fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Invalid MDM enrollment profile generated when org name contains an & character #19808

Open ddribeiro opened 4 weeks ago

ddribeiro commented 4 weeks ago

Fleet version: 4.51.1


💥  Actual behavior

When an organization has an & (or <) character in its organization name, the MDM enrollment profile Fleet generates is invalid because the organization name is passed directly into the values for <key>PayloadOrganization</key> and <key>PayloadDisplayName</key> without escaping those characters. This produces invalid XML. See Section 2.4 of the W3C XML Recommendation.

🧑‍💻  Steps to reproduce

  1. In Fleet, change the organization name to something that includes an & character, like Fleet & Test.

     [Screenshot: "Screenshot 2024-06-17 at 2 45 15 PM"]

  2. Obtain the manual enrollment profile via the GET /api/v1/fleet/enrollment_profiles/manual endpoint.

  3. You can attempt to install the profile and see that it fails with an error. I opened mine up in a text editor (I used CodeRunner) that can lint XML files. I got errors in the lines that contained the organization name with an & character.

     [Screenshot: "Screenshot 2024-06-17 at 4 01 36 PM"]

🕯️ More info (optional)

Please note that I did not go through these steps to reproduce the issue in dogfood as I did not want to change the organization name and create a bug that might result in devices not being able to enroll in MDM.

lucasmrod commented 3 weeks ago

I was able to reproduce on latest main.

RachelElysia commented 6 days ago

Potential fix: Create the XML file with an XML writing library that automatically handles the escaping of special characters, including ampersands.
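The following Go program is an added illustration of the defect in the issue body and of the escaping fix proposed above; it is not Fleet's own profile-generation code. The plist template, the `Build*` function names and the sample organization name are all constructed for this example. It builds the same minimal mobileconfig twice, once with the organization name interpolated verbatim and once with it passed through the standard library's `xml.EscapeText`, then checks each result with `encoding/xml` the way a strict parser (or a device's profile installer) would, and reads the escaped value back to show it round-trips.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// profileTemplate is a constructed, minimal stand-in for a mobileconfig plist.
// The two %s placeholders are where the organization name is interpolated.
const profileTemplate = `<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadDisplayName</key>
	<string>%s</string>
	<key>PayloadOrganization</key>
	<string>%s</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
`

// BuildProfileUnescaped reproduces the reported defect: the organization
// name is substituted verbatim, so an "&" or "<" in it breaks the XML.
func BuildProfileUnescaped(orgName string) string {
	return fmt.Sprintf(profileTemplate, orgName, orgName)
}

// escapeXMLText encodes a string as XML character data with the standard
// library, so "&" becomes "&amp;" and "<" becomes "&lt;".
func escapeXMLText(s string) string {
	var buf bytes.Buffer
	// EscapeText only fails on writer errors, and bytes.Buffer never fails.
	_ = xml.EscapeText(&buf, []byte(s))
	return buf.String()
}

// BuildProfileEscaped is the corrected variant: every user-controlled value
// is escaped before it is placed into the template.
func BuildProfileEscaped(orgName string) string {
	safe := escapeXMLText(orgName)
	return fmt.Sprintf(profileTemplate, safe, safe)
}

// IsWellFormedXML tokenizes the whole document with a strict decoder and
// reports whether it was accepted; a bare "&" or "<" yields a syntax error.
func IsWellFormedXML(doc string) bool {
	dec := xml.NewDecoder(strings.NewReader(doc))
	for {
		_, err := dec.Token()
		if err == io.EOF {
			return true
		}
		if err != nil {
			return false
		}
	}
}

// PayloadOrganization returns the <string> value that follows
// <key>PayloadOrganization</key>, after the parser has unescaped it.
func PayloadOrganization(doc string) (string, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	wantValue := false
	for {
		tok, err := dec.Token()
		if err != nil {
			return "", err // io.EOF here means the key was never found
		}
		se, ok := tok.(xml.StartElement)
		if !ok || (se.Name.Local != "key" && se.Name.Local != "string") {
			continue // only leaf <key>/<string> elements are decoded
		}
		var text string
		if err := dec.DecodeElement(&text, &se); err != nil {
			return "", err
		}
		if se.Name.Local == "key" {
			wantValue = text == "PayloadOrganization"
			continue
		}
		if wantValue {
			return text, nil
		}
	}
}

func main() {
	name := "Fleet & Test <Lab>" // constructed sample organization name
	fmt.Println("unescaped well-formed:", IsWellFormedXML(BuildProfileUnescaped(name)))
	fmt.Println("escaped well-formed:  ", IsWellFormedXML(BuildProfileEscaped(name)))
	org, _ := PayloadOrganization(BuildProfileEscaped(name))
	fmt.Println("round-tripped org:    ", org)
}
```

Escaping at the point where the value enters the XML, rather than filtering the organization name on input, is the durable fix: it keeps the display name exactly as the admin typed it while guaranteeing the generated document is well-formed for every value. The same applies to any other admin-controlled string that lands in a profile.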