Skip to content

[fix] Device name corrupted by in-place mutation in _get_common_name() during VPN cert provisioning #1296

Open
#1300
Open
[fix] Device name corrupted by in-place mutation in _get_common_name() during VPN cert provisioning#1296
#1300
@mn-ram

Description

@mn-ram
mn-ram
opened on Mar 17, 2026

Bug Report: In-place Mutation of Device Name in _get_common_name()

Description

The _get_common_name() function currently truncates long device names by mutating device.name directly.

Due to Django’s ForeignKey caching behavior, this modification affects the original in-memory Device instance, leading to silent data corruption during VPN certificate provisioning.

Steps to Reproduce

  1. Create a Device with a name exceeding the certificate Common Name (CN) length limit.
  2. Trigger VPN certificate provisioning for that device.
  3. Inspect the device.name attribute after provisioning.

Actual Behavior

  • device.name is unexpectedly modified (truncated) in memory.
  • This happens because _get_common_name() alters the original object instead of working on a copy.

Expected Behavior

  • device.name should remain unchanged.
  • Only the certificate’s Common Name (CN) should be truncated for compliance.

Related PR

Impact

  • Silent mutation of model instances
  • Potential inconsistencies across the application
  • Hard-to-debug side effects due to Django ORM caching

Suggested Fix

Avoid mutating the original device.name. Instead, operate on a derived value:

cn = device.name[:MAX_CN_LENGTH]

without modifying the device instance itself.

Benefit

Ensures data integrity, avoids unintended side effects, and aligns with Django best practices for immutable model handling in utility functions.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions