use CustomURLValidator in custom_button

CHANGELOG.md

@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Modified `check_escalation_finished_task` celery task to use read-only databases for its query, if one is defined +
   make the validation logic stricter + ping a configurable heartbeat on successful completion of this task ([1266](https://github.com/grafana/oncall/pull/1266))
 
+- Add `URLValidatorWithoutTLD` for domains without TLDs like container hostnames. This will let them to be added as outgoing webhooks if `DANGEROUS_WEBHOOKS_ENABLED` is set to true ([1398](https://github.com/grafana/oncall/pull/1398)).  
 ### Changed
 
 - Updated wording throughout plugin to use 'Alert Group' instead of 'Incident' ([1565](https://github.com/grafana/oncall/pull/1565),

engine/apps/api/serializers/custom_button.py

@@ -1,6 +1,6 @@
 from collections import defaultdict
 
-from django.core.validators import URLValidator, ValidationError
+from django.core.validators import ValidationError, URLValidator
 from rest_framework import serializers
 from rest_framework.validators import UniqueTogetherValidator
 
@@ -9,6 +9,8 @@
 from common.api_helpers.utils import CurrentOrganizationDefault, CurrentTeamDefault
 from common.jinja_templater import apply_jinja_template
 from common.jinja_templater.apply_jinja_template import JinjaTemplateError, JinjaTemplateWarning
+from common.api_helpers.utils import URLValidatorWithoutTLD
+from apps.base.utils import live_settings
 
 
 class CustomButtonSerializer(serializers.ModelSerializer):
@@ -41,7 +43,10 @@ class Meta:
     def validate_webhook(self, webhook):
         if webhook:
             try:
-                URLValidator()(webhook)
+                if live_settings.DANGEROUS_WEBHOOKS_ENABLED:
+                    URLValidatorWithoutTLD()(webhook)
+                else:
+                    URLValidator()(webhook)
             except ValidationError:
                 raise serializers.ValidationError("Webhook is incorrect")
             return webhook

engine/apps/api/tests/test_custom_button.py

@@ -11,6 +11,8 @@
 from apps.api.permissions import LegacyAccessControlRole
 
 TEST_URL = "https://amixr.io"
+URL_WITH_TLD = "http://www.google.com"
+URL_WITHOUT_TLD = "http://container:8080"
 
 
 @pytest.fixture()
@@ -477,3 +479,36 @@ def test_custom_button_from_other_team_without_flag(
 
     response = client.get(url, format="json", **make_user_auth_headers(user, token))
     assert response.status_code == status.HTTP_403_FORBIDDEN
+
+
+@pytest.mark.django_db
+@pytest.mark.parametrize(
+    "dangerous_webhooks,webhook_url,expected_status",
+    [
+        (True, URL_WITH_TLD, status.HTTP_201_CREATED),
+        (True, URL_WITHOUT_TLD, status.HTTP_201_CREATED),
+        (False, URL_WITH_TLD, status.HTTP_201_CREATED),
+        (False, URL_WITHOUT_TLD, status.HTTP_400_BAD_REQUEST),
+    ],
+)
+def test_url_without_tld_custom_button(
+    custom_button_internal_api_setup,
+    make_user_auth_headers,
+    settings,
+    dangerous_webhooks,
+    webhook_url,
+    expected_status,
+):
+    settings.DANGEROUS_WEBHOOKS_ENABLED = dangerous_webhooks
+
+    user, token, _ = custom_button_internal_api_setup
+    client = APIClient()
+    url = reverse("api-internal:custom_button-list")
+
+    data = {
+        "name": "amixr_button",
+        "webhook": webhook_url,
+        "team": None,
+    }
+    response = client.post(url, data, format="json", **make_user_auth_headers(user, token))
+    assert response.status_code == expected_status

engine/common/api_helpers/utils.py

@@ -2,6 +2,9 @@
 from urllib.parse import urljoin
 
 import requests
+import re
+from django.core.validators import URLValidator
+from django.utils.regex_helper import _lazy_re_compile
 from django.conf import settings
 from django.utils import dateparse, timezone
 from icalendar import Calendar
@@ -45,6 +48,34 @@ def __repr__(self):
         return "%s()" % self.__class__.__name__
 
 
+class URLValidatorWithoutTLD(URLValidator):
+    """
+    Overrides Django URLValidator Regex. It removes the tld part because
+    most of the time, containers don't have any TLD in their urls and such outgoing webhooks
+    can't be registered.
+    """
+
+    host_re = (
+        "("
+        + URLValidator.hostname_re
+        + URLValidator.domain_re
+        + URLValidator.tld_re
+        + "|"
+        + URLValidator.hostname_re
+        + "|localhost)"
+    )
+
+    regex = _lazy_re_compile(
+        r"^(?:[a-z0-9.+-]*)://"  # scheme is validated separately
+        r"(?:[^\s:@/]+(?::[^\s:@/]*)?@)?"  # user:pass authentication
+        r"(?:" + URLValidator.ipv4_re + "|" + URLValidator.ipv6_re + "|" + host_re + ")"
+        r"(?::[0-9]{1,5})?"  # port
+        r"(?:[/?#][^\s]*)?"  # resource path
+        r"\Z",
+        re.IGNORECASE,
+    )
+
+
 class CurrentUserDefault:
     """
     Utility class to get the current user right from the serializer field.

engine/common/tests/test_urlvalidator_without_tld.py

@@ -0,0 +1,19 @@
+from common.api_helpers.utils import URLValidatorWithoutTLD
+import pytest
+from django.core.validators import ValidationError
+
+valid_urls = ["https://www.google.com", "https://www.google", "http://conatainer1"]
+invalid_urls = ["https:/www.google.com", "htt://www.google.com/"]
+
+
+@pytest.mark.parametrize("url", valid_urls)
+def test_urlvalidator_without_tld_valid_urls(url):
+    # Test valid URLs
+    URLValidatorWithoutTLD()(url)
+
+
+@pytest.mark.parametrize("url", invalid_urls)
+def test_urlvalidator_without_tld_invalid_urls(url):
+    # Test an invalid URL
+    with pytest.raises(ValidationError):
+        URLValidatorWithoutTLD()(url)