fix: added input validator for dnsSuffix #2393

Open
shaoboon wants to merge 1 commit into main from sb_fix_validator

@shaoboon shaoboon commented Mar 18, 2026

PR Checklist

  • Unit Tests have been added for new changes
  • API tests have been updated if applicable
  • All commented code has been removed
  • If you've added a dependency, you've ensured license is compatible with Apache 2.0 and clearly outlined the added dependency.

What are you changing?

  • added input validator for dnsSuffix
  • added unit test for dnsSuffix validator

Anything the reviewer should know when reviewing this PR?

Testing

MPS returns 400 instead of 200

2026-03-18 06:28:16.093: Sending: 'PATCH /api/v1/devices HTTP/1.1\r\nAccept: application/json\r\nHost: device-management-toolkit-mps-1:3000\r\nContent-Type: application/json\r\nContent-Length: 199\r\nUser-Agent: restler/9.3.1\r\nx-restler-sequence-id: 11d6f8b6-09dc-48e0-8dee-87825e9e6897\r\n\r\n{\n    "guid":"123e4567-e89b-12d3-a456-426614174000",\n    "hostname":"AMTDEVICENUC1",\n    "dnsSuffix":"None?injected_query_string=123",\n    "friendlyName":"store12pos2",\n    "tags":["tag1", "tag2"]}\r\n'

2026-03-18 06:28:16.096: Received: 'HTTP/1.1 400 Bad Request\r\nX-Powered-By: Express\r\nAccess-Control-Allow-Origin: *\r\nContent-Type: application/json; charset=utf-8\r\nContent-Length: 152\r\nETag: W/"98-PoDfLW3A8aDc5CvA9FUeIGklUPY"\r\nDate: Wed, 18 Mar 2026 06:28:16 GMT\r\nConnection: keep-alive\r\nKeep-Alive: timeout=5\r\n\r\n{"errors":[{"type":"field","value":"None?injected_query_string=123","msg":"dnsSuffix must be a valid DNS suffix","path":"dnsSuffix","location":"body"}]}'

If there are associated PRs in other repositories, please link them here (i.e. device-management-toolkit/repo#365 )


Copilot AI left a comment

Pull request overview

Adds server-side validation for the dnsSuffix field on device create/update routes to prevent query-string injection (issue #2389), along with a focused unit test for the new validator behavior.

Changes:

  • Add dnsSuffix validation to the existing devices request validator (length + FQDN).
  • Add a new unit test suite covering valid/null/invalid dnsSuffix values.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| src/routes/devices/deviceValidator.ts | Introduces dnsSuffix validation using express-validator (isLength + isFQDN). |
| src/routes/devices/deviceValidator.test.ts | Adds unit tests to exercise the new dnsSuffix validation chain. |
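
As an added example (not code from this PR or the project), a dependency-free JavaScript check combining a length limit with hostname-label rules, the kind of validation the review summary describes, run over constructed inputs that include the fuzz value from the test log above. The name `checkDnsSuffix`, the acceptance of null, and the exact rules are assumptions; this does not reproduce express-validator's `isFQDN`.

```javascript
// Added example: dependency-free DNS-suffix check (hypothetical helper names).
const MAX_NAME_LENGTH = 253; // maximum length of a DNS name in text form
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i; // 1-63 chars, no edge hyphen

// Returns null when the value is acceptable, otherwise a reason string.
function checkDnsSuffix(value) {
  if (value === null || value === undefined) return null; // optional field (assumption)
  if (typeof value !== 'string') return 'not a string';
  if (value.length === 0 || value.length > MAX_NAME_LENGTH) return 'bad length';
  const labels = value.split('.');
  // Allow-list every label: '?', '=', '/', '_' and whitespace all fail here.
  for (const label of labels) {
    if (!LABEL.test(label)) return `invalid label "${label}"`;
  }
  if (labels.length < 2) return 'needs at least two labels';
  // Require an alphabetic top-level label so bare IPv4 literals are rejected.
  if (!/^[a-z]{2,}$/i.test(labels[labels.length - 1])) return 'invalid top-level label';
  return null;
}

// Constructed sample inputs; the second is the fuzz value from the test log.
const SAMPLES = [
  'corp.example.com',
  'None?injected_query_string=123',
  'example.com/path',
  '-bad.example.com',
  '192.168.1.1',
  'a'.repeat(64) + '.example.com',
  null,
];

// Evaluate every sample and pair it with its verdict.
function runSamples() {
  return SAMPLES.map((s) => ({ input: s, error: checkDnsSuffix(s) }));
}

for (const r of runSamples()) {
  console.log(JSON.stringify(r.input), '->', r.error ?? 'ok');
}
```

Because each label is matched against an allow-list rather than scanned for known-bad characters, the check rejects the fuzz value without needing a rule for `?` specifically.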

Development

Successfully merging this pull request may close these issues.

[Bug][Fuzz]: Query string injection accepted and stored in PATCH /api/v1/devices dnsSuffix field