MM-11693 Allow connections to /plugins for interactive message buttons. (#9333)

* Allow connetions to /plugins for interactive message buttons.

* Adding siteurl to exclusions for AllowedUntrustedInternalConnections

* Adding subpath support for allowing interactive message buttons plugin connections.

1 files changed, 14 insertions, 1 deletions

diff --git a/app/post.go b/app/post.go
index 312269772..30602b392 100644
--- a/app/post.go
+++ b/app/post.go
@@ -12,6 +12,7 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"path"
 	"regexp"
 	"strings"
 
@@ -882,7 +883,19 @@ func (a *App) DoPostAction(postId, actionId, userId, selectedOption string) *mod
 	req, _ := http.NewRequest("POST", action.Integration.URL, strings.NewReader(request.ToJson()))
 	req.Header.Set("Content-Type", "application/json")
 	req.Header.Set("Accept", "application/json")
-	resp, err := a.HTTPClient(false).Do(req)
+
+	// Allow access to plugin routes for action buttons
+	var httpClient *http.Client
+	url, _ := url.Parse(action.Integration.URL)
+	siteURL, _ := url.Parse(*a.Config().ServiceSettings.SiteURL)
+	subpath, _ := utils.GetSubpathFromConfig(a.Config())
+	if (url.Hostname() == "localhost" || url.Hostname() == "127.0.0.1" || url.Hostname() == siteURL.Hostname()) && strings.HasPrefix(url.Path, path.Join(subpath, "plugins")) {
+		httpClient = a.HTTPClient(true)
+	} else {
+		httpClient = a.HTTPClient(false)
+	}
+
+	resp, err := httpClient.Do(req)
 	if err != nil {
 		return model.NewAppError("DoPostAction", "api.post.do_action.action_integration.app_error", nil, "err="+err.Error(), http.StatusBadRequest)
 	}