Escape SCEP challenge for MDM enrollment profile XML (#10261)

2026-05-23 08:58:41 +00:00 · 2023-03-03 12:59:21 -06:00 · 2023-03-03 12:59:21 -06:00 · deb5bea3ff
commit deb5bea3ff
parent 2933a7bdaa
2 changed files with 14 additions and 1 deletions
--- a/server/service/apple_mdm.go
+++ b/server/service/apple_mdm.go
@ -5,6 +5,7 @@ import (
 	"context"
 	"encoding/base64"
 	"encoding/json"
+	"encoding/xml"
 	"errors"
 	"fmt"
 	"io"
@ -1124,6 +1125,11 @@ func generateEnrollmentProfileMobileconfig(orgName, fleetURL, scepChallenge, top
 		return nil, fmt.Errorf("resolve Apple MDM url: %w", err)
 	}

+	var escaped strings.Builder
+	if err := xml.EscapeText(&escaped, []byte(scepChallenge)); err != nil {
+		return nil, fmt.Errorf("escape SCEP challenge for XML: %w", err)
+	}
+
 	var buf bytes.Buffer
 	if err := enrollmentProfileMobileconfigTemplate.Execute(&buf, struct {
 		Organization  string
@ -1134,7 +1140,7 @@ func generateEnrollmentProfileMobileconfig(orgName, fleetURL, scepChallenge, top
 	}{
 		Organization:  orgName,
 		SCEPURL:       scepURL,
-		SCEPChallenge: scepChallenge,
+		SCEPChallenge: escaped.String(),
 		Topic:         topic,
 		ServerURL:     serverURL,
 	}); err != nil {
--- a/server/service/apple_mdm_test.go
+++ b/server/service/apple_mdm_test.go
@ -1442,6 +1442,13 @@ func TestAppleMDMFileVaultEscrowFunctions(t *testing.T) {
 	require.ErrorIs(t, fleet.ErrMissingLicense, err)
 }

+func TestGenerateEnrollmentProfileMobileConfig(t *testing.T) {
+	// SCEP challenge should be escaped for XML
+	b, err := generateEnrollmentProfileMobileconfig("foo", "https://example.com", "foo&bar", "topic")
+	require.NoError(t, err)
+	require.Contains(t, string(b), "foo&amp;bar")
+}
+
 func mobileconfigForTest(name, identifier string) []byte {
 	return []byte(fmt.Sprintf(`<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">