Fixing Fleet variable validation in <data> (#27604)

For #27603 Only fixing the UI issue. GitOps also has this issue, but GitOps does not validate Fleet variables locally, so not an easy fix. # Checklist for submitter - [x] Manual QA for all new/changed functionality - [x] For unreleased bug fixes in a release candidate, confirmed that the fix is not expected to adversely impact load test results or alerted the release DRI if additional load testing is needed.
2026-05-23 17:08:53 +00:00 · 2025-03-27 17:27:58 -05:00 · 2025-03-27 17:27:58 -05:00 · 54e18d87bd
commit 54e18d87bd
parent db485718e9
1 changed files with 11 additions and 8 deletions
--- a/server/service/apple_mdm.go
+++ b/server/service/apple_mdm.go
@ -397,6 +397,17 @@ func (svc *Service) NewMDMAppleConfigProfile(ctx context.Context, teamID uint, r
 		return nil, ctxerr.Wrap(ctx, fleet.NewInvalidArgumentError("profile", err.Error()))
 	}

+	// We validate Fleet variables before we unmarshal the profile because bad variables can break unmarshal.
+	// For example: <data>$FLEET_VAR_BOZO</data>
+	appConfig, err := svc.ds.AppConfig(ctx)
+	if err != nil {
+		return nil, ctxerr.Wrap(ctx, err)
+	}
+	err = validateConfigProfileFleetVariables(appConfig, expanded)
+	if err != nil {
+		return nil, ctxerr.Wrap(ctx, err, "validating fleet variables")
+	}
+
 	cp, err := fleet.NewMDMAppleConfigProfile([]byte(expanded), &teamID)
 	if err != nil {
 		return nil, ctxerr.Wrap(ctx, &fleet.BadRequestError{
@ -410,14 +421,6 @@ func (svc *Service) NewMDMAppleConfigProfile(ctx context.Context, teamID uint, r
 		}
 		return nil, ctxerr.Wrap(ctx, &fleet.BadRequestError{Message: err.Error()})
 	}
-	appConfig, err := svc.ds.AppConfig(ctx)
-	if err != nil {
-		return nil, ctxerr.Wrap(ctx, err)
-	}
-	err = validateConfigProfileFleetVariables(appConfig, string(cp.Mobileconfig))
-	if err != nil {
-		return nil, ctxerr.Wrap(ctx, err, "validating fleet variables")
-	}

 	// Save the original unexpanded profile
 	cp.Mobileconfig = b