MM-37691: Harden interactive dialog action (#22783)

We strengthen some checks, forcing them to be changed only via config. https://mattermost.atlassian.net/browse/MM-37691 ```release-note NONE ``` Co-authored-by: Mattermost Build <build@mattermost.com>
2025-02-25 18:55:24 -06:00 · 2023-05-04 15:08:55 +05:30 · 2023-05-04 15:08:55 +05:30 · efbee8ad56
commit efbee8ad56
parent 3afd2ec549
2 changed files with 8 additions and 1 deletions
--- a/server/channels/app/integration_action.go
+++ b/server/channels/app/integration_action.go
@ -332,7 +332,7 @@ func (a *App) DoActionRequest(c *request.Context, rawURL string, body []byte) (*
 	var httpClient *http.Client
 	subpath, _ := utils.GetSubpathFromConfig(a.Config())
 	siteURL, _ := url.Parse(*a.Config().ServiceSettings.SiteURL)
-	if (inURL.Hostname() == "localhost" || inURL.Hostname() == "127.0.0.1" || inURL.Hostname() == siteURL.Hostname()) && strings.HasPrefix(inURL.Path, path.Join(subpath, "plugins")) {
+	if inURL.Hostname() == siteURL.Hostname() && strings.HasPrefix(inURL.Path, path.Join(subpath, "plugins")) {
 		req.Header.Set(model.HeaderAuth, "Bearer "+c.Session().Token)
 		httpClient = a.HTTPService().MakeClient(true)
 	} else {
--- a/server/channels/app/integration_action_test.go
+++ b/server/channels/app/integration_action_test.go
@ -313,6 +313,13 @@ func TestPostAction(t *testing.T) {
 			attachmentsPlugin, ok := postplugin.GetProp("attachments").([]*model.SlackAttachment)
 			require.True(t, ok)

+			_, err = th.App.DoPostAction(th.Context, postplugin.Id, attachmentsPlugin[0].Actions[0].Id, th.BasicUser.Id, "")
+			require.Equal(t, "api.post.do_action.action_integration.app_error", err.Id)
+
+			th.App.UpdateConfig(func(cfg *model.Config) {
+				*cfg.ServiceSettings.AllowedUntrustedInternalConnections = "localhost,127.0.0.1"
+			})
+
 			_, err = th.App.DoPostAction(th.Context, postplugin.Id, attachmentsPlugin[0].Actions[0].Id, th.BasicUser.Id, "")
 			require.Nil(t, err)