fix: Also set inValidNode when CSP starts with comment (#27376)

TsekNet · web-flow · commit e187b02c62bf · 2025-03-21T07:34:12.000-05:00
Addresses #26443 (comment) after #27176 was merged. # Checklist for submitter If some of the following don't apply, delete the relevant line.  - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - I did this in #27176, same change message. - [x] Added/updated automated tests - [x] Manual QA for all new/changed functionality
diff --git a/server/fleet/windows_mdm.go b/server/fleet/windows_mdm.go
@@ -79,6 +79,7 @@ func (m *MDMWindowsConfigProfile) ValidateUserProvided() error {
 	// structure (Target>Item>LocURI) so we don't need to track all the tags.
 	var inValidNode bool
 	var inLocURI bool
+	var inComment bool
 
 	for {
 		tok, err := dec.Token()
@@ -97,9 +98,19 @@ func (m *MDMWindowsConfigProfile) ValidateUserProvided() error {
 			return errors.New("The file should include valid XML: processing instructions are not allowed.")
 
 		case xml.Comment:
+			inComment = true
 			continue
 
 		case xml.StartElement:
+			// Top-level comments should be followed by <Replace> or <Add> elements
+			if inComment {
+				if !inValidNode && t.Name.Local != "Replace" && t.Name.Local != "Add" {
+					return errors.New("Windows configuration profiles can only have <Replace> or <Add> top level elements after comments")
+				}
+				inValidNode = true
+				inComment = false
+			}
+
 			switch t.Name.Local {
 			case "Replace", "Add":
 				inValidNode = true
diff --git a/server/fleet/windows_mdm_test.go b/server/fleet/windows_mdm_test.go
@@ -422,6 +422,23 @@ func TestValidateUserProvided(t *testing.T) {
 			},
 			wantErr: "",
 		},
+		{
+			name: "XML with top level comment followed by invalid element",
+			profile: MDMWindowsConfigProfile{
+				SyncML: []byte(`
+				  <!-- this is a comment -->
+				  <!-- this is another comment -->
+				  <LocURI>Custom/URI</LocURI>
+				  <Replace>
+				  <!-- this is a comment inside replace -->
+				    <Target>
+				      <LocURI>Custom/URI</LocURI>
+				    </Target>
+				  </Replace>
+				`),
+			},
+			wantErr: "Windows configuration profiles can only have <Replace> or <Add> top level elements after comments",
+		},
 		{
 			name: "XML with nested root element in data",
 			profile: MDMWindowsConfigProfile{
