Skip to content

fix: ADR-050 security hardening — HMAC, path traversal, OTA auth#172

Merged
ruvnet merged 1 commit intomainfrom
fix/quality-engineering-170
Mar 6, 2026
Merged

fix: ADR-050 security hardening — HMAC, path traversal, OTA auth#172
ruvnet merged 1 commit intomainfrom
fix/quality-engineering-170

Conversation

@ruvnet
Copy link
Copy Markdown
Owner

@ruvnet ruvnet commented Mar 6, 2026

Summary

Sprint 1 security fixes from the quality engineering analysis (issue #170):

  • Replace fake HMAC — XOR-fold in secure_tdm.rs replaced with real HMAC-SHA256 (hmac + sha2 crates)
  • Path traversal protection — DELETE endpoints for models and recordings now sanitize :id parameter
  • Default bind to localhost — Server binds 127.0.0.1 instead of 0.0.0.0 (configurable via --bind-addr / SENSING_BIND_ADDR env)
  • OTA authentication — ESP32 firmware upload now requires Bearer PSK token (loaded from NVS)
  • WASM signature default-on — Signature verification is now opt-out (CONFIG_WASM_SKIP_SIGNATURE) instead of opt-in
  • Security test suite — 6 new tests covering HMAC cryptographic properties and enforcing mode

Files Changed

File Change
secure_tdm.rs Real HMAC-SHA256 + 6 security tests
main.rs (sensing-server) Path sanitization + bind address fix
ota_update.c PSK auth with constant-time comparison
wasm_upload.c Flip signature verification to default-on
Cargo.toml (hardware) Add hmac, sha2 deps
Cargo.toml (workspace) Add clap env feature
ADR-050 New ADR documenting the security response

Addresses

  • Finding 1: Fake HMAC (XOR fold with hardcoded key) — FIXED
  • Finding 3: Path traversal in DELETE endpoints — FIXED
  • Finding 4: Unauthenticated OTA firmware endpoint — FIXED
  • Finding 5: WASM upload without mandatory signatures — FIXED
  • Finding 8: Server binds 0.0.0.0 — FIXED

Test plan

  • cargo check -p wifi-densepose-hardware passes
  • cargo check -p wifi-densepose-sensing-server passes
  • cargo test -p wifi-densepose-hardware — 106/106 tests pass (including 6 new security tests)
  • Manual: verify OTA upload returns 403 without Bearer token
  • Manual: verify ../../../etc/passwd as model ID returns "invalid model id"
  • Manual: verify server binds to 127.0.0.1 by default

🤖 Generated with claude-flow

@ruvnet
fix: security hardening — replace fake HMAC, add path traversal prote…
47223a9 
…ction, OTA auth (ADR-050)

Sprint 1 security fixes from quality engineering analysis (issue #170):

- Replace XOR-fold fake HMAC with real HMAC-SHA256 (hmac + sha2 crates) in secure_tdm.rs
- Add path traversal sanitization on DELETE /api/v1/models/:id and /api/v1/recording/:id
- Default bind address changed from 0.0.0.0 to 127.0.0.1 (configurable via --bind-addr / SENSING_BIND_ADDR)
- Add PSK authentication to ESP32 OTA firmware upload endpoint (ota_update.c)
- Flip WASM signature verification to default-on (CONFIG_WASM_SKIP_SIGNATURE opt-out vs opt-in)
- Add 6 new security tests: HMAC key/message sensitivity, determinism, wrong-key rejection, bit-flip detection, enforcing mode
- Add clap env feature for environment variable configuration

All 106 hardware crate tests pass. Sensing server compiles clean.

Closes #170

Co-Authored-By: claude-flow <ruv@ruv.net>
@ruvnet ruvnet merged commit 45c15b7 into main Mar 6, 2026
0 of 2 checks passed
@ruvnet ruvnet mentioned this pull request Mar 6, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ruvnet