CVE-2026-34762

@@ -24,6 +24,12 @@ type CreateDataNetworkParams struct {
 	MTU    int32  `json:"mtu,omitempty"`
 }
 
+type UpdateDataNetworkParams struct {
+	IPPool string `json:"ip_pool,omitempty"`
+	DNS    string `json:"dns,omitempty"`
+	MTU    int32  `json:"mtu,omitempty"`
+}
+
 type DataNetworkStatus struct {
 	Sessions int `json:"sessions"`
 }
@@ -259,20 +265,20 @@ func UpdateDataNetwork(dbInstance *db.Database, cfg config.Config, bgpService *b
 			return
 		}
 
-		var updateDataNetworkParams CreateDataNetworkParams
+		var updateDataNetworkParams UpdateDataNetworkParams
 
 		if err := json.NewDecoder(r.Body).Decode(&updateDataNetworkParams); err != nil {
 			writeError(r.Context(), w, http.StatusBadRequest, "Invalid request data", err, logger.APILog)
 			return
 		}
 
-		if err := validateDataNetworkParams(updateDataNetworkParams); err != nil {
+		if err := validateUpdateDataNetworkParams(updateDataNetworkParams); err != nil {
 			writeError(r.Context(), w, http.StatusBadRequest, err.Error(), nil, logger.APILog)
 			return
 		}
 
 		dn := &db.DataNetwork{
-			Name:   updateDataNetworkParams.Name,
+			Name:   name,
 			IPPool: updateDataNetworkParams.IPPool,
 			DNS:    updateDataNetworkParams.DNS,
 			MTU:    updateDataNetworkParams.MTU,
@@ -293,7 +299,7 @@ func UpdateDataNetwork(dbInstance *db.Database, cfg config.Config, bgpService *b
 
 		writeResponse(r.Context(), w, SuccessResponse{Message: "Data Network updated successfully"}, http.StatusOK, logger.APILog)
 
-		logger.LogAuditEvent(r.Context(), UpdateDataNetworkAction, email, getClientIP(r), "User updated data network: "+updateDataNetworkParams.Name)
+		logger.LogAuditEvent(r.Context(), UpdateDataNetworkAction, email, getClientIP(r), "User updated data network: "+name)
 	})
 }
 
@@ -338,6 +344,25 @@ func validateDataNetworkParams(p CreateDataNetworkParams) error {
 	return nil
 }
 
+func validateUpdateDataNetworkParams(p UpdateDataNetworkParams) error {
+	switch {
+	case p.IPPool == "":
+		return errors.New("ip_pool is missing")
+	case p.DNS == "":
+		return errors.New("dns is missing")
+	case p.MTU == 0:
+		return errors.New("mtu is missing")
+	case !isUeIPPoolValid(p.IPPool):
+		return errors.New("invalid ip_pool format, must be in CIDR format")
+	case !isValidDNS(p.DNS):
+		return errors.New("invalid dns format, must be a valid IP address")
+	case !isValidMTU(p.MTU):
+		return errors.New("invalid mtu format, must be an integer between 0 and 65535")
+	}
+
+	return nil
+}
+
 // rebuildBGPFilter rebuilds the BGP safety rejection filter from the current
 // data networks and interface configuration and applies it to the BGP service.
 // It is called after data network create/update/delete operations.

@@ -45,6 +45,12 @@ type CreateDataNetworkResponse struct {
 	Error  string                          `json:"error,omitempty"`
 }
 
+type UpdateDataNetworkParams struct {
+	IPPool string `json:"ip_pool,omitempty"`
+	DNS    string `json:"dns,omitempty"`
+	MTU    int32  `json:"mtu,omitempty"`
+}
+
 type DeleteDataNetworkResponseResult struct {
 	Message string `json:"message"`
 }
@@ -153,7 +159,7 @@ func createDataNetwork(url string, client *http.Client, token string, data *Crea
 	return res.StatusCode, &createResponse, nil
 }
 
-func editDataNetwork(url string, client *http.Client, name string, token string, data *CreateDataNetworkParams) (int, *CreateDataNetworkResponse, error) {
+func editDataNetwork(url string, client *http.Client, name string, token string, data *UpdateDataNetworkParams) (int, *CreateDataNetworkResponse, error) {
 	body, err := json.Marshal(data)
 	if err != nil {
 		return 0, nil, err
@@ -356,14 +362,13 @@ func TestAPIDataNetworksEndToEnd(t *testing.T) {
 	})
 
 	t.Run("8. Edit data network - success", func(t *testing.T) {
-		createDataNetworkParams := &CreateDataNetworkParams{
-			Name:   DataNetworkName,
+		updateDataNetworkParams := &UpdateDataNetworkParams{
 			DNS:    "2.2.2.2",
 			IPPool: "1.1.1.0/29",
 			MTU:    1400,
 		}
 
-		statusCode, response, err := editDataNetwork(env.Server.URL, client, DataNetworkName, token, createDataNetworkParams)
+		statusCode, response, err := editDataNetwork(env.Server.URL, client, DataNetworkName, token, updateDataNetworkParams)
 		if err != nil {
 			t.Fatalf("couldn't edit data network: %s", err)
 		}
@@ -479,8 +484,7 @@ func TestEditInexistentDataNetwork(t *testing.T) {
 		t.Fatalf("couldn't create first user and login: %s", err)
 	}
 
-	editDataNetworkParams := &CreateDataNetworkParams{
-		Name:   "inexistent-dn",
+	editDataNetworkParams := &UpdateDataNetworkParams{
 		IPPool: IPPool,
 		DNS:    DNS,
 		MTU:    MTU,
@@ -500,6 +504,91 @@ func TestEditInexistentDataNetwork(t *testing.T) {
 	}
 }
 
+// TestUpdateDataNetworkPathBodyMismatch verifies that the path name is used
+// for the DB update instead of any name sent in the request body.
+func TestUpdateDataNetworkPathBodyMismatch(t *testing.T) {
+	tempDir := t.TempDir()
+	dbPath := filepath.Join(tempDir, "db.sqlite3")
+
+	env, err := setupServer(dbPath)
+	if err != nil {
+		t.Fatalf("couldn't create test server: %s", err)
+	}
+	defer env.Server.Close()
+
+	client := newTestClient(env.Server)
+
+	token, err := initializeAndRefresh(env.Server.URL, client)
+	if err != nil {
+		t.Fatalf("couldn't create first user and login: %s", err)
+	}
+
+	// Create a data network.
+	_, _, err = createDataNetwork(env.Server.URL, client, token, &CreateDataNetworkParams{
+		Name: "real-dn", IPPool: IPPool, DNS: DNS, MTU: MTU,
+	})
+	if err != nil {
+		t.Fatalf("couldn't create data network: %s", err)
+	}
+
+	// Update with a different name in the body than the path.
+	updateParams := &UpdateDataNetworkParams{
+		IPPool: "10.0.0.0/24",
+		DNS:    "8.8.8.8",
+		MTU:    1400,
+	}
+
+	statusCode, response, err := editDataNetwork(env.Server.URL, client, "real-dn", token, updateParams)
+	if err != nil {
+		t.Fatalf("couldn't edit data network: %s", err)
+	}
+
+	if statusCode != http.StatusOK {
+		t.Fatalf("expected status %d, got %d (error: %s)", http.StatusOK, statusCode, response.Error)
+	}
+
+	// Verify the real data network was updated (looked up by path name).
+	getStatus, getResp, err := getDataNetwork(env.Server.URL, client, token, "real-dn")
+	if err != nil {
+		t.Fatalf("couldn't get data network: %s", err)
+	}
+
+	if getStatus != http.StatusOK {
+		t.Fatalf("expected status %d, got %d", http.StatusOK, getStatus)
+	}
+
+	if getResp.Result.MTU != 1400 {
+		t.Fatalf("expected MTU 1400, got %d", getResp.Result.MTU)
+	}
+
+	// Verify the audit log references the path name, not the body name.
+	_, auditResp, err := listAuditLogs(env.Server.URL, client, token, 1, 100)
+	if err != nil {
+		t.Fatalf("couldn't list audit logs: %s", err)
+	}
+
+	var found bool
+
+	for _, entry := range auditResp.Result.Items {
+		if entry.Action != "update_data_network" {
+			continue
+		}
+
+		found = true
+
+		expected := "User updated data network: real-dn"
+		if entry.Details != expected {
+			t.Errorf("audit log records wrong name: got %q, want %q", entry.Details, expected)
+		}
+
+		break
+	}
+
+	if !found {
+		t.Fatal("no update_data_network audit entry found")
+	}
+}
+
 func TestCreateDataNetworkInvalidInput(t *testing.T) {
 	tempDir := t.TempDir()
 	dbPath := filepath.Join(tempDir, "db.sqlite3")

@@ -21,6 +21,14 @@ type CreatePolicyParams struct {
 	DataNetworkName string `json:"data_network_name,omitempty"`
 }
 
+type UpdatePolicyParams struct {
+	BitrateUplink   string `json:"bitrate_uplink,omitempty"`
+	BitrateDownlink string `json:"bitrate_downlink,omitempty"`
+	Var5qi          int32  `json:"var5qi,omitempty"`
+	Arp             int32  `json:"arp,omitempty"`
+	DataNetworkName string `json:"data_network_name,omitempty"`
+}
+
 type Policy struct {
 	Name            string `json:"name"`
 	BitrateUplink   string `json:"bitrate_uplink,omitempty"`
@@ -298,14 +306,14 @@ func UpdatePolicy(dbInstance *db.Database) http.Handler {
 			return
 		}
 
-		var updatePolicyParams CreatePolicyParams
+		var updatePolicyParams UpdatePolicyParams
 
 		if err := json.NewDecoder(r.Body).Decode(&updatePolicyParams); err != nil {
 			writeError(r.Context(), w, http.StatusBadRequest, "Invalid request data", err, logger.APILog)
 			return
 		}
 
-		if err := validatePolicyParams(updatePolicyParams); err != nil {
+		if err := validateUpdatePolicyParams(updatePolicyParams); err != nil {
 			writeError(r.Context(), w, http.StatusBadRequest, err.Error(), nil, logger.APILog)
 			return
 		}
@@ -322,7 +330,7 @@ func UpdatePolicy(dbInstance *db.Database) http.Handler {
 			return
 		}
 
-		policy.Name = updatePolicyParams.Name
+		policy.Name = policyName
 		policy.BitrateDownlink = updatePolicyParams.BitrateDownlink
 		policy.BitrateUplink = updatePolicyParams.BitrateUplink
 		policy.Var5qi = updatePolicyParams.Var5qi
@@ -335,7 +343,7 @@ func UpdatePolicy(dbInstance *db.Database) http.Handler {
 		}
 
 		writeResponse(r.Context(), w, SuccessResponse{Message: "Policy updated successfully"}, http.StatusOK, logger.APILog)
-		logger.LogAuditEvent(r.Context(), UpdatePolicyAction, email, getClientIP(r), "User updated policy: "+updatePolicyParams.Name)
+		logger.LogAuditEvent(r.Context(), UpdatePolicyAction, email, getClientIP(r), "User updated policy: "+policyName)
 	})
 }
 
@@ -367,3 +375,28 @@ func validatePolicyParams(p CreatePolicyParams) error {
 
 	return nil
 }
+
+func validateUpdatePolicyParams(p UpdatePolicyParams) error {
+	switch {
+	case p.DataNetworkName == "":
+		return errors.New("data_network_name is missing")
+	case p.BitrateUplink == "":
+		return errors.New("bitrate_uplink is missing")
+	case p.BitrateDownlink == "":
+		return errors.New("bitrate_downlink is missing")
+	case p.Var5qi == 0:
+		return errors.New("Var5qi is missing")
+	case p.Arp == 0:
+		return errors.New("arp is missing")
+	case !isValidBitrate(p.BitrateUplink):
+		return errors.New("invalid bitrate_uplink format - must be in the format `<number> <unit>`, allowed units are Mbps, Gbps")
+	case !isValidBitrate(p.BitrateDownlink):
+		return errors.New("invalid bitrate_downlink format - must be in the format `<number> <unit>`, allowed units are Mbps, Gbps")
+	case !isValid5Qi(p.Var5qi):
+		return errors.New("invalid Var5qi format - must be an integer associated with a non-GBR 5QI")
+	case !isValidArp(p.Arp):
+		return errors.New("invalid arp format - must be an integer between 1 and 255")
+	}
+
+	return nil
+}

@@ -50,6 +50,14 @@ type CreatePolicyResponse struct {
 	Error  string                     `json:"error,omitempty"`
 }
 
+type UpdatePolicyParams struct {
+	BitrateUplink   string `json:"bitrate_uplink,omitempty"`
+	BitrateDownlink string `json:"bitrate_downlink,omitempty"`
+	Var5qi          int32  `json:"var5qi,omitempty"`
+	Arp             int32  `json:"arp,omitempty"`
+	DataNetworkName string `json:"data_network_name,omitempty"`
+}
+
 type DeletePolicyResponseResult struct {
 	Message string `json:"message"`
 }
@@ -157,7 +165,7 @@ func createPolicy(url string, client *http.Client, token string, data *CreatePol
 	return res.StatusCode, &createResponse, nil
 }
 
-func editPolicy(url string, client *http.Client, name string, token string, data *CreatePolicyParams) (int, *CreatePolicyResponse, error) {
+func editPolicy(url string, client *http.Client, name string, token string, data *UpdatePolicyParams) (int, *CreatePolicyResponse, error) {
 	body, err := json.Marshal(data)
 	if err != nil {
 		return 0, nil, err
@@ -396,16 +404,15 @@ func TestAPIPoliciesEndToEnd(t *testing.T) {
 	})
 
 	t.Run("8. Edit policy - success", func(t *testing.T) {
-		createPolicyParams := &CreatePolicyParams{
-			Name:            PolicyName,
+		updatePolicyParams := &UpdatePolicyParams{
 			BitrateUplink:   "100 Mbps",
 			BitrateDownlink: "200 Mbps",
 			Var5qi:          6,
 			Arp:             3,
 			DataNetworkName: DataNetworkName,
 		}
 
-		statusCode, response, err := editPolicy(env.Server.URL, client, PolicyName, token, createPolicyParams)
+		statusCode, response, err := editPolicy(env.Server.URL, client, PolicyName, token, updatePolicyParams)
 		if err != nil {
 			t.Fatalf("couldn't edit policy: %s", err)
 		}
@@ -502,6 +509,101 @@ func TestAPIPoliciesEndToEnd(t *testing.T) {
 	})
 }
 
+// TestUpdatePolicyPathBodyMismatch verifies that the path name is used
+// for the DB update instead of any name sent in the request body.
+func TestUpdatePolicyPathBodyMismatch(t *testing.T) {
+	tempDir := t.TempDir()
+	dbPath := filepath.Join(tempDir, "db.sqlite3")
+
+	env, err := setupServer(dbPath)
+	if err != nil {
+		t.Fatalf("couldn't create test server: %s", err)
+	}
+	defer env.Server.Close()
+
+	client := newTestClient(env.Server)
+
+	token, err := initializeAndRefresh(env.Server.URL, client)
+	if err != nil {
+		t.Fatalf("couldn't create first user and login: %s", err)
+	}
+
+	// Create data network and policy.
+	_, _, err = createDataNetwork(env.Server.URL, client, token, &CreateDataNetworkParams{
+		Name: DataNetworkName, MTU: MTU, IPPool: IPPool, DNS: DNS,
+	})
+	if err != nil {
+		t.Fatalf("couldn't create data network: %s", err)
+	}
+
+	_, _, err = createPolicy(env.Server.URL, client, token, &CreatePolicyParams{
+		Name: "real-policy", BitrateUplink: "100 Mbps", BitrateDownlink: "100 Mbps",
+		Var5qi: 9, Arp: 1, DataNetworkName: DataNetworkName,
+	})
+	if err != nil {
+		t.Fatalf("couldn't create policy: %s", err)
+	}
+
+	// Update with a different name in the body than the path.
+	updateParams := &UpdatePolicyParams{
+		BitrateUplink:   "50 Mbps",
+		BitrateDownlink: "50 Mbps",
+		Var5qi:          6,
+		Arp:             2,
+		DataNetworkName: DataNetworkName,
+	}
+
+	statusCode, response, err := editPolicy(env.Server.URL, client, "real-policy", token, updateParams)
+	if err != nil {
+		t.Fatalf("couldn't edit policy: %s", err)
+	}
+
+	if statusCode != http.StatusOK {
+		t.Fatalf("expected status %d, got %d (error: %s)", http.StatusOK, statusCode, response.Error)
+	}
+
+	// Verify the real policy was updated (looked up by path name).
+	getStatus, getResp, err := getPolicy(env.Server.URL, client, token, "real-policy")
+	if err != nil {
+		t.Fatalf("couldn't get policy: %s", err)
+	}
+
+	if getStatus != http.StatusOK {
+		t.Fatalf("expected status %d, got %d", http.StatusOK, getStatus)
+	}
+
+	if getResp.Result.Arp != 2 {
+		t.Fatalf("expected arp 2, got %d", getResp.Result.Arp)
+	}
+
+	// Verify the audit log references the path name, not the body name.
+	_, auditResp, err := listAuditLogs(env.Server.URL, client, token, 1, 100)
+	if err != nil {
+		t.Fatalf("couldn't list audit logs: %s", err)
+	}
+
+	var found bool
+
+	for _, entry := range auditResp.Result.Items {
+		if entry.Action != "update_policy" {
+			continue
+		}
+
+		found = true
+
+		expected := "User updated policy: real-policy"
+		if entry.Details != expected {
+			t.Errorf("audit log records wrong name: got %q, want %q", entry.Details, expected)
+		}
+
+		break
+	}
+
+	if !found {
+		t.Fatal("no update_policy audit entry found")
+	}
+}
+
 func TestCreatePolicyInvalidInput(t *testing.T) {
 	tempDir := t.TempDir()
 	dbPath := filepath.Join(tempDir, "db.sqlite3")

@@ -26,7 +26,6 @@ type CreateSubscriberParams struct {
 }
 
 type UpdateSubscriberParams struct {
-	Imsi       string `json:"imsi"`
 	PolicyName string `json:"policyName"`
 }
 
@@ -543,29 +542,19 @@ func UpdateSubscriber(dbInstance *db.Database) http.Handler {
 			return
 		}
 
-		if params.Imsi == "" {
-			writeError(r.Context(), w, http.StatusBadRequest, "Missing imsi parameter", errors.New("validation error"), logger.APILog)
-			return
-		}
-
 		if params.PolicyName == "" {
 			writeError(r.Context(), w, http.StatusBadRequest, "Missing policyName parameter", errors.New("validation error"), logger.APILog)
 			return
 		}
 
-		if !isImsiValid(r.Context(), params.Imsi, dbInstance) {
-			writeError(r.Context(), w, http.StatusBadRequest, "Invalid IMSI", errors.New("validation error"), logger.APILog)
-			return
-		}
-
 		policy, err := dbInstance.GetPolicy(r.Context(), params.PolicyName)
 		if err != nil {
 			writeError(r.Context(), w, http.StatusNotFound, "Policy not found", nil, logger.APILog)
 			return
 		}
 
 		updated := &db.Subscriber{
-			Imsi:     params.Imsi,
+			Imsi:     imsi,
 			PolicyID: policy.ID,
 		}
 		if err := dbInstance.UpdateSubscriberPolicy(r.Context(), updated); err != nil {

@@ -668,26 +668,6 @@ func TestSubscribersApiEndToEnd(t *testing.T) {
 		}
 	})
 
-	t.Run("10. Update subscriber - missing imsi in body", func(t *testing.T) {
-		updateParams := &UpdateSubscriberParams{
-			Imsi:       "",
-			PolicyName: PolicyName,
-		}
-
-		statusCode, response, err := updateSubscriber(env.Server.URL, client, token, Imsi, updateParams)
-		if err != nil {
-			t.Fatalf("couldn't update subscriber: %s", err)
-		}
-
-		if statusCode != http.StatusBadRequest {
-			t.Fatalf("expected status %d, got %d", http.StatusBadRequest, statusCode)
-		}
-
-		if response.Error != "Missing imsi parameter" {
-			t.Fatalf("expected error 'Missing imsi parameter', got %q", response.Error)
-		}
-	})
-
 	t.Run("5f. Update subscriber - missing policy name", func(t *testing.T) {
 		updateParams := &UpdateSubscriberParams{
 			Imsi:       Imsi,
@@ -708,7 +688,7 @@ func TestSubscribersApiEndToEnd(t *testing.T) {
 		}
 	})
 
-	t.Run("11. Update subscriber - invalid imsi", func(t *testing.T) {
+	t.Run("11. Update subscriber - not found", func(t *testing.T) {
 		updateParams := &UpdateSubscriberParams{
 			Imsi:       "invalid-imsi",
 			PolicyName: PolicyName,
@@ -719,12 +699,12 @@ func TestSubscribersApiEndToEnd(t *testing.T) {
 			t.Fatalf("couldn't update subscriber: %s", err)
 		}
 
-		if statusCode != http.StatusBadRequest {
-			t.Fatalf("expected status %d, got %d", http.StatusBadRequest, statusCode)
+		if statusCode != http.StatusNotFound {
+			t.Fatalf("expected status %d, got %d", http.StatusNotFound, statusCode)
 		}
 
-		if response.Error != "Invalid IMSI" {
-			t.Fatalf("expected error 'Invalid IMSI', got %q", response.Error)
+		if response.Error != "Subscriber not found" {
+			t.Fatalf("expected error 'Subscriber not found', got %q", response.Error)
 		}
 	})
 

@@ -1143,7 +1143,7 @@ paths:
         content:
           application/json:
             schema:
-              $ref: "#/components/schemas/CreatePolicyParams"
+              $ref: "#/components/schemas/UpdatePolicyParams"
       responses:
         "200":
           $ref: "#/components/responses/Success"
@@ -1518,7 +1518,7 @@ paths:
         content:
           application/json:
             schema:
-              $ref: "#/components/schemas/CreateDataNetworkParams"
+              $ref: "#/components/schemas/UpdateDataNetworkParams"
       responses:
         "200":
           $ref: "#/components/responses/Success"
@@ -2957,10 +2957,8 @@ components:
 
     UpdateSubscriberParams:
       type: object
-      required: [imsi, policyName]
+      required: [policyName]
       properties:
-        imsi:
-          type: string
         policyName:
           type: string
           description: Name of an existing QoS policy.
@@ -3068,6 +3066,27 @@ components:
           type: string
           description: Name of an existing data network.
 
+    UpdatePolicyParams:
+      type: object
+      required: [bitrate_uplink, bitrate_downlink, var5qi, arp, data_network_name]
+      properties:
+        bitrate_uplink:
+          type: string
+          description: "e.g. \"100 Mbps\""
+        bitrate_downlink:
+          type: string
+          description: "e.g. \"200 Mbps\""
+        var5qi:
+          type: integer
+          enum: [5, 6, 7, 8, 9, 69, 70, 79, 80]
+        arp:
+          type: integer
+          minimum: 1
+          maximum: 15
+        data_network_name:
+          type: string
+          description: Name of an existing data network.
+
     # ── Operator ────────────────────────────────────────────────────────
     OperatorID:
       type: object
@@ -3367,6 +3386,21 @@ components:
           minimum: 0
           maximum: 65535
 
+    UpdateDataNetworkParams:
+      type: object
+      required: [ip_pool, dns, mtu]
+      properties:
+        ip_pool:
+          type: string
+          description: "CIDR notation (e.g. \"10.0.0.0/24\")."
+        dns:
+          type: string
+          description: DNS server IP address.
+        mtu:
+          type: integer
+          minimum: 0
+          maximum: 65535
+
     # ── Routes ──────────────────────────────────────────────────────────
     Route:
       type: object

@@ -70,7 +70,6 @@ export const updatePolicy = async (
     method: "PUT",
     authToken,
     body: {
-      name,
       bitrate_uplink: bitrateUplink,
       bitrate_downlink: bitrateDownlink,
       var5qi,

@@ -111,7 +111,7 @@ export const updateSubscriber = async (
   await apiFetchVoid(`/api/v1/subscribers/${imsi}`, {
     method: "PUT",
     authToken,
-    body: { imsi, policyName },
+    body: { policyName },
   });
 };