From efbee8ad5637620c14a2f8d011e1e4fd79e45b5d Mon Sep 17 00:00:00 2001
From: Agniva De Sarker
Date: Thu, 4 May 2023 15:08:55 +0530
Subject: [PATCH] MM-37691: Harden interactive dialog action (#22783)

We strengthen some checks, forcing them to be changed only via config.

https://mattermost.atlassian.net/browse/MM-37691

```release-note
NONE
```

Co-authored-by: Mattermost Build
---
 server/channels/app/integration_action.go | 2 +-
 server/channels/app/integration_action_test.go | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/server/channels/app/integration_action.go b/server/channels/app/integration_action.go
index 7af3c21886..c82feb04d3 100644
--- a/server/channels/app/integration_action.go
+++ b/server/channels/app/integration_action.go
@@ -332,7 +332,7 @@ func (a *App) DoActionRequest(c *request.Context, rawURL string, body []byte) (*
 var httpClient *http.Client
 subpath, _ := utils.GetSubpathFromConfig(a.Config())
 siteURL, _ := url.Parse(*a.Config().ServiceSettings.SiteURL)
- if (inURL.Hostname() == "localhost" || inURL.Hostname() == "127.0.0.1" || inURL.Hostname() == siteURL.Hostname()) && strings.HasPrefix(inURL.Path, path.Join(subpath, "plugins")) {
+ if inURL.Hostname() == siteURL.Hostname() && strings.HasPrefix(inURL.Path, path.Join(subpath, "plugins")) {
 req.Header.Set(model.HeaderAuth, "Bearer "+c.Session().Token)
 httpClient = a.HTTPService().MakeClient(true)
 } else {
diff --git a/server/channels/app/integration_action_test.go b/server/channels/app/integration_action_test.go
index 0f69e05ea1..1f459296a3 100644
--- a/server/channels/app/integration_action_test.go
+++ b/server/channels/app/integration_action_test.go
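Review bot: The trust decision on the new `if` line compares hostnames only, so an action URL that shares the SiteURL host but uses a different scheme or port still receives the caller's session token via `req.Header.Set(model.HeaderAuth, ...)` and the trusted client from `MakeClient(true)`; checking `inURL.Scheme == siteURL.Scheme && inURL.Port() == siteURL.Port()` alongside the hostname keeps the token on the configured origin. The error from `url.Parse(*a.Config().ServiceSettings.SiteURL)` on the context line above is discarded, and an empty or unparseable SiteURL gives an empty hostname that would match an action URL carrying no host, so a guard such as `siteURL.Hostname() != "" && inURL.Hostname() == siteURL.Hostname()` is worth adding. The prefix test also runs against the uncleaned `inURL.Path`, so dot segments pass it; comparing `path.Clean(inURL.Path)` instead is a cheap hardening step. DoActionRequest starts and ends outside the hunk, and the accompanying test hunk in integration_action_test.go is cut off at the end of the page.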
@@ -313,6 +313,13 @@ func TestPostAction(t *testing.T) { attachmentsPlugin, ok := postplugin.GetProp("attachments").([]*model.SlackAttachment) require.True(t, ok) + _, err = th.App.DoPostAction(th.Context, postplugin.Id, attachmentsPlugin[0].Actions[0].Id, th.BasicUser.Id, "") + require.Equal(t, "api.post.do_action.action_integration.app_error", err.Id) + + th.App.UpdateConfig(func(cfg *model.Config) { + *cfg.ServiceSettings.AllowedUntrustedInternalConnections = "localhost,127.0.0.1" + }) + _, err = th.App.DoPostAction(th.Context, postplugin.Id, attachmentsPlugin[0].Actions[0].Id, th.BasicUser.Id, "") require.Nil(t, err)