From dec5a2ec964c121894dd7686dab31e4bd05ef2aa Mon Sep 17 00:00:00 2001
From: MarconLP <13001502+MarconLP@users.noreply.github.com>
Date: Fri, 18 Oct 2024 22:42:55 +0200
Subject: [PATCH] fix url check and add tests
---
 .../microsoft_teams/template_microsoft_teams.py | 3 +--
 .../test_template_microsoft_teams.py | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/posthog/cdp/templates/microsoft_teams/template_microsoft_teams.py b/posthog/cdp/templates/microsoft_teams/template_microsoft_teams.py
index 8d6263e22cbe3..4881e9520f946 100644
--- a/posthog/cdp/templates/microsoft_teams/template_microsoft_teams.py
+++ b/posthog/cdp/templates/microsoft_teams/template_microsoft_teams.py
@@ -8,8 +8,7 @@
 icon_url="/static/services/microsoft-teams.png",
 category=["Customer Success"],
 hog="""
-// We'll need to check if the url starts with this string instead
-if (not inputs.webhookUrl like 'https://%.webhook.office.com/webhookb2/') {
+if (not match(inputs.webhookUrl, '^https://[^/]+.webhook.office.com/webhookb2/.*')) {
 throw Error('Invalid url');
 }
diff --git a/posthog/cdp/templates/microsoft_teams/test_template_microsoft_teams.py b/posthog/cdp/templates/microsoft_teams/test_template_microsoft_teams.py
index 2386bf386899c..0ed5f884ff2e6 100644
--- a/posthog/cdp/templates/microsoft_teams/test_template_microsoft_teams.py
+++ b/posthog/cdp/templates/microsoft_teams/test_template_microsoft_teams.py
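Review bot: The dots in the new pattern `'^https://[^/]+.webhook.office.com/webhookb2/.*'` are unescaped, so each one matches any character and a host on a different registrable domain that only resembles `webhook.office.com` passes the check. `[^/]+` also accepts `?`, `#` and `@`, so the text matched in front of `.webhook.office.com` is not guaranteed to be the host the HTTP client will connect to. Because this check is what limits where the function posts its payload, I would restrict that part to hostname characters and make the dots literal, for example `'^https://[a-zA-Z0-9.-]+[.]webhook[.]office[.]com/webhookb2/.*'`. Using `[.]` avoids having to carry a backslash through the Python and Hog string layers; whether tenant hosts can have more than one label should be confirmed before narrowing the class further. The `hog` template string continues beyond this hunk.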
@@ -43,3 +43,19 @@ def test_only_run_for_valid_url(self):
 assert (
 e.value.message == "Invalid url" # type: ignore[attr-defined]
 )
+
+ def test_only_allow_teams_url(self):
+ for url, allowed in [
+ ["https://max.webhook.office.com/webhookb2/abc", True],
+ ["https://webhook.site/def", False],
+ ["https://webhook.site/def#https://max.webhook.office.com/webhookb2/abc", False],
+ ]:
+ if allowed:
+ self.run_function(inputs=self._inputs(webhookUrl=url))
+ assert len(self.get_mock_fetch_calls()) == 1
+ else:
+ with pytest.raises(Exception) as e:
+ self.run_function(inputs=self._inputs(webhookUrl=url))
+ assert (
+ e.value.message == "Invalid url" # type: ignore[attr-defined]
+ )
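Review bot: The rejected cases in `test_only_allow_teams_url` cover an unrelated host and a fragment that carries the Teams URL, but none of them exercises the host part of the pattern, so a regex that is too loose there would still pass. I would add rejected cases for a host that differs from `webhook.office.com` only at a dot position, e.g. the constructed value `["https://max.webhookXoffice.com/webhookb2/abc", False],`, and for a URL where a query or userinfo delimiter appears before the `.webhook.office.com` text. Separately, `assert len(self.get_mock_fetch_calls()) == 1` inside the loop only holds while there is a single allowed entry, unless the mock is reset between iterations, which is not visible here. A short comment saying so, or a per-case subtest or parametrization, would keep a later second allowed URL from failing for the wrong reason.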