From 0dd620e61bd669e4612ea2eba8e7846296aa11d8 Mon Sep 17 00:00:00 2001
From: Victor Lyuboslavsky
Date: Fri, 21 Jun 2024 08:43:08 -0500
Subject: [PATCH] Added character validation to /api/fleet/orbit/device_token endpoint (#19919)
https://github.com/fleetdm/confidential/issues/6978
Added character validation to /api/fleet/orbit/device_token endpoint
# Checklist for submitter
- [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.
- [x] Added/updated tests
- [x] Manual QA for all new/changed functionality
---
 changes/6978-device-token-validation | 1 +
 server/service/integration_core_test.go | 7 +++++++
 server/service/orbit.go | 5 +++++
 3 files changed, 13 insertions(+)
 create mode 100644 changes/6978-device-token-validation

diff --git a/changes/6978-device-token-validation b/changes/6978-device-token-validation
new file mode 100644
index 0000000000..aa6fa57336
--- /dev/null
+++ b/changes/6978-device-token-validation
@@ -0,0 +1 @@
+Added character validation to /api/fleet/orbit/device_token endpoint
diff --git a/server/service/integration_core_test.go b/server/service/integration_core_test.go
index 99bdca4188..e7b4d265eb 100644
--- a/server/service/integration_core_test.go
+++ b/server/service/integration_core_test.go
@@ -11187,6 +11187,13 @@ func (s *integrationTestSuite) TestHostDeviceToken() {
 }
 s.DoJSON("POST", "/api/fleet/orbit/device_token", body, http.StatusBadRequest, &response{})
+ // Use illegal characters
+ body = setOrUpdateDeviceTokenRequest{
+ OrbitNodeKey: *orbitHost.OrbitNodeKey,
+ DeviceAuthToken: "../.",
+ }
+ s.DoJSON("POST", "/api/fleet/orbit/device_token", body, http.StatusBadRequest, &response{})
+
 // Write bad node key
 body = setOrUpdateDeviceTokenRequest{
 OrbitNodeKey: "",
diff --git a/server/service/orbit.go b/server/service/orbit.go
index 50bf1d8d28..5bd37a8752 100644
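Review bot: The new negative case at `DeviceAuthToken: "../."` exercises only the `/`, which is the single character in that string that url.QueryEscape rewrites, so the test neither pins the rest of the rejected set nor confirms that the accepted set is unchanged by the new check. Adding one more rejected token carrying a space or a percent sign (for example `DeviceAuthToken: "tok en%41",`) and, unless the surrounding test already has one, a token built from every permitted character (`DeviceAuthToken: "aZ09-_.~",`) expecting the success status would lock the validation down. TestHostDeviceToken begins before this hunk and continues past it.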
--- a/server/service/orbit.go
+++ b/server/service/orbit.go
@@ -7,6 +7,7 @@ import (
 "errors"
 "fmt"
 "net/http"
+ "net/url"
 "github.com/fleetdm/fleet/v4/server"
 "github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
@@ -490,6 +491,10 @@ func (svc *Service) SetOrUpdateDeviceAuthToken(ctx context.Context, deviceAuthTo
 return badRequest("device auth token cannot be empty")
 }
+ if url.QueryEscape(deviceAuthToken) != deviceAuthToken {
+ return badRequest("device auth token contains invalid characters")
+ }
+
 host, ok := hostctx.FromContext(ctx)
 if !ok {
 return newOsqueryError("internal error: missing host from request context")
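Review bot: The url.QueryEscape round-trip on the added `if` accepts exactly the URL-unreserved characters (letters, digits, `-`, `_`, `.`, `~`), so a token consisting only of dots such as `.` or `..` still passes; those two are path-significant if the token is later embedded in a URL path segment, which the choice of a URL-escaping check suggests but this hunk does not show, and the accompanying test rejects `../.` only because of the `/`. If dot-only tokens are not meant to be valid, `if deviceAuthToken == "." || deviceAuthToken == ".." { return badRequest("device auth token contains invalid characters") }` placed next to the new check closes that gap without a new import. The allowlist is also invisible from the call itself, so a comment above it such as `// Allow only URL-unreserved characters (letters, digits, '-', '_', '.', '~'); anything QueryEscape would rewrite is rejected.` would help the next reader. SetOrUpdateDeviceAuthToken continues outside the hunk; the import hunk above only adds `net/url` and needs nothing further.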