarizes the memory usage change (DEC = decrease, INC = increase) in bytes and in percent for each target.

Target    FLASH [bytes]    FLASH [%]      RAM [bytes]    RAM [%]
          DEC    INC       DEC    INC     DEC    INC     DEC    INC
ESP32P4   0      0         0.00   0.00    0      0       0.00   0.00
ESP32S3   0      0         0.00   0.00    0      0       0.00   0.00
ESP32S2   0      0         0.00   0.00    0      0       0.00   0.00
ESP32C3   0      0         0.00   0.00    0      0       0.00   0.00
ESP32C6   0      0         0.00   0.00    0      0       0.00   0.00
ESP32     0      0         0.00   0.00    0      0       0.00   0.00

Detailed deltas report [usage change in BYTES] (no delta reported for any example; "-" means no change)

Example                                          ESP32P4      ESP32S3      ESP32S2      ESP32C3      ESP32C6      ESP32
                                                 FLASH  RAM   FLASH  RAM   FLASH  RAM   FLASH  RAM   FLASH  RAM   FLASH  RAM
libraries/HTTPUpdateServer/examples/WebUpdater   -      -     -      -     -      -     -      -     -      -     -      -
libraries/Update/examples/OTAWebUpdater          -      -     -      -     -      -     -      -     -      -     -      -
libraries/WebServer/examples/WebUpdate           -      -     -      -     -      -     -      -     -      -     -      -

me-no-dev (Member, Author) commented Jun 30, 2025 (edited)

@JLLeitschuh PTAL

me-no-dev requested a review from Copilot, June 30, 2025 12:53

Copilot AI (Contributor) left a comment

Pull Request Overview

This PR fixes a CSRF vulnerability by adding authentication and CSRF header checks to OTA update endpoints across various examples.

  • Enforces authentication on update routes
  • Introduces CSRF header collection and validation in multiple files
  • Applies similar security improvements in both WebUpdate and OTA updater code, as well as in the HTTPUpdateServer

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File: libraries/WebServer/examples/WebUpdate/WebUpdate.ino
Description: Added authentication and CSRF header validation for OTA updates

File: libraries/Update/examples/OTAWebUpdater/OTAWebUpdater.ino
Description: Integrated CSRF checks and authentication in OTA update flow

File: libraries/HTTPUpdateServer/src/HTTPUpdateServer.h
Description: Updated CSRF header collection and verification in the update server

Comments suppressed due to low confidence (3)

libraries/WebServer/examples/WebUpdate/WebUpdate.ino:64

  • Consider adding an inline comment clarifying the CSRF header check logic, explaining the rationale for comparing 'Origin' with 'http://' concatenated with the Host header, to improve future maintainability.

    String origin = server.header(String(csrfHeaders[0]));

libraries/Update/examples/OTAWebUpdater/OTAWebUpdater.ino:74

  • Adding an inline comment to document the CSRF validation steps here would help clarify why the origin is compared to 'http://' + host for maintaining secure updates.

    String origin = server.header(String(csrfHeaders[0]));

libraries/HTTPUpdateServer/src/HTTPUpdateServer.h:111

  • Consider sending an explicit HTTP error response (with an appropriate status code) when the CSRF check fails, to clearly communicate the failure to the client.

    String origin = _server->header(String(csrfHeaders[0]));

me-no-dev changed the title from "fix(csrf): Fix SCRF vulnerability in WebUpdate.ino" to "fix(csrf): Fix SCRF vulnerability in OTA examples and libraries", Jun 30, 2025
me-no-dev self-assigned this, Jun 30, 2025
github-actions bot (Contributor) commented Jun 30, 2025 (edited)

Test Results

 76 files   76 suites   13m 59s ⏱️
 38 tests  38 ✅ 0 💤 0 ❌
241 runs  241 ✅ 0 💤 0 ❌

Results for commit c94ffcf.

♻️ This comment has been updated with latest results.

JLLeitschuh left a comment

This will work, but I'd suggest implementing this as a standard middleware implementation over this solution. That way the logic is reusable. But that's my ten cents. One concern around the use of the Host and Origin headers is that this won't work behind middleware proxies.

That concern is raised here:

> Use the Host header value: If you want your application to find its own target so it doesn't have to be configured for each deployed instance, we recommend using the Host family of headers. The Host header is meant to contain the target origin of the request. But, if your app server is sitting behind a proxy, the Host header value is most likely changed by the proxy to the target origin of the URL behind the proxy, which is different than the original URL. This modified Host header origin won't match the source origin in the original Origin or Referer headers.

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html?utm_source=chatgpt.com#identifying-the-target-origin

I've more frequently seen CSRF protection implemented via a CSRF token in the form post body, but this will likely also work.

@@ -7,11 +7,16 @@

#define SSID_FORMAT "ESP32-%06lX" // 12 chars total
//#define PASSWORD "test123456" // generate if remarked
const char * authUser = "admin";
const char * authPass = "admin";
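Review bot: the added `const char * authUser = "admin";` / `const char * authPass = "admin";` pair ships working default credentials in a file users copy as-is, while the line just above (`//#define PASSWORD "test123456" // generate if remarked`) already establishes a generate-or-placeholder convention for secrets in this example; consider applying the same convention here (a placeholder value or a generated one) and adding a one-line comment stating that these credentials gate the OTA upload route and must be changed before deployment.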


I'd suggest generating a random password that you print to the console to let the user know what it is over using a hard-coded password.

@@ -11,11 +11,16 @@
const char *host = "esp32-webupdate";
const char *ssid = "........";
const char *password = "........";
const char * authUser = "admin";
const char * authPass = "admin";
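Review bot: the new `const char * authUser = "admin";` and `const char * authPass = "admin";` lines sit directly under `const char *ssid = "........";` and `const char *password = "........";`, which use dotted placeholders rather than real values; using the same placeholders (or a comment instructing the user to change them) avoids shipping a known default for the update endpoint, and matching the file's existing `const char *name` spacing would keep the declarations consistent with the surrounding lines.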


Same feedback here. Generate a random password, and serial print it. I would suggest avoiding having this hard-coded in this example.

me-no-dev (Member, Author) replied:

I think you are missing the point that this is an Arduino basic example, whose purpose is not to secure every possible scenario, but instead to showcase a particular use (the Updater class). No sane person will use admin:admin to secure anything. I can put a comment to change the default values or define the user/pass as dots (like the SSID and Pass for WiFi), but anything beyond that is over-complication of an otherwise basic example that needs to be readable and easy to understand by novice users. Same goes for uses behind proxies, sessions, etc., things that are beyond the scope of the examples and whose implementation is not straightforward on memory constrained devices. Surely feel free to propose changes in the form of a Pull Request that will satisfy your requirements :)

Using Host and Origin was stated to be enough of a protection by the links in your initial report. Session tokens are not an option in our case at all.
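The review thread above discusses three things that are easy to get subtly wrong: the Origin-versus-"http://" + Host comparison the PR relies on, the reverse-proxy case JLLeitschuh raises (where Host is rewritten and the comparison fails), and Copilot's suggestion to answer a failed check with an explicit HTTP status. The following is an added, host-testable C++ model of that decision logic; it is not code from the PR or from the arduino-esp32 project. The `CsrfRequest` struct, `checkCsrf`, `originOf` and the optional `trustedOrigins` list are assumptions introduced here, and the header values in `main` are constructed samples. The configured-origins path follows the OWASP recommendation quoted above for deployments behind a proxy.

```cpp
// Added example (not the PR's or the project's code): a pure-C++ model of the
// CSRF source/target origin check discussed in the review thread, written so it
// can be compiled and unit-tested on a workstation rather than on the ESP32.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Constructed stand-in for the headers an ESP32 WebServer request exposes.
struct CsrfRequest {
    std::string host;     // Host header as received by the device
    std::string origin;   // Origin header, "" if the client did not send one
    std::string referer;  // Referer header, "" if absent (fallback source)
};

// Outcome of the check; httpStatus is what the endpoint should answer with.
struct CsrfResult {
    bool allowed;
    int httpStatus;
    std::string reason;
};

// Host names and schemes are case-insensitive, so compare lower-cased copies.
static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Reduce a full URL (e.g. a Referer value) to its origin "scheme://host[:port]".
// Returns "" when the value carries no scheme and therefore no usable origin.
static std::string originOf(const std::string& url) {
    const size_t schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos) return "";
    const size_t pathStart = url.find('/', schemeEnd + 3);
    return url.substr(0, pathStart);  // npos -> the whole string is the origin
}

// Core check. Source origin = Origin header, falling back to the Referer's origin.
// Target origin = "http://" + Host (the PR's approach) unless the deployer has
// configured explicit trusted origins, which is the OWASP-recommended way to keep
// the check working behind a reverse proxy that rewrites Host. A missing source
// is rejected rather than waved through, and every rejection maps to 403.
CsrfResult checkCsrf(const CsrfRequest& req,
                     const std::vector<std::string>& trustedOrigins = {}) {
    const std::string source = req.origin.empty() ? originOf(req.referer) : req.origin;
    if (source.empty()) return {false, 403, "no Origin or Referer header"};

    std::vector<std::string> targets;
    if (trustedOrigins.empty()) {
        targets.push_back("http://" + toLower(req.host));
    } else {
        for (const auto& t : trustedOrigins) targets.push_back(toLower(t));
    }

    const std::string src = toLower(source);
    for (const auto& t : targets) {
        if (src == t) return {true, 200, "source origin matches target origin"};
    }
    return {false, 403, "Origin " + source + " does not match the target origin"};
}

int main() {
    // Constructed sample requests: same-origin, cross-site, proxied, and headerless.
    const std::vector<std::pair<std::string, CsrfRequest>> samples = {
        {"same-origin form post", {"esp32-webupdate", "http://esp32-webupdate", ""}},
        {"cross-site post", {"esp32-webupdate", "http://attacker.example", ""}},
        {"referer fallback", {"esp32-webupdate", "", "http://esp32-webupdate/update"}},
        {"behind proxy, no config", {"10.0.0.5:8080", "https://ota.example.test", ""}},
        {"no source headers", {"esp32-webupdate", "", ""}},
    };
    for (const auto& s : samples) {
        const CsrfResult r = checkCsrf(s.second);
        std::cout << s.first << ": " << r.httpStatus << " (" << r.reason << ")\n";
    }
    // Same proxied request, but with the public origin configured explicitly.
    const CsrfResult proxied = checkCsrf({"10.0.0.5:8080", "https://ota.example.test", ""},
                                         {"https://ota.example.test"});
    std::cout << "behind proxy, configured: " << proxied.httpStatus << "\n";
    return 0;
}
```

On the device the same function body would wrap `server.header("Origin")`, `server.header("Referer")` and `server.header("Host")`, with the endpoint returning `send(403, ...)` on a rejection; keeping the decision in a pure function is also what makes the reusable-middleware shape suggested in review straightforward.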

me-no-dev added the "Status: Pending Merge" (Pull Request is ready to be merged) label, Jul 2, 2025
me-no-dev merged commit f4fdecc into master, Jul 2, 2025
44 checks passed
me-no-dev deleted the bugfix/csrf branch, July 2, 2025 11:41
Reviewers

JLLeitschuh left review comments
Copilot code review left review comments
P-R-O-C-H-Y approved these changes
lucasssvaz: awaiting requested review

Assignees: me-no-dev

Labels: Status: Pending Merge (Pull Request is ready to be merged)
3 participants: @me-no-dev, @JLLeitschuh, @P-R-O-C-H-Y
