docs/securecode.instructions.md
Use this guide for AI-assisted code reviews in:
wled00/
usermods/
.github/workflows/
Untrusted data enters WLED only at the following explicit ingress points:
/json/*, /win)
parsePacket() / recvfrom() and higher-level protocol wrappers)
Validation and range-clamping applied at the ingress point renders data trusted for all subsequent use within the WLED core.
Do not flag:
If it is unclear whether a value has been sanitized upstream (e.g., passed through multiple function calls without a clear annotation), prefer asking for clarification over raising a false-positive finding.
Files read from LittleFS (presets.json, cfg.json, ledmap.json, ir.json, etc.) are written only via privileged access (/edit) and are considered trusted in the threat model.
However, parse them defensively (validate structure, clamp array sizes, handle missing keys gracefully) to avoid bootloops from filesystem corruption or accidental malformation.
Prioritize:
wled00/data/*
wsec.json) and secure logging
De-prioritize unless explicitly introduced by a PR:
strcpy, sprintf, unchecked memory access (memcpy, memmove, memcmp, strcmp, strlen), unchecked pointer arithmetic.
strnlen, strncmp, strncpy, strlcpy, snprintf).
DEBUG_PRINTF* or similar APIs.
count * size, index math, narrowing casts before allocations or copies.
parsePacket(), read(), and any lower-level socket wrappers), validate packetSize before buffer writes and clamp protocol-specific universe/channel ranges to valid limits.
/reset as state-changing. This endpoint triggers a reboot, causing a short interruption without loss of user data.
DeserializationError error = deserializeJson(...); if (error) return/reject;) and avoid silently applying unsafe zero/default values to safety-relevant fields (for example LED count and pin assignment).
String in performance-critical paths
String growth; reserve or use fixed buffers.
String concatenation inside loop-heavy or ISR-adjacent code.
WLED_ENABLE_*/WLED_DISABLE_* names are valid known flags; typos silently alter build behavior.
Update.begin(), Update.write(), and related flows), flag flashing without integrity verification.
xTaskCreate/xTaskCreatePinnedToCore tasks that process String/JSON-heavy data, verify stack-size sufficiency and avoid unbounded recursion.
MDNS.begin(), MDNS.addService(), and ArduinoOTA.setHostname(), ensure user-provided hostnames are RFC-compliant (letters/digits/hyphen, no leading/trailing hyphen) and clamped to 63 characters.
HTTPClient.begin()/equivalent, validate scheme/format and constrain host targets (allowlist or equivalent policy).
wled00/data/*, OWASP A01/A02/A05)
innerHTML
textContent; if HTML is required, sanitize trusted content path explicitly.
eval, new Function, and string-based timer execution.
postMessage without origin validation
/json/state, /win), prefer Origin/Referer header validation as low-cost defense-in-depth for deployments that are not directly internet-exposed.
permissions, unpinned third-party actions, or unsafe secret exposure.
@main, @master, broad tags) where SHA pinning is expected by project policy.
write-all without clear need.
${{ github.event.* }} values in run commands.
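
An added example (not WLED's own code) of the hostname rule above for values passed to MDNS.begin(), MDNS.addService() and ArduinoOTA.setHostname(): a fixed-buffer sanitizer that keeps letters, digits and hyphens, removes leading and trailing hyphens, and clamps to 63 characters. The name sanitizeHostname and the choice to turn any other byte into a single hyphen are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

// Longest DNS label allowed; the 63-character clamp from the guide.
static const size_t MAX_LABEL_LEN = 63;

// Hypothetical helper (not a WLED function). Writes a sanitized hostname into
// out (capacity outSize, NUL included) and returns its length. A return of 0
// means nothing usable remained; the caller should then use a default name.
size_t sanitizeHostname(const char *in, char *out, size_t outSize) {
  if (out == nullptr || outSize == 0) return 0;
  out[0] = '\0';
  if (in == nullptr) return 0;

  // Clamp to the smaller of the label limit and the caller's buffer.
  size_t limit = (outSize - 1 < MAX_LABEL_LEN) ? outSize - 1 : MAX_LABEL_LEN;
  size_t n = 0;
  for (const char *p = in; *p != '\0' && n < limit; ++p) {
    char c = *p;
    // Explicit ASCII ranges: locale-dependent isalnum() may accept more.
    bool alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9');
    if (alnum) {
      out[n++] = c;
    } else if (c == '-') {
      if (n > 0) out[n++] = '-';            // keep hyphens, but never leading
    } else if (n > 0 && out[n - 1] != '-') {
      out[n++] = '-';                       // assumption: other bytes become one hyphen
    }
  }
  // Strip trailing hyphens, including one left at the cut-off by the clamp.
  while (n > 0 && out[n - 1] == '-') --n;
  out[n] = '\0';
  return n;
}

int main() {
  char host[MAX_LABEL_LEN + 1];
  // Constructed sample input standing in for a user-supplied device name.
  size_t len = sanitizeHostname("WLED-Living Room!", host, sizeof host);
  printf("%s (%u)\n", host, (unsigned)len);
  return 0;
}
```

In review, the point to check is that the sanitized buffer, not the raw user string, is what reaches the mDNS and OTA calls, and that an empty result is replaced by a default name.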