  • #373819
Closed
Issue created Sep 14, 2022 by Mansoor Khan @khanmansoor 2️⃣ Developer

Fix potential security issues in webhook payloads

Report

Summary

GitLab introduced a new group Webhook event for premium users in version 13.7 (documentation). This webhook sends information to a configured URL whenever a user is added or removed from the group. The requests made to the URL contain the added user's primary (hidden) email address.

During the review process of the bug fix for issue #364266, a suspicion arose regarding a similar security leak in other related areas (webhook events). This issue is created as a follow-up based on the review comment to investigate and address the security flaw.

As part of this issue, we need to:

  1. Investigate webhooks that might be leaking private emails
  2. Redact private email as it is done in this issue.
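
The two steps above can be prototyped as an audit helper run over captured webhook bodies. This is an added example, not GitLab's code or the fix from the linked issue; the sample payload, its field names, the `[REDACTED]` placeholder and the allow-list of public emails are constructed assumptions.

```ruby
require 'json'

REDACTED    = '[REDACTED]' # assumed placeholder string, not taken from the issue
EMAIL_VALUE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

# Walk a decoded payload and yield [path, value] for every string that is an email.
def each_email(node, path = [], &block)
  case node
  when Hash   then node.each { |k, v| each_email(v, path + [k.to_s], &block) }
  when Array  then node.each_with_index { |v, i| each_email(v, path + [i.to_s], &block) }
  when String then yield(path, node) if node.match?(EMAIL_VALUE)
  end
end

# Step 1: list payload paths that carry an email the user has not made public.
def find_leaks(payload, public_emails)
  allowed = public_emails.map(&:downcase)
  leaks = []
  each_email(payload) { |path, v| leaks << path.join('.') unless allowed.include?(v.downcase) }
  leaks
end

# Step 2: return a copy of the payload with every non-public email replaced.
def redact(node, public_emails)
  allowed = public_emails.map(&:downcase)
  case node
  when Hash  then node.transform_values { |v| redact(v, public_emails) }
  when Array then node.map { |v| redact(v, public_emails) }
  when String
    node.match?(EMAIL_VALUE) && !allowed.include?(node.downcase) ? REDACTED : node
  else node
  end
end

# Constructed sample body for a "user added to group" event (illustrative fields only).
SAMPLE = JSON.parse(<<~JSON)
  {"event_name": "user_add_to_group", "group_name": "example-group",
   "user_username": "jdoe", "user_email": "jdoe.private@example.com",
   "reviewers": [{"username": "asmith", "email": "asmith.public@example.com"}]}
JSON
PUBLIC = ['asmith.public@example.com'].freeze # emails the users chose to expose

if $PROGRAM_NAME == __FILE__
  puts "leaking paths: #{find_leaks(SAMPLE, PUBLIC).inspect}"
  puts JSON.pretty_generate(redact(SAMPLE, PUBLIC))
end
```

Running `find_leaks` again on the redacted copy is a cheap regression check for each webhook type under investigation.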