perf: move runtime state files to /tmp/kvm (now_fps,width,height,wifi_state)#25
Draft
winstar0070 wants to merge 24 commits into main from
Conversation
The validate() function previously deleted and recreated server.yaml when port values were missing or invalid. This caused user settings like authentication: "disable" to be silently lost. Now sets default values for missing port fields without deleting the config file, preserving all other user settings. Fixes #4 Ref: sipeed#506
Add validateWifiInput() to both ConnectWifiNoAuth and ConnectWifi:
- SSID length validation (1-32 chars per IEEE 802.11)
- Password length validation (8-63 chars for WPA2)
- Reject control characters and shell metacharacters to prevent command injection when values are read by shell scripts

The SSID and password are written to files that shell scripts read, so sanitizing these inputs is critical for security. Fixes #2 Ref: sipeed#431
Add CSRFProtection middleware that validates Origin header on state-changing requests (POST, PUT, DELETE, PATCH):
- Rejects requests where Origin host doesn't match request Host
- Allows requests without Origin header (non-browser API clients)
- Skipped when authentication is disabled (CORS AllowAll already set)
- Safe methods (GET, HEAD, OPTIONS) are always allowed

This prevents cross-site request forgery attacks where malicious websites could make authenticated requests to the KVM device. Fixes #5 Ref: sipeed#270
- Validate update filename against path traversal attacks (reject names containing "..", directory separators, or special characters)
- Add file size verification after download
- Use HTTP client with 30-second timeout instead of default (prevents indefinite hangs)

The existing SHA-512 hash verification is preserved. These additions provide defense-in-depth against CDN compromise or MITM attacks. Fixes #7 Ref: sipeed#270
- Add CheckWebSocketOrigin() in middleware to validate Origin header on WebSocket upgrade requests (rejects cross-origin connections)
- Apply to all 5 WebSocket upgraders: HID, terminal, h264, webrtc, direct
- Add empty data guard in ws/client.go to prevent index out of bounds panic
- When authentication is disabled, all origins are allowed (existing behavior)

Without this fix, a malicious website can hijack WebSocket connections using the victim's JWT cookie to control keyboard/mouse, access root shell, or crash the server with an empty message. Fixes #14
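An added example, not the project's updater, of the three hardening steps this commit describes: the filename check before the name touches a path, a 30-second client timeout, and a size check after download. The allowlist regex, `validateUpdateFilename` and `downloadUpdate` are this example's own choices, and the expected size is taken from the response's Content-Length because the commit does not say where it comes from.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"os"
	"path/filepath"
	"regexp"
	"strings"
	"time"
)

// Allowlist for update names; the exact set is this example's own choice.
var updateName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$`)

// validateUpdateFilename rejects "..", separators and other special characters.
func validateUpdateFilename(name string) error {
	if strings.Contains(name, "..") || !updateName.MatchString(name) {
		return fmt.Errorf("update filename %q rejected", name)
	}
	return nil
}

// downloadUpdate fetches baseURL/name into destDir with a 30 s overall timeout
// and checks the bytes written against Content-Length (SHA-512 would follow).
func downloadUpdate(baseURL, name, destDir string) (string, error) {
	if err := validateUpdateFilename(name); err != nil {
		return "", err
	}
	resp, err := (&http.Client{Timeout: 30 * time.Second}).Get(baseURL + "/" + name)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	f, err := os.Create(filepath.Join(destDir, name)) // safe: name has no separators
	if err != nil {
		return "", err
	}
	n, err := io.Copy(f, resp.Body)
	f.Close()
	if err == nil && resp.ContentLength >= 0 && n != resp.ContentLength {
		err = fmt.Errorf("size mismatch: got %d, want %d bytes", n, resp.ContentLength)
	}
	if err != nil {
		os.Remove(f.Name()) // never leave a partial or wrong-sized update behind
		return "", err
	}
	return f.Name(), nil
}
```

The default `http.Client` has no timeout at all, which is the indefinite hang the commit refers to.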
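An added example, not the project's middleware, of the two Origin checks described in this commit and the CSRF commit above, written against net/http: `originAllowed` is shared by a request-middleware wrapper and a function with the shape an upgrader's `CheckOrigin` hook takes. The names `csrfProtection`, `originAllowed` and `websocketCheckOrigin` are this example's own, and the host comparison deliberately includes the port, as a browser's Origin header does.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// originAllowed decides whether a browser-originated request may proceed.
// authDisabled mirrors the PR's "skipped when authentication is disabled" rule.
func originAllowed(r *http.Request, authDisabled bool) bool {
	if authDisabled {
		return true
	}
	origin := r.Header.Get("Origin")
	if origin == "" {
		return true // non-browser API clients send no Origin header
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false // "null" or a malformed Origin is treated as cross-site
	}
	// Host and port both have to match; browsers include the port in Origin.
	return strings.EqualFold(u.Host, r.Host)
}

// csrfProtection wraps a handler: safe methods pass through, state-changing
// methods (POST, PUT, DELETE, PATCH, ...) must satisfy originAllowed.
func csrfProtection(next http.Handler, authDisabled bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r)
			return
		}
		if !originAllowed(r, authDisabled) {
			http.Error(w, "cross-origin request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// websocketCheckOrigin has the signature an upgrader's CheckOrigin hook takes.
// WebSocket upgrades are GETs, so the safe-method exemption above must not apply.
func websocketCheckOrigin(authDisabled bool) func(*http.Request) bool {
	return func(r *http.Request) bool { return originAllowed(r, authDisabled) }
}
```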
Read /etc/hostname and pass it to udhcpc via -x hostname option in both ethernet and wifi init scripts. This allows DHCP servers to register the device hostname, making it easier to identify NanoKVM devices on the network. Uses -x hostname: instead of -F for better compatibility with various DHCP server implementations (e.g. Mikrotik).
When usb.disk0 is empty, no backing file is set instead of defaulting to /dev/mmcblk0p3. This prevents Legacy BIOS systems from hanging during boot when the raw eMMC partition was exposed as a USB disk. Cherry-picked from: sipeed#741 Original author: MagnaCapax
Use the unique hardware UID from /sys/class/cvi-base/base_uid as the USB serial number instead of a hardcoded value. Falls back to the default if the UID file is not available. Cherry-picked from: sipeed#746 Original author: JakeHillion
Add -O 121 flag to all udhcpc calls in both S30eth and S30wifi. This allows network administrators to push classless static routes to the device for isolated network segments.
Remove shell metacharacter blocklist from WiFi input validation. Characters like $, ', ", etc. are commonly used in WiFi passwords and should not be rejected. S30wifi already uses proper quoting (wpa_passphrase "$ssid" "$pass") so injection is not a risk. Only control characters (< 0x20, DEL) are blocked as they could break file storage or wpa_supplicant config parsing.
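An added example, not the project's `validateWifiInput`, of the rules as they stand after this commit and the earlier one that introduced the check: length limits and rejection of control characters only, with shell metacharacters allowed. Lengths are counted in bytes here, which is what the 802.11 SSID limit actually measures; `firstControlByte` is a helper of this example.

```go
package main

import "fmt"

// validateWifiInput applies the PR's final rules: SSID 1-32 bytes, passphrase
// 8-63 bytes for WPA2, and no control characters (< 0x20 or DEL) in either
// field. Shell metacharacters such as $ ' " are allowed on purpose: the init
// script quotes its arguments (wpa_passphrase "$ssid" "$pass"), so only bytes
// that could break the stored file or the wpa_supplicant config are rejected.
func validateWifiInput(ssid, password string) error {
	if n := len(ssid); n < 1 || n > 32 {
		return fmt.Errorf("ssid length %d outside 1..32", n)
	}
	if n := len(password); n < 8 || n > 63 {
		return fmt.Errorf("password length %d outside 8..63", n)
	}
	for _, f := range []struct{ name, val string }{{"ssid", ssid}, {"password", password}} {
		if i := firstControlByte(f.val); i >= 0 {
			return fmt.Errorf("%s contains control character 0x%02x at byte %d", f.name, f.val[i], i)
		}
	}
	return nil
}

// firstControlByte returns the index of the first byte below 0x20 or equal to
// 0x7f (DEL), or -1 when there is none. A newline is the classic case: it would
// corrupt a value stored in the text file that the shell script later reads.
func firstControlByte(s string) int {
	for i := 0; i < len(s); i++ {
		if s[i] < 0x20 || s[i] == 0x7f {
			return i
		}
	}
	return -1
}
```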
Add source IP verification to ConnectWifiNoAuth endpoint. Only requests from the AP subnet (10.0.0.0/8) or loopback are accepted. This prevents the endpoint from being accessible from the main network when the device is dual-homed (ethernet + AP mode). The existing isAPMode() file check is kept as the first guard.
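An added example, not the project's handler, of the source-address guard this commit describes, wrapped around an unauthenticated handler. `fromAPOrLoopback`, `requireAPClient` and the `isAPMode` callback that stands in for the existing file check are this example's own assumptions; the decision is made on the TCP peer address only, never on proxy headers a client could set itself.

```go
package main

import (
	"net"
	"net/http"
)

// apSubnet is the access-point network the commit names; loopback is also allowed.
var apSubnet = mustCIDR("10.0.0.0/8")

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// fromAPOrLoopback reports whether the peer address (http.Request.RemoteAddr)
// lies in the AP subnet or is loopback. IPv4-mapped IPv6 peers such as
// ::ffff:10.0.0.5 are handled because IPNet.Contains normalises them.
func fromAPOrLoopback(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // tolerate a bare address without a port
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false // unparsable peer: fail closed
	}
	return ip.IsLoopback() || apSubnet.Contains(ip)
}

// requireAPClient guards an unauthenticated handler such as ConnectWifiNoAuth.
// isAPMode stands for the existing file-based check, which stays the first guard.
func requireAPClient(isAPMode func() bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isAPMode() || !fromAPOrLoopback(r.RemoteAddr) {
			http.Error(w, "not available from this network", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```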
Set sameSite: 'Strict' on the nano-kvm-token cookie to prevent browsers from sending it on cross-origin requests. This provides an additional layer of CSRF protection alongside the Origin header validation middleware.
This reverts commit 0074bb1.
feat: send hostname in DHCP requests
fix: don't expose eMMC as USB mass storage when no image is mounted
feat: derive USB serial number from SoC hardware UID
fix: preserve user config when validating port settings
fix: harden firmware update integrity checks
fix: validate WebSocket origin and guard against empty messages
fix: add input validation to WiFi configuration endpoints
fix: restrict unauthenticated WiFi endpoint to AP subnet
fix: add SameSite=Strict to JWT cookie
…_state); ensure /tmp/kvm exists; keep security logic intact
Summary
Why
Scope
Tests