From 9f465127592f2f3c893988daceaf608671da9df1 Mon Sep 17 00:00:00 2001 From: Christopher Speller Date: Sun, 2 Sep 2018 00:30:10 -0700 Subject: MM-11693 Allow connections to /plugins for interactive message buttons. (#9333) * Allow connetions to /plugins for interactive message buttons. * Adding siteurl to exclusions for AllowedUntrustedInternalConnections * Adding subpath support for allowing interactive message buttons plugin connections. --- app/post.go | 15 ++++++- app/post_test.go | 130 ++++++++++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 143 insertions(+), 2 deletions(-) (limited to 'app') diff --git a/app/post.go b/app/post.go index 312269772..30602b392 100644 --- a/app/post.go +++ b/app/post.go @@ -12,6 +12,7 @@ import ( "io" "net/http" "net/url" + "path" "regexp" "strings" @@ -882,7 +883,19 @@ func (a *App) DoPostAction(postId, actionId, userId, selectedOption string) *mod req, _ := http.NewRequest("POST", action.Integration.URL, strings.NewReader(request.ToJson())) req.Header.Set("Content-Type", "application/json") req.Header.Set("Accept", "application/json") - resp, err := a.HTTPClient(false).Do(req) + + // Allow access to plugin routes for action buttons + var httpClient *http.Client + url, _ := url.Parse(action.Integration.URL) + siteURL, _ := url.Parse(*a.Config().ServiceSettings.SiteURL) + subpath, _ := utils.GetSubpathFromConfig(a.Config()) + if (url.Hostname() == "localhost" || url.Hostname() == "127.0.0.1" || url.Hostname() == siteURL.Hostname()) && strings.HasPrefix(url.Path, path.Join(subpath, "plugins")) { + httpClient = a.HTTPClient(true) + } else { + httpClient = a.HTTPClient(false) + } + + resp, err := httpClient.Do(req) if err != nil { return model.NewAppError("DoPostAction", "api.post.do_action.action_integration.app_error", nil, "err="+err.Error(), http.StatusBadRequest) } diff --git a/app/post_test.go b/app/post_test.go index 66a141172..ae13a7627 100644 --- a/app/post_test.go +++ b/app/post_test.go @@ -142,7 +142,7 @@ func TestPostAction(t *testing.T) { } assert.Equal(t, "foo", request.Context["s"]) assert.EqualValues(t, 3, request.Context["n"]) - fmt.Fprintf(w, `{"update": {"message": "updated"}, "ephemeral_text": "foo"}`) + fmt.Fprintf(w, `{"post": {"message": "updated"}, "ephemeral_text": "foo"}`) })) defer ts.Close() @@ -229,6 +229,134 @@ func TestPostAction(t *testing.T) { err = th.App.DoPostAction(post2.Id, attachments2[0].Actions[0].Id, th.BasicUser.Id, "selected") require.Nil(t, err) + + th.App.UpdateConfig(func(cfg *model.Config) { + *cfg.ServiceSettings.AllowedUntrustedInternalConnections = "" + }) + + err = th.App.DoPostAction(post.Id, attachments[0].Actions[0].Id, th.BasicUser.Id, "") + require.NotNil(t, err) + require.True(t, strings.Contains(err.Error(), "address forbidden")) + + interactivePostPlugin := model.Post{ + Message: "Interactive post", + ChannelId: th.BasicChannel.Id, + PendingPostId: model.NewId() + ":" + fmt.Sprint(model.GetMillis()), + UserId: th.BasicUser.Id, + Props: model.StringInterface{ + "attachments": []*model.SlackAttachment{ + { + Text: "hello", + Actions: []*model.PostAction{ + { + Integration: &model.PostActionIntegration{ + Context: model.StringInterface{ + "s": "foo", + "n": 3, + }, + URL: ts.URL + "/plugins/myplugin/myaction", + }, + Name: "action", + Type: "some_type", + DataSource: "some_source", + }, + }, + }, + }, + }, + } + + postplugin, err := th.App.CreatePostAsUser(&interactivePostPlugin) + require.Nil(t, err) + + attachmentsPlugin, ok := postplugin.Props["attachments"].([]*model.SlackAttachment) + require.True(t, ok) + + err = th.App.DoPostAction(postplugin.Id, attachmentsPlugin[0].Actions[0].Id, th.BasicUser.Id, "") + require.Nil(t, err) + + th.App.UpdateConfig(func(cfg *model.Config) { + *cfg.ServiceSettings.SiteURL = "http://127.1.1.1" + }) + + interactivePostSiteURL := model.Post{ + Message: "Interactive post", + ChannelId: th.BasicChannel.Id, + PendingPostId: model.NewId() + ":" + fmt.Sprint(model.GetMillis()), + UserId: th.BasicUser.Id, + Props: model.StringInterface{ + "attachments": []*model.SlackAttachment{ + { + Text: "hello", + Actions: []*model.PostAction{ + { + Integration: &model.PostActionIntegration{ + Context: model.StringInterface{ + "s": "foo", + "n": 3, + }, + URL: "http://127.1.1.1/plugins/myplugin/myaction", + }, + Name: "action", + Type: "some_type", + DataSource: "some_source", + }, + }, + }, + }, + }, + } + + postSiteURL, err := th.App.CreatePostAsUser(&interactivePostSiteURL) + require.Nil(t, err) + + attachmentsSiteURL, ok := postSiteURL.Props["attachments"].([]*model.SlackAttachment) + require.True(t, ok) + + err = th.App.DoPostAction(postSiteURL.Id, attachmentsSiteURL[0].Actions[0].Id, th.BasicUser.Id, "") + require.NotNil(t, err) + require.False(t, strings.Contains(err.Error(), "address forbidden")) + + th.App.UpdateConfig(func(cfg *model.Config) { + *cfg.ServiceSettings.SiteURL = ts.URL + "/subpath" + }) + + interactivePostSubpath := model.Post{ + Message: "Interactive post", + ChannelId: th.BasicChannel.Id, + PendingPostId: model.NewId() + ":" + fmt.Sprint(model.GetMillis()), + UserId: th.BasicUser.Id, + Props: model.StringInterface{ + "attachments": []*model.SlackAttachment{ + { + Text: "hello", + Actions: []*model.PostAction{ + { + Integration: &model.PostActionIntegration{ + Context: model.StringInterface{ + "s": "foo", + "n": 3, + }, + URL: ts.URL + "/subpath/plugins/myplugin/myaction", + }, + Name: "action", + Type: "some_type", + DataSource: "some_source", + }, + }, + }, + }, + }, + } + + postSubpath, err := th.App.CreatePostAsUser(&interactivePostSubpath) + require.Nil(t, err) + + attachmentsSubpath, ok := postSubpath.Props["attachments"].([]*model.SlackAttachment) + require.True(t, ok) + + err = th.App.DoPostAction(postSubpath.Id, attachmentsSubpath[0].Actions[0].Id, th.BasicUser.Id, "") + require.Nil(t, err) } func TestPostChannelMentions(t *testing.T) { -- cgit v1.2.3-1-g7c22