change slack action to only report on whitelisted host name (#57582) (#57740)

Previously, when using the slack action with a url which was not whitelisted, the entire URL was reported in the error. With this change, only the hostname is reported in the error.
2025-04-24 01:38:56 -04:00 · 2020-02-14 20:43:12 -05:00 · 2020-02-14 20:43:12 -05:00 · 02a6eaa7ad
commit 02a6eaa7ad
parent 4d71322a15
3 changed files with 44 additions and 6 deletions
--- a/x-pack/plugins/actions/server/builtin_action_types/slack.test.ts
+++ b/x-pack/plugins/actions/server/builtin_action_types/slack.test.ts
@ -74,6 +74,12 @@ describe('validateActionTypeSecrets()', () => {
    }).toThrowErrorMatchingInlineSnapshot(
      `"error validating action type secrets: [webhookUrl]: expected value of type [string] but got [number]"`
    );
+
+    expect(() => {
+      validateSecrets(actionType, { webhookUrl: 'fee-fi-fo-fum' });
+    }).toThrowErrorMatchingInlineSnapshot(
+      `"error validating action type secrets: error configuring slack action: unable to parse host name from webhookUrl"`
+    );
  });

  test('should validate and pass when the slack webhookUrl is whitelisted', () => {
@ -95,8 +101,8 @@ describe('validateActionTypeSecrets()', () => {
    actionType = getActionType({
      configurationUtilities: {
        ...configUtilsMock,
-        ensureWhitelistedUri: url => {
-          throw new Error(`target url is not whitelisted`);
+        ensureWhitelistedHostname: url => {
+          throw new Error(`target hostname is not whitelisted`);
        },
      },
    });
@ -104,7 +110,7 @@ describe('validateActionTypeSecrets()', () => {
    expect(() => {
      validateSecrets(actionType, { webhookUrl: 'https://api.slack.com/' });
    }).toThrowErrorMatchingInlineSnapshot(
-      `"error validating action type secrets: error configuring slack action: target url is not whitelisted"`
+      `"error validating action type secrets: error configuring slack action: target hostname is not whitelisted"`
    );
  });
 });
--- a/x-pack/plugins/actions/server/builtin_action_types/slack.ts
+++ b/x-pack/plugins/actions/server/builtin_action_types/slack.ts
@ -4,6 +4,7 @@
 * you may not use this file except in compliance with the Elastic License.
 */

+import { URL } from 'url';
 import { curry } from 'lodash';
 import { i18n } from '@kbn/i18n';
 import { schema, TypeOf } from '@kbn/config-schema';
@ -66,8 +67,17 @@ function valdiateActionTypeConfig(
  configurationUtilities: ActionsConfigurationUtilities,
  secretsObject: ActionTypeSecretsType
 ) {
+  let url: URL;
  try {
-    configurationUtilities.ensureWhitelistedUri(secretsObject.webhookUrl);
+    url = new URL(secretsObject.webhookUrl);
+  } catch (err) {
+    return i18n.translate('xpack.actions.builtin.slack.slackConfigurationErrorNoHostname', {
+      defaultMessage: 'error configuring slack action: unable to parse host name from webhookUrl',
+    });
+  }
+
+  try {
+    configurationUtilities.ensureWhitelistedHostname(url.hostname);
  } catch (whitelistError) {
    return i18n.translate('xpack.actions.builtin.slack.slackConfigurationError', {
      defaultMessage: 'error configuring slack action: {message}',
--- a/x-pack/test/alerting_api_integration/security_and_spaces/tests/actions/builtin_action_types/slack.ts
+++ b/x-pack/test/alerting_api_integration/security_and_spaces/tests/actions/builtin_action_types/slack.ts
@ -94,7 +94,7 @@ export default function slackTest({ getService }: FtrProviderContext) {
          name: 'A slack action',
          actionTypeId: '.slack',
          secrets: {
-            webhookUrl: 'http://slack.mynonexistent.com',
+            webhookUrl: 'http://slack.mynonexistent.com/other/stuff/in/the/path',
          },
        })
        .expect(400)
@ -103,7 +103,29 @@ export default function slackTest({ getService }: FtrProviderContext) {
            statusCode: 400,
            error: 'Bad Request',
            message:
-              'error validating action type secrets: error configuring slack action: target url "http://slack.mynonexistent.com" is not whitelisted in the Kibana config xpack.actions.whitelistedHosts',
+              'error validating action type secrets: error configuring slack action: target hostname "slack.mynonexistent.com" is not whitelisted in the Kibana config xpack.actions.whitelistedHosts',
+          });
+        });
+    });
+
+    it('should respond with a 400 Bad Request when creating a slack action with a webhookUrl with no hostname', async () => {
+      await supertest
+        .post('/api/action')
+        .set('kbn-xsrf', 'foo')
+        .send({
+          name: 'A slack action',
+          actionTypeId: '.slack',
+          secrets: {
+            webhookUrl: 'fee-fi-fo-fum',
+          },
+        })
+        .expect(400)
+        .then((resp: any) => {
+          expect(resp.body).to.eql({
+            statusCode: 400,
+            error: 'Bad Request',
+            message:
+              'error validating action type secrets: error configuring slack action: unable to parse host name from webhookUrl',
          });
        });
    });