
fix: added input validator for dnsSuffix#2393

Merged
shaoboon merged 1 commit intomainfrom
sb_fix_validator
Apr 21, 2026

Conversation

@shaoboon
Contributor

@shaoboon shaoboon commented Mar 18, 2026

PR Checklist

  • Unit Tests have been added for new changes
  • API tests have been updated if applicable
  • All commented code has been removed
  • If you've added a dependency, you've ensured license is compatible with Apache 2.0 and clearly outlined the added dependency.

What are you changing?

  • added input validator for dnsSuffix
  • added unit test for dnsSuffix validator
  • added MPS API Postman tests as follows:
    1. Create Device with invalid dnsSuffix query injection (negative, expect 400)
    2. Create Device with non-string dnsSuffix (negative, expect 400)
    3. Update Device with invalid dnsSuffix query injection (negative, expect 400)
    4. Update Device with invalid dnsSuffix length (negative, expect 400)
    5. Update Device with empty dnsSuffix (positive, expect 200)
    6. Update Device with null dnsSuffix (positive, expect 200)
    7. Update Device with trailing-dot dnsSuffix (positive, expect 200)
    8. Update Device with single-label dnsSuffix (positive, expect 200)

Anything the reviewer should know when reviewing this PR?

Testing

MPS returns 400 instead of 200:

2026-03-18 06:28:16.093: Sending: 'PATCH /api/v1/devices HTTP/1.1\r\nAccept: application/json\r\nHost: device-management-toolkit-mps-1:3000\r\nContent-Type: application/json\r\nContent-Length: 199\r\nUser-Agent: restler/9.3.1\r\nx-restler-sequence-id: 11d6f8b6-09dc-48e0-8dee-87825e9e6897\r\n\r\n{\n    "guid":"123e4567-e89b-12d3-a456-426614174000",\n    "hostname":"AMTDEVICENUC1",\n    "dnsSuffix":"None?injected_query_string=123",\n    "friendlyName":"store12pos2",\n    "tags":["tag1", "tag2"]}\r\n'

2026-03-18 06:28:16.096: Received: 'HTTP/1.1 400 Bad Request\r\nX-Powered-By: Express\r\nAccess-Control-Allow-Origin: *\r\nContent-Type: application/json; charset=utf-8\r\nContent-Length: 152\r\nETag: W/"98-PoDfLW3A8aDc5CvA9FUeIGklUPY"\r\nDate: Wed, 18 Mar 2026 06:28:16 GMT\r\nConnection: keep-alive\r\nKeep-Alive: timeout=5\r\n\r\n{"errors":[{"type":"field","value":"None?injected_query_string=123","msg":"dnsSuffix must be a valid DNS suffix","path":"dnsSuffix","location":"body"}]}'

If there are associated PRs in other repositories, please link them here (i.e. device-management-toolkit/repo#365 )


Copilot AI left a comment


Pull request overview

Adds server-side validation for the dnsSuffix field on device create/update routes to prevent query-string injection (issue #2389), along with a focused unit test for the new validator behavior.

Changes:

  • Add dnsSuffix validation to the existing devices request validator (length + FQDN).
  • Add a new unit test suite covering valid/null/invalid dnsSuffix values.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| src/routes/devices/deviceValidator.ts | Introduces dnsSuffix validation using express-validator (isLength + isFQDN). |
| src/routes/devices/deviceValidator.test.ts | Adds unit tests to exercise the new dnsSuffix validation chain. |


rsdmike previously approved these changes Apr 13, 2026
@rsdmike
Member

rsdmike commented Apr 13, 2026

Thanks for this! Would like to see a Postman API test call update to cover some of the enhanced validation, but will approve nonetheless.

@shaoboon
Contributor Author

> Thanks for this! Would like to see a Postman API test call update to cover some of the enhanced validation, but will approve nonetheless.

Good call, I have added a total of 8 API tests (positive and negative) to the collection and the CI has passed.

@shaoboon shaoboon merged commit 355bb85 into main Apr 21, 2026
8 checks passed
@shaoboon shaoboon deleted the sb_fix_validator branch April 21, 2026 02:31
RosieAMT pushed a commit that referenced this pull request Apr 21, 2026
## [2.26.5](v2.26.4...v2.26.5) (2026-04-21)

### Bug Fixes

* added input validator for dnsSuffix ([#2393](#2393)) ([355bb85](355bb85))
@RosieAMT

🎉 This PR is included in version 2.26.5 🎉

The release is available on:

Your semantic-release bot 📦🚀

Successfully merging this pull request may close these issues.

[Bug][Fuzz]: Query string injection accepted and stored in PATCH /api/v1/devices dnsSuffix field