authorChris <ccbrown112@gmail.com>2017-08-09 15:49:07 -0500
committerChristopher Speller <crspeller@gmail.com>2017-08-09 13:49:07 -0700
commitffbf8e51fe0b80b39fa76535f96c9179b2fcc0a1 (patch)
tree5f29ad6b3ae1c26a05a827406e9fe8c0385d26d6 /webapp
parent504582b824d07946c7fb43eb2a8f0aadb15a3677 (diff)
PLT-6358: Server HTTP client improvements (#6980)
* restrict untrusted internal HTTP connections by default * command test fix * more test fixes * change setting from toggle to whitelist * requested UI changes * add isdefault diagnostic * fix tests
Diffstat (limited to 'webapp')
-rw-r--r--webapp/components/admin_console/developer_settings.jsx27
-rwxr-xr-xwebapp/i18n/en.json3
2 files changed, 28 insertions, 2 deletions
diff --git a/webapp/components/admin_console/developer_settings.jsx b/webapp/components/admin_console/developer_settings.jsx
index c7ffd18d5..6a8f49dbd 100644
--- a/webapp/components/admin_console/developer_settings.jsx
+++ b/webapp/components/admin_console/developer_settings.jsx
@@ -3,10 +3,13 @@
import React from 'react';
+import * as Utils from 'utils/utils.jsx';
+
import AdminSettings from './admin_settings.jsx';
import BooleanSetting from './boolean_setting.jsx';
-import {FormattedMessage} from 'react-intl';
+import {FormattedMessage, FormattedHTMLMessage} from 'react-intl';
import SettingsGroup from './settings_group.jsx';
+import TextSetting from './text_setting.jsx';
export default class DeveloperSettings extends AdminSettings {
constructor(props) {
@@ -20,6 +23,7 @@ export default class DeveloperSettings extends AdminSettings {
getConfigFromState(config) {
config.ServiceSettings.EnableTesting = this.state.enableTesting;
config.ServiceSettings.EnableDeveloper = this.state.enableDeveloper;
+ config.ServiceSettings.AllowedUntrustedInternalConnections = this.state.allowedUntrustedInternalConnections;
return config;
}
@@ -27,7 +31,8 @@ export default class DeveloperSettings extends AdminSettings {
getStateFromConfig(config) {
return {
enableTesting: config.ServiceSettings.EnableTesting,
- enableDeveloper: config.ServiceSettings.EnableDeveloper
+ enableDeveloper: config.ServiceSettings.EnableDeveloper,
+ allowedUntrustedInternalConnections: config.ServiceSettings.AllowedUntrustedInternalConnections
};
}
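Review bot: `getStateFromConfig` copies `config.ServiceSettings.AllowedUntrustedInternalConnections` into state with no fallback, so a config payload that omits the key (a server predating this setting, or a hand-edited config.json) would seed the new text input with `undefined` and make it flip from uncontrolled to controlled on the first keystroke. Whether the server always materialises a default for this key is not visible here; if it does not, `allowedUntrustedInternalConnections: config.ServiceSettings.AllowedUntrustedInternalConnections || ''` keeps the input controlled, and the matching line in `getConfigFromState` then writes back `''` (an empty allow-list) rather than `undefined`. This is the same pattern the existing boolean fields avoid only because a missing boolean renders as unchecked.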
@@ -77,6 +82,24 @@ export default class DeveloperSettings extends AdminSettings {
value={this.state.enableDeveloper}
onChange={this.handleChange}
/>
+ <TextSetting
+ id='allowedUntrustedInternalConnections'
+ label={
+ <FormattedMessage
+ id='admin.service.internalConnectionsTitle'
+ defaultMessage='Allow untrusted internal connections to: '
+ />
+ }
+ placeholder={Utils.localizeMessage('admin.service.internalConnectionsEx', 'webhooks.internal.example.com 127.0.0.1 10.0.16.0/28')}
+ helpText={
+ <FormattedHTMLMessage
+ id='admin.service.internalConnectionsDesc'
+ defaultMessage='In testing environments, such as when developing integrations locally on a development machine, use this setting to specify domains, IP addresses, or CIDR notations to allow internal connections. <b>Not recommended for use in production</b>, since this can allow a user to extract confidential data from your server or internal network.<br /><br />By default, user-supplied URLs such as those used for Open Graph metadata, webhooks, or slash commands will not be allowed to connect to reserved IP addresses including loopback or link-local addresses used for internal networks. Push notification, OAuth 2.0 and WebRTC server URLs are trusted and not affected by this setting.'
+ />
+ }
+ value={this.state.allowedUntrustedInternalConnections}
+ onChange={this.handleChange}
+ />
</SettingsGroup>
);
}
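Review bot: The help text on the new `TextSetting` tells admins that entries may be "domains" but not that a domain entry presumably admits whatever that name resolves to at request time, so a listed hostname whose DNS someone else controls, or that later changes, widens the allow-list beyond what the admin reviewed; it also never says how entries are separated, which only the placeholder implies (whitespace). I would extend the first paragraph of `defaultMessage` (and the matching `admin.service.internalConnectionsDesc` string in en.json) with: `Separate entries with spaces. A domain entry allows every address it resolves to, so list only hosts whose DNS you control.` Note too that `FormattedHTMLMessage` inserts the translated string as raw HTML, which is acceptable for the bundled en.json but means every translation of this key is trusted markup, so it should be kept to the `<b>` and `<br />` used here. The `render` method this JSX belongs to begins outside the hunk.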
diff --git a/webapp/i18n/en.json b/webapp/i18n/en.json
index b74c049b4..1eced0e54 100755
--- a/webapp/i18n/en.json
+++ b/webapp/i18n/en.json
@@ -805,6 +805,9 @@
"admin.service.iconTitle": "Enable integrations to override profile picture icons:",
"admin.service.insecureTlsDesc": "When true, any outgoing HTTPS requests will accept unverified, self-signed certificates. For example, outgoing webhooks to a server with a self-signed TLS certificate, using any domain, will be allowed. Note that this makes these connections susceptible to man-in-the-middle attacks.",
"admin.service.insecureTlsTitle": "Enable Insecure Outgoing Connections: ",
+ "admin.service.internalConnectionsDesc": "In testing environments, such as when developing integrations locally on a development machine, use this setting to specify domains, IP addresses, or CIDR notations to allow internal connections. <b>Not recommended for use in production</b>, since this can allow a user to extract confidential data from your server or internal network.<br /><br />By default, user-supplied URLs such as those used for Open Graph metadata, webhooks, or slash commands will not be allowed to connect to reserved IP addresses including loopback or link-local addresses used for internal networks. Push notification, OAuth 2.0 and WebRTC server URLs are trusted and not affected by this setting.",
+ "admin.service.internalConnectionsTitle": "Allow untrusted internal connections to: ",
+ "admin.service.internalConnectionsEx": "webhooks.internal.example.com 127.0.0.1 10.0.16.0/28",
"admin.service.integrationAdmin": "Restrict managing integrations to Admins:",
"admin.service.integrationAdminDesc": "When true, webhooks and slash commands can only be created, edited and viewed by Team and System Admins, and OAuth 2.0 applications by System Admins. Integrations are available to all users after they have been created by the Admin.",
"admin.service.letsEncryptCertificateCacheFile": "Let's Encrypt Certificate Cache File:",