The microservices that run inside the Appsmith container, trust each
other, and may expose sensitive API endpoints to other internal
microservices. These sensitive APIs aren't accessible by outside the
Appsmith container, protected by Caddy's routing.
This means that the backend server's ability to make user-configured
HTTP requests, can lead to SSRFs to such sensitive API calls, if it's
allowed to call APIs on localhost.
In other words, Caddy establishes a trust boundary that protects these
internal APIs from outside the container. But we lack such a trust
boundary for the backend's plugins (API plugin, Elasticsearch plugin,
etc.). This PR solves that.
In this PR, we block both IPv4 and IPv6 loopback addresses.
No additional changes needed on EE, no conflicts, and all unit and
Cypress tests pass.
**/test all**
<!-- This is an auto-generated comment: Cypress test results -->
> [!TIP]
> 🟢🟢🟢 All cypress tests have passed! 🎉🎉🎉
> Workflow run:
<https://github.com/appsmithorg/appsmith/actions/runs/9590358198>
> Commit: 5445c70aa873942c3edae9fbfcc57a6d2554b815
> <a
href="https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=9590358198&attempt=2"
target="_blank">Cypress dashboard</a>.
> Tags: ``
<!-- end of auto-generated comment: Cypress test results -->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
- **New Features**
- Improved handling of disallowed hosts by dynamically computing based
on environment variables, offering more flexibility and control.
- **Refactor**
- Enhanced the `makeWebClient()` method to use a more efficient approach
for creating WebClient objects with custom configurations.
- **Chores**
- Added an `ENV` declaration for `IN_DOCKER` in the Dockerfile to better
manage Docker-specific configurations.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
5a1ec0c591