fleet/server/service/scripts_encoding.go

package service

import (
	"encoding/base64"
	"net/http"
)

// ScriptsEncodedHeader is the HTTP header used to signal that script fields
// in the request body are base64-encoded. This is used to bypass WAF rules
// that may block requests containing shell/PowerShell script patterns.
const ScriptsEncodedHeader = "X-Fleet-Scripts-Encoded"

// decodeBase64Script decodes a base64-encoded script string.
// Returns empty string for empty input, which allows callers to pass through
// empty/unset script fields without modification.
func decodeBase64Script(encoded string) (string, error) {
	if encoded == "" {
		return "", nil
	}
	decoded, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	return string(decoded), nil
}

// isScriptsEncoded checks if the request has the scripts encoding header
// set to "base64", indicating that script fields should be decoded.
func isScriptsEncoded(r *http.Request) bool {
	return r.Header.Get(ScriptsEncodedHeader) == "base64"
}
Fix FMAs on Render (#37557) Fixes #33732 Base64-encodes the `install_script` and `uninstall_script` payloads for add and edit software to prevent being blocked by WAF rules and allow FMAs for Windows to be added/edited in Fleet instances running on Render. ![fix-33732-fma-on-render](https://github.com/user-attachments/assets/8293fa30-0739-4769-bd21-09733a23dadc) 2025-12-23 18:01:32 +00:00			`package service`

			`import (`
			`"encoding/base64"`
			`"net/http"`
			`)`

			`// ScriptsEncodedHeader is the HTTP header used to signal that script fields`
			`// in the request body are base64-encoded. This is used to bypass WAF rules`
			`// that may block requests containing shell/PowerShell script patterns.`
			`const ScriptsEncodedHeader = "X-Fleet-Scripts-Encoded"`

			`// decodeBase64Script decodes a base64-encoded script string.`
			`// Returns empty string for empty input, which allows callers to pass through`
			`// empty/unset script fields without modification.`
			`func decodeBase64Script(encoded string) (string, error) {`
			`if encoded == "" {`
			`return "", nil`
			`}`
			`decoded, err := base64.StdEncoding.DecodeString(encoded)`
			`if err != nil {`
			`return "", err`
			`}`
			`return string(decoded), nil`
			`}`

			`// isScriptsEncoded checks if the request has the scripts encoding header`
			`// set to "base64", indicating that script fields should be decoded.`
			`func isScriptsEncoded(r *http.Request) bool {`
			`return r.Header.Get(ScriptsEncodedHeader) == "base64"`
			`}`