
Email and slack action types don't validate host against whitelistedHosts #51417

Closed
mikecote opened this issue Nov 22, 2019 · 4 comments

Comments

@mikecote
Contributor

It seems the email and slack action types don't respect the xpack.actions.whitelistedHosts config. I've opened this issue to see if they should respect it. Otherwise we can close this.

@elasticmachine
Contributor

Pinging @elastic/kibana-stack-services (Team:Stack Services)

@mikecote
Contributor Author

@pmuellr I think you know the answer to this, feel free to close if not relevant.

@gmmorris
Contributor

I think the reason is that we added the whitelist due to the fact that anyone can configure the webhook action to point anywhere which opens us up to SSRF attacks.

In the case of Slack and email we were less worried about this (though, now that I say that... email perhaps should still be respecting it as it could be abused too) potential attack.

There was also a thought which was that for Slack & Email to work out of the box we would need to prebake the configuration with those servers in there, which could lead to confusion.

@pmuellr
Member

pmuellr commented Nov 22, 2019

We decided at some point that it's safe to have Slack and PagerDuty not go through the whitelisting, since

  1. the user can't change the endpoints for these
  2. it's a PITA if you would need to add them, to use them
  3. anyone who really cared about locking these down would probably have some network blocking on them anyway

There is already an issue open for whitelisting email though - which I will move from backlog into "todo for 7.6" - #50721

So, basically this is a DUP, AFAICT, so closing. And we could always revisit changing the need to whitelist some of these "fixed endpoint" actions - perhaps preventing them from being used at all would be a better story, for example.

Just as an aside, there is another email related issue for cloud that will help drive some of the "how can we make this work out of the box" bits - #50646
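The two comments above describe why the webhook action is checked against `xpack.actions.whitelistedHosts` (user-chosen URL, SSRF risk) and why the email action's SMTP host ought to get the same check. The following is an added example, not Kibana's own code: a host allow-list check applied both to a webhook URL and to an SMTP hostname. The config shape (`["*"]` meaning any host, otherwise a list of hostnames), the function names and the sample hosts are assumptions for illustration.

```typescript
// Added example (not Kibana's own code). Config shape assumed: whitelistedHosts is
// either ["*"] (allow everything) or an explicit list of hostnames.
type ActionsConfig = { whitelistedHosts: string[] };

// A host is allowed only if it is listed explicitly or the list contains "*".
function isHostAllowed(config: ActionsConfig, hostname: string): boolean {
  const wanted = hostname.toLowerCase();
  return config.whitelistedHosts.some((h) => h === '*' || h.toLowerCase() === wanted);
}

// Webhook actions carry a full URL chosen by the user: parse it and check its hostname.
function ensureWhitelistedUri(config: ActionsConfig, uri: string): string {
  let parsed: URL;
  try {
    parsed = new URL(uri);
  } catch (e) {
    throw new Error(`target url "${uri}" is not a valid url`);
  }
  if (!isHostAllowed(config, parsed.hostname)) {
    throw new Error(`target url "${uri}" is not in the whitelistedHosts configuration`);
  }
  return uri;
}

// Email actions carry an SMTP host rather than a URL (the gap raised in the thread):
// run the same check so the SMTP client cannot be pointed at an arbitrary host.
function ensureWhitelistedHostname(config: ActionsConfig, hostname: string): string {
  if (!isHostAllowed(config, hostname)) {
    throw new Error(`target hostname "${hostname}" is not in the whitelistedHosts configuration`);
  }
  return hostname;
}

// Constructed sample config: only the team's webhook receiver and SMTP relay are listed.
const sampleConfig: ActionsConfig = {
  whitelistedHosts: ['hooks.example.com', 'smtp.example.com'],
};

// Runs each check and reports the outcome without throwing, for a stand-alone demo.
function demo(config: ActionsConfig): string[] {
  const probes: Array<() => string> = [
    () => ensureWhitelistedUri(config, 'https://hooks.example.com/services/constructed'),
    () => ensureWhitelistedUri(config, 'http://intranet.example/'),
    () => ensureWhitelistedHostname(config, 'smtp.example.com'),
    () => ensureWhitelistedHostname(config, 'localhost'),
  ];
  return probes.map((p) => {
    try { return `allowed: ${p()}`; } catch (e) { return `rejected: ${(e as Error).message}`; }
  });
}
```

Running `demo(sampleConfig)` shows the listed webhook and SMTP hosts passing and the two unlisted targets rejected; setting `whitelistedHosts: ['*']` allows all four.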

@pmuellr pmuellr closed this as completed Nov 22, 2019