feat(plugins): add WRAP_RESPONSE_ERROR in config to avoid SSRF when testing connections

backend/core/plugin/plugin_api.go

@@ -18,6 +18,7 @@ limitations under the License.
 package plugin
 
 import (
+	"github.com/apache/incubator-devlake/core/context"
 	"github.com/apache/incubator-devlake/core/errors"
 	"github.com/apache/incubator-devlake/core/models/common"
 	"net/http"
@@ -71,3 +72,17 @@ type ApiResourceHandler func(input *ApiResourceInput) (*ApiResourceOutput, error
 type PluginApi interface {
 	ApiResources() map[string]map[string]ApiResourceHandler
 }
+
+const wrapResponseError = "WRAP_RESPONSE_ERROR"
+
+func WrapTestConnectionErrResp(basicRes context.BasicRes, err errors.Error) errors.Error {
+	if err == nil {
+		return err
+	}
+	if !basicRes.GetConfigReader().GetBool(wrapResponseError) {
+		return err
+	}
+	statusCode := err.GetType().GetHttpCode()
+	message := "Something went wrong when testing your connection, please check your connection details."
+	return errors.HttpStatus(statusCode).New(message)
+}

backend/plugins/ae/api/connection.go

@@ -73,7 +73,11 @@ func TestConnection(input *plugin.ApiResourceInput) (*plugin.ApiResourceOutput,
 	if err = api.Decode(input.Body, &connection, vld); err != nil {
 		return nil, errors.BadInput.Wrap(err, "could not decode request parameters")
 	}
-	return testConnection(context.TODO(), connection)
+	result, err := testConnection(context.TODO(), connection)
+	if err != nil {
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
+	}
+	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }
 
 // TestExistingConnection test ae connection
@@ -94,7 +98,11 @@ func TestExistingConnection(input *plugin.ApiResourceInput) (*plugin.ApiResource
 	if err := api.DecodeMapStruct(input.Body, connection, false); err != nil {
 		return nil, err
 	}
-	return testConnection(context.TODO(), connection.AeConn)
+	result, err := testConnection(context.TODO(), connection.AeConn)
+	if err != nil {
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
+	}
+	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }
 
 // @Summary create ae connection

backend/plugins/bamboo/api/connection_api.go

@@ -72,7 +72,7 @@ func TestConnection(input *plugin.ApiResourceInput) (*plugin.ApiResourceOutput,
 	// test connection
 	result, err := testConnection(context.TODO(), connection)
 	if err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }
@@ -96,7 +96,7 @@ func TestExistingConnection(input *plugin.ApiResourceInput) (*plugin.ApiResource
 	// test connection
 	result, err := testConnection(context.TODO(), connection.BambooConn)
 	if err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }

backend/plugins/bitbucket/api/connection_api.go

@@ -86,7 +86,7 @@ func TestConnection(input *plugin.ApiResourceInput) (*plugin.ApiResourceOutput,
 	// test connection
 	result, err := testConnection(context.TODO(), connection)
 	if err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }
@@ -110,7 +110,7 @@ func TestExistingConnection(input *plugin.ApiResourceInput) (*plugin.ApiResource
 	// test connection
 	result, err := testConnection(context.TODO(), connection.BitbucketConn)
 	if err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }

backend/plugins/circleci/api/connection.go

@@ -81,7 +81,7 @@ func TestConnection(input *plugin.ApiResourceInput) (*plugin.ApiResourceOutput,
 	// test connection
 	result, err := testConnection(context.TODO(), connection)
 	if err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }
@@ -106,7 +106,7 @@ func TestExistingConnection(input *plugin.ApiResourceInput) (*plugin.ApiResource
 	// test connection
 	result, err := testConnection(context.TODO(), connection.CircleciConn)
 	if err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }

backend/plugins/feishu/api/connection.go

@@ -72,7 +72,7 @@ func TestConnection(input *plugin.ApiResourceInput) (*plugin.ApiResourceOutput,
 	// test connection
 	result, err := testConnection(context.TODO(), connection)
 	if err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }
@@ -97,7 +97,7 @@ func TestExistingConnection(input *plugin.ApiResourceInput) (*plugin.ApiResource
 	// test connection
 	result, err := testConnection(context.TODO(), connection.FeishuConn)
 	if err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }

backend/plugins/gitee/api/connection.go

@@ -89,7 +89,7 @@ func TestConnection(input *plugin.ApiResourceInput) (*plugin.ApiResourceOutput,
 	// test connection
 	result, err := testConnection(context.TODO(), connection)
 	if err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }
@@ -114,7 +114,7 @@ func TestExistingConnection(input *plugin.ApiResourceInput) (*plugin.ApiResource
 	// test connection
 	result, err := testConnection(context.TODO(), connection.GiteeConn)
 	if err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }

backend/plugins/github/api/connection_api.go

@@ -78,7 +78,7 @@ func TestConnection(input *plugin.ApiResourceInput) (*plugin.ApiResourceOutput,
 	}
 	testConnectionResult, err := testConnection(context.TODO(), conn)
 	if err != nil {
-		return nil, errors.Convert(err)
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: testConnectionResult, Status: http.StatusOK}, nil
 }
@@ -394,7 +394,7 @@ func TestExistingConnection(input *plugin.ApiResourceInput) (*plugin.ApiResource
 	}
 	testConnectionResult, testConnectionErr := testExistingConnection(context.TODO(), connection.GithubConn)
 	if testConnectionErr != nil {
-		return nil, testConnectionErr
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, testConnectionErr)
 	}
 	return &plugin.ApiResourceOutput{Body: testConnectionResult, Status: http.StatusOK}, nil
 }

backend/plugins/gitlab/api/connection_api.go

@@ -91,7 +91,7 @@ func TestConnection(input *plugin.ApiResourceInput) (*plugin.ApiResourceOutput,
 	}
 	result, err := testConnection(context.TODO(), connection)
 	if err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }
@@ -110,7 +110,7 @@ func TestExistingConnection(input *plugin.ApiResourceInput) (*plugin.ApiResource
 		return nil, errors.Convert(err)
 	}
 	if result, err := testConnection(context.TODO(), connection.GitlabConn); err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	} else {
 		return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 	}

backend/plugins/jenkins/api/connection_api.go

@@ -92,7 +92,7 @@ func TestConnection(input *plugin.ApiResourceInput) (*plugin.ApiResourceOutput,
 	// test connection
 	result, err := testConnection(context.TODO(), connection)
 	if err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }
@@ -112,7 +112,7 @@ func TestExistingConnection(input *plugin.ApiResourceInput) (*plugin.ApiResource
 	}
 	// test connection
 	if result, err := testConnection(context.TODO(), connection.JenkinsConn); err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	} else {
 		return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 	}

backend/plugins/jira/api/connection_api.go

@@ -137,7 +137,7 @@ func TestConnection(input *plugin.ApiResourceInput) (*plugin.ApiResourceOutput,
 	// test connection
 	result, err := testConnection(context.TODO(), connection)
 	if err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }
@@ -157,7 +157,7 @@ func TestExistingConnection(input *plugin.ApiResourceInput) (*plugin.ApiResource
 	}
 	// test connection
 	if result, err := testConnection(context.TODO(), connection.JiraConn); err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	} else {
 		return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 	}

backend/plugins/opsgenie/api/connection.go

@@ -75,7 +75,11 @@ func TestExistingConnection(input *plugin.ApiResourceInput) (*plugin.ApiResource
 	if err := api.DecodeMapStruct(input.Body, connection, false); err != nil {
 		return nil, err
 	}
-	return testOpsgenieConn(context.Background(), connection.OpsgenieConn)
+	testConnectionResult, testConnectionErr := testOpsgenieConn(context.Background(), connection.OpsgenieConn)
+	if testConnectionErr != nil {
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, testConnectionErr)
+	}
+	return &plugin.ApiResourceOutput{Body: testConnectionResult, Status: http.StatusOK}, nil
 }
 
 // TestConnection test opsgenie connection
@@ -93,7 +97,11 @@ func TestConnection(input *plugin.ApiResourceInput) (*plugin.ApiResourceOutput,
 	if err != nil {
 		return nil, err
 	}
-	return testOpsgenieConn(context.Background(), connection)
+	testConnectionResult, testConnectionErr := testOpsgenieConn(context.TODO(), connection)
+	if testConnectionErr != nil {
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, testConnectionErr)
+	}
+	return &plugin.ApiResourceOutput{Body: testConnectionResult, Status: http.StatusOK}, nil
 }
 
 // @Summary create opsgenie connection

backend/plugins/pagerduty/api/connection.go

@@ -65,7 +65,11 @@ func TestConnection(input *plugin.ApiResourceInput) (*plugin.ApiResourceOutput,
 	if err != nil {
 		return nil, err
 	}
-	return testConnection(context.TODO(), connection)
+	testConnectionResult, testConnectionErr := testConnection(context.TODO(), connection)
+	if testConnectionErr != nil {
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, testConnectionErr)
+	}
+	return &plugin.ApiResourceOutput{Body: testConnectionResult, Status: http.StatusOK}, nil
 }
 
 // TestExistingConnection test pagerduty connection
@@ -85,7 +89,11 @@ func TestExistingConnection(input *plugin.ApiResourceInput) (*plugin.ApiResource
 	if err := api.DecodeMapStruct(input.Body, connection, false); err != nil {
 		return nil, err
 	}
-	return testConnection(context.TODO(), connection.PagerDutyConn)
+	testConnectionResult, testConnectionErr := testConnection(context.TODO(), connection.PagerDutyConn)
+	if testConnectionErr != nil {
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, testConnectionErr)
+	}
+	return &plugin.ApiResourceOutput{Body: testConnectionResult, Status: http.StatusOK}, nil
 }
 
 // @Summary create pagerduty connection

backend/plugins/slack/api/connection.go

@@ -72,7 +72,7 @@ func TestConnection(input *plugin.ApiResourceInput) (*plugin.ApiResourceOutput,
 	// test connection
 	result, err := testConnection(context.TODO(), connection)
 	if err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }
@@ -97,7 +97,7 @@ func TestExistingConnection(input *plugin.ApiResourceInput) (*plugin.ApiResource
 	// test connection
 	result, err := testConnection(context.TODO(), connection.SlackConn)
 	if err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }

backend/plugins/sonarqube/api/connection_api.go

@@ -91,7 +91,11 @@ func TestConnection(input *plugin.ApiResourceInput) (*plugin.ApiResourceOutput,
 	if err = api.Decode(input.Body, &connection, vld); err != nil {
 		return nil, err
 	}
-	return testConnection(context.TODO(), connection)
+	testConnectionResult, testConnectionErr := testConnection(context.TODO(), connection)
+	if testConnectionErr != nil {
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, testConnectionErr)
+	}
+	return &plugin.ApiResourceOutput{Body: testConnectionResult, Status: http.StatusOK}, nil
 }
 
 // TestExistingConnection test sonarqube connection options
@@ -108,7 +112,11 @@ func TestExistingConnection(input *plugin.ApiResourceInput) (*plugin.ApiResource
 		return nil, errors.Convert(err)
 	}
 	// test connection
-	return testConnection(context.TODO(), connection.SonarqubeConn)
+	testConnectionResult, testConnectionErr := testConnection(context.TODO(), connection.SonarqubeConn)
+	if testConnectionErr != nil {
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, testConnectionErr)
+	}
+	return &plugin.ApiResourceOutput{Body: testConnectionResult, Status: http.StatusOK}, nil
 }
 
 // PostConnections create sonarqube connection

backend/plugins/tapd/api/connection.go

@@ -85,7 +85,7 @@ func TestConnection(input *plugin.ApiResourceInput) (*plugin.ApiResourceOutput,
 	// test connection
 	result, err := testConnection(context.TODO(), connection)
 	if err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }
@@ -110,7 +110,7 @@ func TestExistingConnection(input *plugin.ApiResourceInput) (*plugin.ApiResource
 	// test connection
 	result, err := testConnection(context.TODO(), connection.TapdConn)
 	if err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }

backend/plugins/teambition/api/connection.go

@@ -99,7 +99,7 @@ func TestConnection(input *plugin.ApiResourceInput) (*plugin.ApiResourceOutput,
 	// test connection
 	result, err := testConnection(context.TODO(), connection)
 	if err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }
@@ -123,7 +123,7 @@ func TestExistingConnection(input *plugin.ApiResourceInput) (*plugin.ApiResource
 	}
 	testConnectionResult, testConnectionErr := testConnection(context.TODO(), connection.TeambitionConn)
 	if testConnectionErr != nil {
-		return nil, testConnectionErr
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, testConnectionErr)
 	}
 	return &plugin.ApiResourceOutput{Body: testConnectionResult, Status: http.StatusOK}, nil
 }

backend/plugins/trello/api/connection.go

@@ -85,7 +85,7 @@ func TestConnection(input *plugin.ApiResourceInput) (*plugin.ApiResourceOutput,
 	// test connection
 	result, err := testConnection(context.TODO(), connection)
 	if err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }
@@ -109,7 +109,7 @@ func TestExistingConnection(input *plugin.ApiResourceInput) (*plugin.ApiResource
 	}
 	testConnectionResult, testConnectionErr := testConnection(context.TODO(), connection.TrelloConn)
 	if testConnectionErr != nil {
-		return nil, testConnectionErr
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, testConnectionErr)
 	}
 	return &plugin.ApiResourceOutput{Body: testConnectionResult, Status: http.StatusOK}, nil
 }

backend/plugins/zentao/api/connection.go

@@ -92,7 +92,7 @@ func TestConnection(input *plugin.ApiResourceInput) (*plugin.ApiResourceOutput,
 	// test connection
 	result, err := testConnection(context.TODO(), connection)
 	if err != nil {
-		return nil, err
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, err)
 	}
 	return &plugin.ApiResourceOutput{Body: result, Status: http.StatusOK}, nil
 }
@@ -116,7 +116,7 @@ func TestExistingConnection(input *plugin.ApiResourceInput) (*plugin.ApiResource
 	}
 	testConnectionResult, testConnectionErr := testConnection(context.TODO(), connection.ZentaoConn)
 	if testConnectionErr != nil {
-		return nil, testConnectionErr
+		return nil, plugin.WrapTestConnectionErrResp(basicRes, testConnectionErr)
 	}
 	return &plugin.ApiResourceOutput{Body: testConnectionResult, Status: http.StatusOK}, nil
 }

env.example

@@ -62,3 +62,8 @@ ENCRYPTION_SECRET=
 # Set if skip verify and connect with out trusted certificate when use https
 ##########################
 IN_SECURE_SKIP_VERIFY=
+
+##########################
+# Set if response error when requesting /connections/{connection_id}/test should be wrapped or not
+##########################
+WRAP_RESPONSE_ERROR=