From e187b02c62bf94c843b2e4fcd199152b6af52003 Mon Sep 17 00:00:00 2001
From: Dan Tsekhanskiy <28414793+TsekNet@users.noreply.github.com>
Date: Fri, 21 Mar 2025 08:34:12 -0400
Subject: [PATCH] fix: Also set `inValidNode` when CSP starts with comment
 (#27376)

Addresses
https://github.com/fleetdm/fleet/issues/26443#issuecomment-2737439271
after https://github.com/fleetdm/fleet/pull/27176 was merged.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

<!-- Note that API documentation changes are now addressed by the
product design team. -->

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- I did this in https://github.com/fleetdm/fleet/pull/27176, same change
message.
- [x] Added/updated automated tests
- [x] Manual QA for all new/changed functionality
---
 server/fleet/windows_mdm.go      | 11 +++++++++++
 server/fleet/windows_mdm_test.go | 17 +++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/server/fleet/windows_mdm.go b/server/fleet/windows_mdm.go
index 901235b835..c06e18e1fe 100644
--- a/server/fleet/windows_mdm.go
+++ b/server/fleet/windows_mdm.go
@@ -79,6 +79,7 @@ func (m *MDMWindowsConfigProfile) ValidateUserProvided() error {
 	// structure (Target>Item>LocURI) so we don't need to track all the tags.
 	var inValidNode bool
 	var inLocURI bool
+	var inComment bool
 
 	for {
 		tok, err := dec.Token()
@@ -97,9 +98,19 @@ func (m *MDMWindowsConfigProfile) ValidateUserProvided() error {
 			return errors.New("The file should include valid XML: processing instructions are not allowed.")
 
 		case xml.Comment:
+			inComment = true
 			continue
 
 		case xml.StartElement:
+			// Top-level comments should be followed by <Replace> or <Add> elements
+			if inComment {
+				if !inValidNode && t.Name.Local != "Replace" && t.Name.Local != "Add" {
+					return errors.New("Windows configuration profiles can only have <Replace> or <Add> top level elements after comments")
+				}
+				inValidNode = true
+				inComment = false
+			}
+
 			switch t.Name.Local {
 			case "Replace", "Add":
 				inValidNode = true
diff --git a/server/fleet/windows_mdm_test.go b/server/fleet/windows_mdm_test.go
index 2738e703fa..93f56f8b0a 100644
--- a/server/fleet/windows_mdm_test.go
+++ b/server/fleet/windows_mdm_test.go
@@ -422,6 +422,23 @@ func TestValidateUserProvided(t *testing.T) {
 			},
 			wantErr: "",
 		},
+		{
+			name: "XML with top level comment followed by invalid element",
+			profile: MDMWindowsConfigProfile{
+				SyncML: []byte(`
+				  <!-- this is a comment -->
+				  <!-- this is another comment -->
+				  <LocURI>Custom/URI</LocURI>
+				  <Replace>
+				  <!-- this is a comment inside replace -->
+				    <Target>
+				      <LocURI>Custom/URI</LocURI>
+				    </Target>
+				  </Replace>
+				`),
+			},
+			wantErr: "Windows configuration profiles can only have <Replace> or <Add> top level elements after comments",
+		},
 		{
 			name: "XML with nested root element in data",
 			profile: MDMWindowsConfigProfile{