From deb5bea3ff9061b9c462a78d2bfb8767ddb3ab67 Mon Sep 17 00:00:00 2001
From: gillespi314 <73313222+gillespi314@users.noreply.github.com>
Date: Fri, 3 Mar 2023 12:59:21 -0600
Subject: [PATCH] Escape SCEP challenge for MDM enrollment profile XML (#10261)
---
 server/service/apple_mdm.go | 8 +++++++-
 server/service/apple_mdm_test.go | 7 +++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/server/service/apple_mdm.go b/server/service/apple_mdm.go
index 0634b80bd9..f1943e8f42 100644
--- a/server/service/apple_mdm.go
+++ b/server/service/apple_mdm.go
@@ -5,6 +5,7 @@ import (
 "context"
 "encoding/base64"
 "encoding/json"
+ "encoding/xml"
 "errors"
 "fmt"
 "io"
@@ -1124,6 +1125,11 @@ func generateEnrollmentProfileMobileconfig(orgName, fleetURL, scepChallenge, top
 return nil, fmt.Errorf("resolve Apple MDM url: %w", err)
 }
+ var escaped strings.Builder
+ if err := xml.EscapeText(&escaped, []byte(scepChallenge)); err != nil {
+ return nil, fmt.Errorf("escape SCEP challenge for XML: %w", err)
+ }
+
 var buf bytes.Buffer
 if err := enrollmentProfileMobileconfigTemplate.Execute(&buf, struct {
 Organization string
@@ -1134,7 +1140,7 @@ func generateEnrollmentProfileMobileconfig(orgName, fleetURL, scepChallenge, top
 }{
 Organization: orgName,
 SCEPURL: scepURL,
- SCEPChallenge: scepChallenge,
+ SCEPChallenge: escaped.String(),
 Topic: topic,
 ServerURL: serverURL,
 }); err != nil {
diff --git a/server/service/apple_mdm_test.go b/server/service/apple_mdm_test.go
index 51eb0094b0..4008fa79bf 100644
--- a/server/service/apple_mdm_test.go
+++ b/server/service/apple_mdm_test.go
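Review bot: Only the SCEP challenge is escaped here, while Organization, SCEPURL, Topic and ServerURL on the same template struct are still passed through raw; an `&` in the org name or a query string in one of the URLs would break the plist in exactly the way an unescaped challenge did, unless those values are escaped elsewhere before reaching this function (generateEnrollmentProfileMobileconfig starts and ends outside the hunk). A small helper applied to every field, or a FuncMap entry on enrollmentProfileMobileconfigTemplate that performs the same `xml.EscapeText`, would close the gap in one place; a sketch of the helper follows. Keep the challenge value out of any error message the helper produces, as the hunk already does, since it is an enrollment secret. Separately, the test hunk as rendered here asserts `require.Contains(t, string(b), "foo&bar")`, which an unescaped output also satisfies; if the expected literal in the source is not actually `foo&amp;bar`, the test does not pin the escaping.
```go
// escapeXMLText returns s with XML-significant characters escaped so it can be
// interpolated into the mobileconfig template as element text.
func escapeXMLText(s string) (string, error) {
	var b strings.Builder
	if err := xml.EscapeText(&b, []byte(s)); err != nil {
		return "", err
	}
	return b.String(), nil
}

// … in generateEnrollmentProfileMobileconfig, replacing the escaped block …
	escapedOrg, err := escapeXMLText(orgName)
	if err != nil {
		return nil, fmt.Errorf("escape organization name for XML: %w", err)
	}
	escapedChallenge, err := escapeXMLText(scepChallenge)
	if err != nil {
		return nil, fmt.Errorf("escape SCEP challenge for XML: %w", err)
	}
	// … unchanged: template Execute, with Organization: escapedOrg and SCEPChallenge: escapedChallenge …
```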
@@ -1442,6 +1442,13 @@ func TestAppleMDMFileVaultEscrowFunctions(t *testing.T) {
 require.ErrorIs(t, fleet.ErrMissingLicense, err)
 }
+func TestGenerateEnrollmentProfileMobileConfig(t *testing.T) {
+ // SCEP challenge should be escaped for XML
+ b, err := generateEnrollmentProfileMobileconfig("foo", "https://example.com", "foo&bar", "topic")
+ require.NoError(t, err)
+ require.Contains(t, string(b), "foo&bar")
+}
+
 func mobileconfigForTest(name, identifier string) []byte {
 return []byte(fmt.Sprintf(`