Group webhooks: why can't you mask the host?
When working on a customer ticket concerning masking a Webhook, it became apparent that while you cannot mask the host portion of the URL for group webhooks, you CAN do this for project webhooks.
Our documentation does state the limitation when masking any portion of the host:
The host portion of the URL (such as
webhook.example.com
) must remain valid without using a mask variable. Otherwise, aURI is invalid
orUrl is blocked
error occurs.
The ticket this was first identified for GitLab Dedicated customer, but the same behaviour exists on Self Managed and Gitlab.com
Testing
Error when attempting to block host in group webhook:
While Project webhooks can mask even the whole URL
It is intended that group and project webhooks behave differently with masked segments?
Is there a reason for this?
I came across a related Issue: Update WebHookLog URL sanitisation to support masked segments concerning changing the Project Module from the SafeUrl module which was causing issues, to UrlSanitizer module (MR: Update WebHookLog URL sanitisation to support masked segments)
Is it that the Group Module is still using the SafeUrl module and this is the cause of the different behaviour? (this doesn't shed any light on what the reason would be...)
--