Add OTA metadata validation v2 #4998

willmmiles · 2025-10-11T14:56:29Z

Replaces #4960, fixes #4929.

Expand the OTA subsystem to add a framework for validating binaries before installing. Expands from #4960, squashed to make porting to 0.15 easier.

Key changes:

Adds a new metadata struct placed in a section where it is guaranteed to appear early in the .bin file
When performing an OTA update, validate that the release agrees with the current value (prevents ETH -> non-ETH downgrades, etc.)
Add a tickbox to the update UI to override checking
Print release info on update page.
Convert update page to using JSON API for retrieving metadata
Fix races and cleanup handling of OTA web requests

This implementation validates only release names. Additional validations can be added to shouldAllowOTA() in future PRs.

Summary by CodeRabbit

New Features
- Robust OTA update flow with compatibility checks and clearer success/error responses.
- Option to ignore firmware validation during OTA.
- Update page now auto-fetches and displays device brand, version, and release (shows "Loading..." while fetching).
Improvements
- Prevents forced reconnects while an OTA is active.
- Unified, more reliable OTA upload handling across platforms.
- Build embeds repository/version metadata at build time for OTA validation.
Bug Fixes
- Fixed inconsistent update-page script/version handling.

Implement a comprehensive solution for validating a firmware before an OTA updated is committed. WLED metadata such as version and release is moved to a data structure located at near the start of the firmware binary, where it can be identified and validated. Co-authored-by: netmindz <[email protected]>

Improves cache utilization as fewer things are passed via CFLAGS to all files. In the event that no metadata is available, let the cpp file handle warning about default usage.

coderabbitai · 2025-10-11T14:56:37Z

Walkthrough

Consolidates build-time repo/version scripting into one middleware script, embeds build metadata into binaries, adds metadata extraction/validation, implements a stateful chunked OTA pipeline with server/UI integration, and removes legacy global version/release variables.

Changes

Cohort / File(s)	Summary
Build scripts & config `pio-scripts/set_metadata.py`, `pio-scripts/set_version.py`, `platformio.ini`	Introduces `set_metadata.py` (middleware-style CPPDEFINES injection for repo/version), removes the old `set_version.py`, and updates `platformio.ini` to invoke the new script.
Build metadata core `wled00/wled_metadata.h`, `wled00/wled_metadata.cpp`, `wled00/wled.h`	Adds packed `wled_metadata_t`, `WLED_BUILD_DESCRIPTION` section, compile-time/runtime hash helpers, `findWledMetadata` and `shouldAllowOTA`, exposes repo/product/brand strings, and removes legacy global version/release/repo variables.
OTA implementation & integration `wled00/ota_update.h`, `wled00/ota_update.cpp`, `wled00/wled_server.cpp`, `wled00/wled.cpp`	Adds AsyncWebServer-based OTA context and handlers (init, chunk handling, result reporting), performs firmware metadata validation during upload, centralizes OTA logic, and avoids forcing reconnect while an OTA is running.
OTA UI & XML/tooling `wled00/data/update.htm`, `wled00/xml.cpp`, `tools/cdata.js`	`update.htm` now fetches `/json/info`, displays dynamic installed/version/release info and an "Ignore firmware validation" checkbox; removes SUBPAGE_UPDATE XML generation and deletes a PAGE_update mangle transformation in `tools/cdata.js`.
Minor/compatibility fixes `wled00/dmx_input.cpp`, `wled00/e131.cpp`	Renames local DMX version variable to `dmxWledVersionString`; fixes pointer cast for `numberEnd` to support safe strtol usage.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Attention recommended:

wled00/ota_update.cpp — concurrency, memory/watchdog handling, platform Update APIs, and chunked write/finalize logic.
wled00/wled_metadata.cpp / wled00/wled_metadata.h — binary section placement, packed layout, constexpr hash correctness, and cross-platform PROGMEM usage.
wled00/wled_server.cpp — new request-_tempObject flow and altered HTTP error/success responses.
pio-scripts/set_metadata.py — middleware injection correctness across build targets and CPPDEFINES reconstruction.

Possibly related PRs

Revert disable OTA logic & optional Arduino OTA #4748 — Modifies OTA-related code paths and handlers; overlaps with server and OTA flow changes in this PR.
Bugfix for brightness factor upon save: fixes #4824 #4827 — Touches core areas that may overlap with build/runtime symbols affected by this PR.

Suggested reviewers

netmindz
blazoncek

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%.	You can run `@coderabbitai generate docstrings` to improve docstring coverage.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "Add OTA metadata validation v2" directly and accurately reflects the primary objective of the pull request. The changeset implements a comprehensive OTA validation framework with embedded metadata structures, validation logic, and user interface updates to prevent incompatible firmware installation. The title is concise, clear, and specific enough for a reviewer scanning history to understand this is about adding OTA validation capabilities. It correctly captures the main feature without unnecessary elements.
Linked Issues Check	✅ Passed	The code changes comprehensively address all requirements from issue #4929. The implementation validates release names embedded in binaries [wled_metadata.cpp/h: findWledMetadata(), shouldAllowOTA()], bases validation on binary metadata rather than filenames [ota_update.cpp: metadata extraction from firmware], provides build-system integration to embed metadata [pio-scripts/set_metadata.py, platformio.ini], adds a user-override checkbox [update.htm], and displays release information via JSON API [xml.cpp removal, tools/cdata.js modification, update.htm]. The OTA handler [wled_server.cpp] correctly delegates to the validation framework, and ota_update.cpp explicitly supports skipping validation via parameter, satisfying the "ignoreRelease" checkbox requirement.
Out of Scope Changes Check	✅ Passed	All changes are directly aligned with the stated PR objectives and issue #4929 requirements. Modifications to dmx_input.cpp and e131.cpp (renaming versionString) are necessary refactoring caused by moving version strings from global scope to the wled_metadata module. Changes to tools/cdata.js, xml.cpp, and update.htm are integral to replacing the old script-injection approach with the new JSON API-based metadata display. The forceReconnect guard in wled.cpp prevents OTA interruption during low-heap conditions, supporting the stated goal of fixing OTA web request handling. No unrelated formatting, style, or tangential bug fixes were detected.

✨ Finishing touches

📝 Generate docstrings

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a04d702 and b268aea.

📒 Files selected for processing (1)

pio-scripts/set_metadata.py (3 hunks)

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: willmmiles
PR: wled/WLED#4998
File: wled00/ota_update.cpp:120-124
Timestamp: 2025-10-11T17:56:24.923Z
Learning: In the WLED OTA update implementation (wled00/ota_update.cpp), the parameter name for bypassing OTA validation is "skipValidation", not "ignoreRelease". The intent evolved from the original spec in issue #4929 to disable all validation checks, not just release name checks, which is why the broader parameter name "skipValidation" is used.

🧬 Code graph analysis (1)

pio-scripts/set_metadata.py (1)

tools/cdata.js (1)

version (94-94)

🪛 Ruff (0.14.1)

pio-scripts/set_metadata.py

67-67: Consider moving this statement to an else block

(TRY300)

75-75: Do not catch blind exception: Exception

(BLE001)

118-118: Undefined name env

(F821)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)

GitHub Check: wled_build / Build Environments (esp32_wrover)
GitHub Check: wled_build / Build Environments (usermods)
GitHub Check: wled_build / Build Environments (lolin_s2_mini)
GitHub Check: wled_build / Build Environments (esp32s3_4M_qspi)
GitHub Check: wled_build / Build Environments (esp32s3dev_16MB_opi)
GitHub Check: wled_build / Build Environments (esp32c3dev)
GitHub Check: wled_build / Build Environments (esp32_eth)
GitHub Check: wled_build / Build Environments (esp32s3dev_8MB_opi)
GitHub Check: wled_build / Build Environments (esp01_1m_full_160)
GitHub Check: wled_build / Build Environments (esp32dev)

🔇 Additional comments (6)

pio-scripts/set_metadata.py (6)

1-4: LGTM: JSON import added correctly.

The json import is properly added to support reading version data from package.json.

79-80: LGTM: Package file constant defined clearly.

The PACKAGE_FILE constant is properly defined for use in version retrieval.

81-86: LGTM: Exception handling correctly implemented.

The function now properly handles exceptions and returns None on error, as addressed in previous review feedback.

89-96: LGTM: Loop logic correctly implemented.

The condition if f == name: is now properly indented inside the loop, as addressed in previous review feedback.

118-121: LGTM: Build middleware correctly registered.

The middleware is properly wired to target wled_metadata.cpp for metadata injection. The static analysis warning about env being undefined (F821) is a false positive—env is injected by PlatformIO's Import('env') mechanism on line 1.

107-110: ****

The original concern is based on a misunderstanding of how WLED_VERSION is used in the codebase. The macro is intentionally defined as an unquoted token (dev in the fallback), and it's converted to a string using TOSTRING(WLED_VERSION) at line 59 of wled_metadata.cpp. This is a standard C pattern for compile-time stringification—the token form is correct.

The comparison with WLED_REPO is invalid because they serve different purposes:

WLED_REPO is used directly as a string literal → requires quotes

WLED_VERSION is stringified at compile time via TOSTRING() → must remain an unquoted token

No code changes are required.

Likely an incorrect or invalid review comment.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 7

🧹 Nitpick comments (12)

wled00/data/update.htm (2)
27-28: Address TODO comments before merging.

The TODO comments suggest incomplete functionality:

"assemble update URL"

"can this be done at build time?"

Please resolve these items or create tracking issues for them.

Do you want me to open a new issue to track these tasks, or would you like suggestions on how to implement them?

25-26: Consider defensive checks for API response properties.

While the error handling catches network failures, missing or malformed properties in the JSON response (e.g., data.brand, data.ver, data.release) would display "undefined" in the UI.

Apply this diff to add defensive fallbacks:
-.then(data => {
-	document.querySelector('.installed-version').textContent = `${data.brand} ${data.ver} (${data.vid})`;
-	document.querySelector('.release-name').textContent = data.release;
+.then(data => {
+	const brand = data.brand || 'Unknown';
+	const ver = data.ver || 'Unknown';
+	const vid = data.vid || 'Unknown';
+	const release = data.release || 'Unknown';
+	document.querySelector('.installed-version').textContent = `${brand} ${ver} (${vid})`;
+	document.querySelector('.release-name').textContent = release;
pio-scripts/set_metadata.py (1)
69-77: Consider more specific exception handling.

The bare except Exception: clause at line 75 catches all exceptions, which can mask unexpected errors and make debugging difficult.

Consider catching specific exceptions or at least logging the error:
     except subprocess.CalledProcessError:
         # Git command failed (e.g., not a git repo, no remote, etc.)
         return None
-    except Exception:
+    except Exception as e:
         # Any other unexpected error
+        # Optionally log: print(f"Unexpected error in get_github_repo: {e}")
         return None
wled00/ota_update.h (1)

42-51: Correct the handleOTAData docs

Comment claims the function returns a bool/string pair, but the signature is void. Update the docblock to match the actual return type.
wled00/ota_update.cpp (5)
194-234: Make metadata windowing robust and bounded (avoid false negatives and dynamic growth)

Always accumulate a bounded window from start until METADATA_OFFSET+METADATA_SEARCH_RANGE before validating; then search that buffer once. This prevents edge cases where the first “crossing” chunk is large and doesn’t include bytes just before METADATA_OFFSET, and avoids repeated vector reallocs.

Example adjustment within this block:

Before validation: append incoming data while index+len <= METADATA_OFFSET+METADATA_SEARCH_RANGE (cap buffer to that size).

When buffer.size() >= METADATA_OFFSET+METADATA_SEARCH_RANGE, validate once using the buffer, then clear it.
This keeps memory bounded and improves reliability without increasing complexity.

236-243: Abort update immediately when validation never completes

Call abort to free resources ASAP when final chunk arrives without passing validation.

Apply this diff:
   if (isFinal && !context->releaseCheckPassed) {
     DEBUG_PRINTLN(F("OTA failed: Validation never completed"));
     // Don't write the last chunk to the updater: this will trip an error later
     context->errorMessage = F("Release check data never arrived?");
+    #if defined(ESP32)
+    Update.abort();
+    #endif
     return;
   }
145-146: Narrow the lambda capture

Use [request] instead of [=] to avoid capturing unrelated locals and reduce risk.

Apply this diff:
-    request->onDisconnect([=]() { endOTA(request); });  // ensures we restart on failure
+    request->onDisconnect([request]() { endOTA(request); });  // ensures we restart on failure
158-163: Docstring out of date with return type/semantics

Comment says “Returns pointer to error message…”, but function returns pair<bool, String>. Update for clarity.

Apply this diff:
-// Returns pointer to error message, or nullptr if OTA was successful.
+// Returns {done, message}. done=true when an HTTP response can be produced.
+// message is empty on success.
221-225: Error text should match UI wording

UI says “Ignore release name check”; message says “Ignore firmware validation”. Align for consistency.

Apply this diff:
-        context->errorMessage += F(" Enable 'Ignore firmware validation' to proceed anyway.");
+        context->errorMessage += F(" Enable 'Ignore release name check' to proceed anyway.");
wled00/wled_metadata.cpp (3)
21-24: Compile‑time length check can misbehave if RELEASE_NAME isn’t a literal

sizeof(WLED_RELEASE_NAME) only works for string literals. If it’s passed from build flags/macros that resolve to a non-literal, this may break. Consider a runtime assert/log or a static_assert on array length via a helper when literal is guaranteed.

64-72: Provide safe defaults for product/brand if integrator doesn’t define them

Prevent build breaks when WLED_PRODUCT_NAME/WLED_BRAND aren’t set.

Apply this diff:
+#ifndef WLED_PRODUCT_NAME
+#define WLED_PRODUCT_NAME "WLED"
+#endif
+#ifndef WLED_BRAND
+#define WLED_BRAND "WLED"
+#endif
120-128: Update the function doc to match the signature

The comment mentions binaryData/dataSize, but the function takes a descriptor. Fix the doc to avoid confusion.

Apply this diff:
- * @param binaryData Pointer to binary file data (not modified)
- * @param dataSize Size of binary data in bytes
- * @param errorMessage Buffer to store error message if validation fails 
+ * @param firmwareDescription Extracted firmware metadata to validate
+ * @param errorMessage Buffer to store error message if validation fails 

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7f1f986 and 5ca10f3.

📒 Files selected for processing (15)

pio-scripts/set_metadata.py (3 hunks)
pio-scripts/set_version.py (0 hunks)
platformio.ini (1 hunks)
tools/cdata.js (0 hunks)
wled00/data/update.htm (2 hunks)
wled00/dmx_input.cpp (1 hunks)
wled00/e131.cpp (1 hunks)
wled00/ota_update.cpp (1 hunks)
wled00/ota_update.h (1 hunks)
wled00/wled.cpp (2 hunks)
wled00/wled.h (1 hunks)
wled00/wled_metadata.cpp (1 hunks)
wled00/wled_metadata.h (1 hunks)
wled00/wled_server.cpp (2 hunks)
wled00/xml.cpp (0 hunks)

💤 Files with no reviewable changes (3)

pio-scripts/set_version.py
wled00/xml.cpp
tools/cdata.js

🧰 Additional context used

📓 Path-based instructions (5)

wled00/**/*.cpp