Server-Side Request Forgery risk

[zhongnansu]

The “Test Connection” functionality of the data sources page reaches out to the saved data source endpoint to make sure connection is healthy. It is possible to modify the endpoint for this resource and force the application server to attempt to access a different location.

[zhongnansu]

set to v2.19.0 for now, but may not have enough bandwidth to fix it

[zhongnansu]

Writing down the solution here for reference

1. Need to utilize managedBy config to deny "endpoint" param in test connection API, or throw error in the API handler
2. to achieve 1, we need to expose managedBy as an plugin capability (dsm plugin) to let other plugin (data source plugin) to consume