fix: Also set inValidNode when CSP starts with comment (#27376)

Addresses https://github.com/fleetdm/fleet/issues/26443#issuecomment-2737439271 after https://github.com/fleetdm/fleet/pull/27176 was merged. # Checklist for submitter If some of the following don't apply, delete the relevant line.  - [x] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files) for more information. - I did this in https://github.com/fleetdm/fleet/pull/27176, same change message. - [x] Added/updated automated tests - [x] Manual QA for all new/changed functionality
2026-05-22 08:28:52 +00:00 · 2025-03-21 08:34:12 -04:00 · 2025-03-21 08:34:12 -04:00 · e187b02c62
commit e187b02c62
parent 4a1e5340f0
2 changed files with 28 additions and 0 deletions
--- a/server/fleet/windows_mdm.go
+++ b/server/fleet/windows_mdm.go
@ -79,6 +79,7 @@ func (m *MDMWindowsConfigProfile) ValidateUserProvided() error {
 	// structure (Target>Item>LocURI) so we don't need to track all the tags.
 	var inValidNode bool
 	var inLocURI bool
+	var inComment bool

 	for {
 		tok, err := dec.Token()
@ -97,9 +98,19 @@ func (m *MDMWindowsConfigProfile) ValidateUserProvided() error {
 			return errors.New("The file should include valid XML: processing instructions are not allowed.")

 		case xml.Comment:
+			inComment = true
 			continue

 		case xml.StartElement:
+			// Top-level comments should be followed by <Replace> or <Add> elements
+			if inComment {
+				if !inValidNode && t.Name.Local != "Replace" && t.Name.Local != "Add" {
+					return errors.New("Windows configuration profiles can only have <Replace> or <Add> top level elements after comments")
+				}
+				inValidNode = true
+				inComment = false
+			}
+
 			switch t.Name.Local {
 			case "Replace", "Add":
 				inValidNode = true
--- a/server/fleet/windows_mdm_test.go
+++ b/server/fleet/windows_mdm_test.go
@ -422,6 +422,23 @@ func TestValidateUserProvided(t *testing.T) {
 			},
 			wantErr: "",
 		},
+		{
+			name: "XML with top level comment followed by invalid element",
+			profile: MDMWindowsConfigProfile{
+				SyncML: []byte(`
+				  <!-- this is a comment -->
+				  <!-- this is another comment -->
+				  <LocURI>Custom/URI</LocURI>
+				  <Replace>
+				  <!-- this is a comment inside replace -->
+				    <Target>
+				      <LocURI>Custom/URI</LocURI>
+				    </Target>
+				  </Replace>
+				`),
+			},
+			wantErr: "Windows configuration profiles can only have <Replace> or <Add> top level elements after comments",
+		},
 		{
 			name: "XML with nested root element in data",
 			profile: MDMWindowsConfigProfile{