NuttX is not affected by GHSA-93v7-287q-qx4g: it has a flat VFS, the
FAT driver used for /fs/microsd does not support symlinks, and
CONFIG_PSEUDOFS_SOFTLINKS is off by default. Running realpath() and
parent canonicalization there is dead weight that costs flash for no
security benefit.
Move the canonicalize_path helper, the in-root check, the new
includes, and O_NOFOLLOW behind #ifndef __PX4_NUTTX so the NuttX
build is functionally identical to main, except that _workOpen and
_workWrite now also call _validatePathIsWritable for write paths
(matching the pattern already used by the other writable opcodes).
On POSIX/SITL the symlink-resolution hardening is unchanged.
Drop the now-unused _validatePathIsInRoot declaration from the
header.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
The previous commits in this branch blocked all writes under
PX4_STORAGEDIR/etc/ as a defence against attacker-controlled boot
hook files (rc.txt, config.txt, extras.txt). That subtree is the
documented user customization point for PX4 startup, and QGC's
MAVFTP file manager is the supported way to upload it. Blocking
writes there breaks a legitimate workflow on top of an already
unauthenticated channel where the real mitigation is MAVLink
signing.
Drop the boot-hook deny block. The symlink/canonicalization
hardening (_validatePathIsInRoot, O_NOFOLLOW, parent-resolved
realpath fallback) for GHSA-93v7-287q-qx4g stays.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Address review feedback on the FTP path validation hardening:
- Extract canonicalization into a static helper canonicalize_path() that
resolves either the full path or the parent directory plus the
reattached leaf, and reuse it from both the in-root check and the
boot-hook deny check. The previous deny check matched the raw input
string against the literal "PX4_STORAGEDIR/etc/" prefix, which could
be bypassed by paths such as "./etc/x" or "//etc/x" when the leaf did
not yet exist. The new check always compares the canonical absolute
path against the canonical "PX4_STORAGEDIR/etc/" prefix.
- Update the canonicalize_path() doc comment to state that the result
is always an absolute path produced by realpath(), so future
maintainers do not have to re-derive that property.
- Add the missing blank line between the realpath success branch and
the NuttX fallback so the file matches the project astyle rules.
Refs: GHSA-c6f8-f7w2-785x, GHSA-93v7-287q-qx4g
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Tighten path validation in MavlinkFTP so that FTP write operations
consistently reject unsafe targets and resolve symlinks before checking
the result against the FTP root.
Add a new helper _validatePathIsInRoot() that canonicalizes the
requested path with realpath() and verifies the result is contained
inside PX4_STORAGEDIR. For paths that do not yet exist (CreateFile,
CreateDirectory) the parent directory is canonicalized and the leaf
name reattached so the check still produces a meaningful result. NuttX
falls back to the previous string-based prefix and traversal check
because realpath() is not available there.
Rewrite _validatePathIsWritable() to call the new in-root check on all
platforms, and to deny writes that target the boot-executed startup
hook subtree (PX4_STORAGEDIR/etc/). Drop the NuttX-only ifdef around
the existing prefix check so the same logic runs on POSIX builds too.
Apply _validatePathIsWritable() in _workOpen() for write mode opens
(O_WRONLY or O_RDWR), and add the missing _validatePath() call to
_workWrite() so the WriteFile opcode now matches the pattern used by
the other write capable opcodes.
Open the leaf file with O_NOFOLLOW where the platform provides it so a
TOCTOU race cannot redirect the leaf through a symlink between
validation and open(2).
Refs: GHSA-c6f8-f7w2-785x, GHSA-93v7-287q-qx4g
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
* Remove unused parameters from function signature and make the parameter accessors consistent
* Update the caller function signature
* Update src/modules/navigator/rtl.cpp
---------
Co-authored-by: Jacob Dahl <37091262+dakejahl@users.noreply.github.com>
Use timestamp_sample instead of time_now_us for the rate limiter check
to sync to the sensor clock rather than the wall clock.
Switch from direct timestamp assignment to epoch-advance
(_last_publication_timestamp += interval_us) with a catch-up guard to
prevent aliasing artifacts when the sensor sample rate is close to the
configured publication rate.
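The aliasing the commit message refers to, and the epoch-advance fix with a catch-up guard, as an added C++ example (not the PX4 sensor code). DirectRateLimiter is the "before" shape (adopt the published sample's timestamp), EpochRateLimiter the "after" shape (advance a fixed grid by interval_us). The half-interval acceptance tolerance, the guard threshold and the constructed sample streams are this example's assumptions, not values taken from PX4.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// "Before": direct assignment. The next slot is measured from whichever sample was
// published, so a sensor running near the publication rate with a little jitter
// has every other sample land just short of the interval and get dropped.
class DirectRateLimiter
{
public:
	explicit DirectRateLimiter(uint64_t interval_us) : _interval_us(interval_us) {}

	bool shouldPublish(uint64_t timestamp_sample)
	{
		if (timestamp_sample < _last_publication_timestamp + _interval_us) {
			return false;
		}

		_last_publication_timestamp = timestamp_sample;
		return true;
	}

private:
	uint64_t _interval_us;
	uint64_t _last_publication_timestamp{0};
};

// "After": epoch-advance. The schedule is a grid stepped by interval_us. A sample is
// accepted once it lies at least half an interval into its slot (tolerance chosen for
// this example), and a catch-up guard resyncs the grid after a gap so a backlog is
// not flushed at the sensor's full rate.
class EpochRateLimiter
{
public:
	explicit EpochRateLimiter(uint64_t interval_us) : _interval_us(interval_us) {}

	bool shouldPublish(uint64_t timestamp_sample)
	{
		const uint64_t next_due = _last_publication_timestamp + _interval_us;

		if (timestamp_sample + _interval_us / 2 < next_due) {
			return false;  // too early for this slot
		}

		_last_publication_timestamp = next_due;  // advance one epoch, not to the sample

		if (timestamp_sample > _last_publication_timestamp + _interval_us / 2) {
			_last_publication_timestamp = timestamp_sample;  // catch-up guard after a gap
		}

		return true;
	}

private:
	uint64_t _interval_us;
	uint64_t _last_publication_timestamp{0};
};

template <typename Limiter>
static size_t count_published(Limiter &limiter, const std::vector<uint64_t> &samples)
{
	size_t n = 0;

	for (uint64_t t : samples) {
		if (limiter.shouldPublish(t)) {
			++n;
		}
	}

	return n;
}

// Constructed input: a 100 Hz sensor whose timestamp_sample alternates 10 us early
// and late, fed to a 100 Hz publication limiter (interval 10000 us).
static std::vector<uint64_t> jittered_100hz_samples(size_t count)
{
	std::vector<uint64_t> samples;

	for (size_t i = 0; i < count; ++i) {
		const int64_t jitter = (i % 2 == 0) ? -10 : 10;
		samples.push_back(static_cast<uint64_t>(1000000 + static_cast<int64_t>(i) * 10000 + jitter));
	}

	return samples;
}

// Constructed input: two nominal samples, a 490 ms gap, then a 200 Hz burst of ten.
static std::vector<uint64_t> gap_then_burst_samples()
{
	std::vector<uint64_t> samples{1000000, 1010000};

	for (size_t k = 0; k < 10; ++k) {
		samples.push_back(1500000 + k * 5000);
	}

	return samples;
}

int main()
{
	DirectRateLimiter direct(10000);
	EpochRateLimiter epoch(10000);
	const std::vector<uint64_t> jitter = jittered_100hz_samples(10);
	printf("direct: %zu/10 published, epoch: %zu/10 published\n",
	       count_published(direct, jitter), count_published(epoch, jitter));
	return 0;
}
```

On the jittered stream the direct limiter publishes 6 of 10 samples (a 50 Hz alias of a 100 Hz sensor); the epoch limiter publishes all 10 because its grid is not dragged around by each sample's jitter. On the gap-then-burst stream the guard resyncs at the first post-gap sample and then passes every other 200 Hz sample, i.e. the configured 100 Hz, rather than the whole burst.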
getPreviousPositionItems() already decrements the start index
internally before searching. The call in on_activation() at line 227
passed _inactivation_index - 1, causing a double-decrement that made
the vehicle resume at waypoint n-2 instead of n-1.
All other call sites (rtl_mission_fast_reverse.cpp:81,
rtl_mission_fast_reverse.cpp:133, mission_base.cpp:1149) pass the
index directly without pre-decrementing.
The bug has been present since commit 007ed11bbe (June 2023).
Closes #26795
Signed-off-by: Pavel Guzenfeld <pavelgu@gmail.com>
The FC-side DroneCAN sensor bridges (accel, gyro, rangefinder) used
hrt_absolute_time() in the receive callback as timestamp_sample,
adding ~3-16ms of systematic CAN transport delay.
For messages with a uavcan.Timestamp field, the cannode can publish
the actual sample time via UAVCAN GlobalTimeSync. The RawIMU publisher
already did this for IMU data; apply the same pattern to the range
sensor publisher, and update all three FC bridges to prefer the
message timestamp with a fallback to hrt_absolute_time() for nodes
that don't set it.
* fix: added comment explaining why dev id address can only be 3 or 4
* fix: change link to point to main px4 repo
* fix: typo
* formatted
* chore: formatting
The packaging script only placed all_events.json.xz in an events/
subdirectory, but the firmware advertises the metadata URI at the
board directory top level. New build targets added after the
Jenkins-to-GHA migration had no legacy top-level copy, causing
QGC to get a 404 when fetching component metadata.
Fixes #26963
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
The asset file was renamed from X25-EVO.jpg to x25_evo.jpg in git but
all four locale files (en, ko, uk, zh) still referenced the old name.
macOS hid this because its filesystem is case-insensitive, but Linux CI
(case-sensitive) intermittently failed to resolve the reference during
Rollup bundling.
Fixes #26958
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
When EKF2_HGT_REF=2 (range sensor) with no GPS, optical flow could
never start. The starting condition required isTerrainEstimateValid()
or isHorizontalAidingActive(), but terrain is never "estimated" when
range is the height reference (ground is the datum, terrain state is
fixed at 0), and there's no horizontal aiding without GPS.
HAGL is directly known from the range measurement in this case, so
optical flow has everything it needs to fuse. Add the range height
reference check to the optical flow starting conditions.
Fixes: https://github.com/PX4/PX4-Autopilot/issues/25248
Add :latest tag alongside version tags for per-arch images and
multi-arch manifests on both Docker Hub and GHCR.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Add cmake/cpack infrastructure for building .deb packages from
px4_sitl_sih and px4_sitl_default targets. Includes install rules,
package scripts, Gazebo wrapper, and CI workflow.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Set BOARD_FLASH_SECTORS to 13 so the bootloader does not erase the
parameter sectors (14 and 15) during firmware updates. Previously set
to 14 which allowed the bootloader to erase sector 14, potentially
wiping stored parameters.
Three issues caused the monthly audit to report already-resolved submodules:
1. The audit workflow grepped for "NOASSERTION" anywhere in the output,
matching the Detected column even when the Final column had a valid
override (e.g. libtomcrypt detected as NOASSERTION but overridden to
Unlicense). Changed to grep for "<-- UNRESOLVED" marker instead.
2. Submodules with an explicit NOASSERTION override in license-overrides.yaml
(like libfc-sensor-api, which is proprietary) were still counted as
failures. Now treated as "acknowledged" since someone intentionally
added the override entry.
3. Added missing BSD-3-Clause override for sitl_gazebo-classic (PX4 org
project with no LICENSE file in repo).
Fixes #26932
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Add MAVLink stream that maps EstimatorFusionControl uORB message to
ESTIMATOR_SENSOR_FUSION_STATUS, exposing per-sensor intended/active
bitmasks to the GCS.
Split FusionSensor into available (CTRL param != disabled) and enabled
(runtime-toggleable). intended() = enabled && available. EKF core aid
sources now set available themselves and use intended() or _params
directly for CTRL-level checks. Remove drag/imu from FusionControl,
add aspd/rngbcn. Add AGP sourceFusingBitmask() for active-status.