fix(dingtalk): enforce origin validation for session webhooks

[Dusk1e]

Summary

Implemented origin validation for metadata["session_webhook"] in DingTalkAdapter.send() to prevent potential SSRF vulnerabilities.

Problem

Previously, the outbound send() method used the webhook URL from metadata without validation. While inbound requests had origin checks, an attacker could bypass this by providing a malicious webhook URL in the session metadata, potentially reaching internal network services.

Changes

• Validation Logic: Added a whitelist check in gateway/platforms/dingtalk.py to ensure only official DingTalk domains (e.g., oapi.dingtalk.com) are targeted.
• Regression Tests: Added tests in tests/gateway/test_dingtalk.py to verify:
  • Successful delivery to valid DingTalk URLs.
  • Rejection of unauthorized origins (e.g., evil.example).

Impact

Significantly improves security by closing a metadata-based SSRF vector in the DingTalk gateway adapter.

[teknium1]

Closing — session-webhook origin validation was added to main in commit 37bb4f8 (fix(dingtalk,api): validate session webhook URL origin, cap webhook cache, reject header injection), before this PR was opened. The current regex on main was further updated in #11471 to accept oapi.dingtalk.com in addition to api.dingtalk.com.

Thanks for the security attention.