Fix potential security issues in webhook payloads
Report
Summary
GitLab introduced a new group webhook event for Premium users in version 13.7 (documentation). This webhook sends information to a configured URL whenever a user is added to or removed from the group. The requests made to the URL contain the added user's primary (hidden) email address.
During the review of the bug fix for issue #364266, a suspicion arose regarding a similar security leak in other related areas (webhook events). This issue was created as a follow-up, based on the review comment, to investigate and address the security flaw.
As part of this issue, we need to:
- Investigate webhooks that might be leaking private emails
- Redact private emails, as is done in this issue.
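
An added example (not GitLab's code) of the two tasks above: auditing a decoded webhook payload for a user's private email and redacting it. The payload field names, the `[REDACTED]` placeholder and the fallback to a public email are assumptions made for illustration.

```ruby
require 'json'

REDACTED = '[REDACTED]' # placeholder chosen for this example (assumption)

# Walk a decoded webhook payload and return the JSON path of every string
# value that contains the given private email (case-insensitive).
def leaked_email_paths(node, private_email, path = '$')
  case node
  when Hash
    node.flat_map { |k, v| leaked_email_paths(v, private_email, "#{path}.#{k}") }
  when Array
    node.each_with_index.flat_map { |v, i| leaked_email_paths(v, private_email, "#{path}[#{i}]") }
  when String
    node.downcase.include?(private_email.downcase) ? [path] : []
  else
    []
  end
end

# Return a copy of the payload in which the private email is replaced by the
# user's public email when one is set, otherwise by the placeholder.
def redact_private_email(node, private_email, public_email = nil)
  replacement = public_email.to_s.empty? ? REDACTED : public_email
  case node
  when Hash
    node.transform_values { |v| redact_private_email(v, private_email, public_email) }
  when Array
    node.map { |v| redact_private_email(v, private_email, public_email) }
  when String
    # Block form so the replacement is inserted literally.
    node.gsub(/#{Regexp.escape(private_email)}/i) { replacement }
  else
    node
  end
end

# Constructed sample payload; field names are illustrative only.
SAMPLE_PAYLOAD = JSON.parse(<<~JSON)
  {
    "event_name": "user_add_to_group",
    "user_username": "jdoe",
    "user_email": "jdoe.private@example.com",
    "changes": [{ "note": "invited JDoe.Private@example.com" }]
  }
JSON
```

Running `leaked_email_paths` over captured payloads for each webhook event type, with a test user whose primary email is hidden, shows which events still need the redaction.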