From 9f465127592f2f3c893988daceaf608671da9df1 Mon Sep 17 00:00:00 2001
From: Christopher Speller <crspeller@gmail.com>
Date: Sun, 2 Sep 2018 00:30:10 -0700
Subject: MM-11693 Allow connections to /plugins for interactive message
 buttons. (#9333)

* Allow connetions to /plugins for interactive message buttons.

* Adding siteurl to exclusions for AllowedUntrustedInternalConnections

* Adding subpath support for allowing interactive message buttons plugin connections.
---
 app/post_test.go | 130 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 129 insertions(+), 1 deletion(-)

(limited to 'app/post_test.go')

diff --git a/app/post_test.go b/app/post_test.go
index 66a141172..ae13a7627 100644
--- a/app/post_test.go
+++ b/app/post_test.go
@@ -142,7 +142,7 @@ func TestPostAction(t *testing.T) {
 		}
 		assert.Equal(t, "foo", request.Context["s"])
 		assert.EqualValues(t, 3, request.Context["n"])
-		fmt.Fprintf(w, `{"update": {"message": "updated"}, "ephemeral_text": "foo"}`)
+		fmt.Fprintf(w, `{"post": {"message": "updated"}, "ephemeral_text": "foo"}`)
 	}))
 	defer ts.Close()
 
@@ -229,6 +229,134 @@ func TestPostAction(t *testing.T) {
 
 	err = th.App.DoPostAction(post2.Id, attachments2[0].Actions[0].Id, th.BasicUser.Id, "selected")
 	require.Nil(t, err)
+
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.ServiceSettings.AllowedUntrustedInternalConnections = ""
+	})
+
+	err = th.App.DoPostAction(post.Id, attachments[0].Actions[0].Id, th.BasicUser.Id, "")
+	require.NotNil(t, err)
+	require.True(t, strings.Contains(err.Error(), "address forbidden"))
+
+	interactivePostPlugin := model.Post{
+		Message:       "Interactive post",
+		ChannelId:     th.BasicChannel.Id,
+		PendingPostId: model.NewId() + ":" + fmt.Sprint(model.GetMillis()),
+		UserId:        th.BasicUser.Id,
+		Props: model.StringInterface{
+			"attachments": []*model.SlackAttachment{
+				{
+					Text: "hello",
+					Actions: []*model.PostAction{
+						{
+							Integration: &model.PostActionIntegration{
+								Context: model.StringInterface{
+									"s": "foo",
+									"n": 3,
+								},
+								URL: ts.URL + "/plugins/myplugin/myaction",
+							},
+							Name:       "action",
+							Type:       "some_type",
+							DataSource: "some_source",
+						},
+					},
+				},
+			},
+		},
+	}
+
+	postplugin, err := th.App.CreatePostAsUser(&interactivePostPlugin)
+	require.Nil(t, err)
+
+	attachmentsPlugin, ok := postplugin.Props["attachments"].([]*model.SlackAttachment)
+	require.True(t, ok)
+
+	err = th.App.DoPostAction(postplugin.Id, attachmentsPlugin[0].Actions[0].Id, th.BasicUser.Id, "")
+	require.Nil(t, err)
+
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.ServiceSettings.SiteURL = "http://127.1.1.1"
+	})
+
+	interactivePostSiteURL := model.Post{
+		Message:       "Interactive post",
+		ChannelId:     th.BasicChannel.Id,
+		PendingPostId: model.NewId() + ":" + fmt.Sprint(model.GetMillis()),
+		UserId:        th.BasicUser.Id,
+		Props: model.StringInterface{
+			"attachments": []*model.SlackAttachment{
+				{
+					Text: "hello",
+					Actions: []*model.PostAction{
+						{
+							Integration: &model.PostActionIntegration{
+								Context: model.StringInterface{
+									"s": "foo",
+									"n": 3,
+								},
+								URL: "http://127.1.1.1/plugins/myplugin/myaction",
+							},
+							Name:       "action",
+							Type:       "some_type",
+							DataSource: "some_source",
+						},
+					},
+				},
+			},
+		},
+	}
+
+	postSiteURL, err := th.App.CreatePostAsUser(&interactivePostSiteURL)
+	require.Nil(t, err)
+
+	attachmentsSiteURL, ok := postSiteURL.Props["attachments"].([]*model.SlackAttachment)
+	require.True(t, ok)
+
+	err = th.App.DoPostAction(postSiteURL.Id, attachmentsSiteURL[0].Actions[0].Id, th.BasicUser.Id, "")
+	require.NotNil(t, err)
+	require.False(t, strings.Contains(err.Error(), "address forbidden"))
+
+	th.App.UpdateConfig(func(cfg *model.Config) {
+		*cfg.ServiceSettings.SiteURL = ts.URL + "/subpath"
+	})
+
+	interactivePostSubpath := model.Post{
+		Message:       "Interactive post",
+		ChannelId:     th.BasicChannel.Id,
+		PendingPostId: model.NewId() + ":" + fmt.Sprint(model.GetMillis()),
+		UserId:        th.BasicUser.Id,
+		Props: model.StringInterface{
+			"attachments": []*model.SlackAttachment{
+				{
+					Text: "hello",
+					Actions: []*model.PostAction{
+						{
+							Integration: &model.PostActionIntegration{
+								Context: model.StringInterface{
+									"s": "foo",
+									"n": 3,
+								},
+								URL: ts.URL + "/subpath/plugins/myplugin/myaction",
+							},
+							Name:       "action",
+							Type:       "some_type",
+							DataSource: "some_source",
+						},
+					},
+				},
+			},
+		},
+	}
+
+	postSubpath, err := th.App.CreatePostAsUser(&interactivePostSubpath)
+	require.Nil(t, err)
+
+	attachmentsSubpath, ok := postSubpath.Props["attachments"].([]*model.SlackAttachment)
+	require.True(t, ok)
+
+	err = th.App.DoPostAction(postSubpath.Id, attachmentsSubpath[0].Actions[0].Id, th.BasicUser.Id, "")
+	require.Nil(t, err)
 }
 
 func TestPostChannelMentions(t *testing.T) {
-- 
cgit v1.2.3-1-g7c22