
Webhook array attributes cannot be included in custom templates

Note

With !197992 (merged), this now works and will output the entire array:

{
  "event": "{{object_kind}}",
  "project_name": "{{project.name}}",
  "jobs": {{builds}}
}

Summary

It is possible to configure a custom webhook template so that only the data you're interested in is sent on a webhook, using this syntax:

{
  "event": "{{object_kind}}",
  "project_name": "{{project.name}}"
}

However, if you attempt to include an array-type attribute such as builds from the pipeline events webhook:

Example 1

{
  "event": "{{object_kind}}",
  "project_name": "{{project.name}}",
  "jobs": "{{builds}}"
}

This will generate the following error once a webhook is triggered:

Hook execution failed: Error while parsing rendered custom webhook template: expected true (after jobs) at line 4, column 42 [parse.c:121] in '{ "event": "pipeline", "project_name": "<REDACTED>", "jobs": "[{:id=>6880518516, :stage=>"test", :name=>"build", :status=>"success", :created_at=>Fri, 17 May 2024 15:45:00.637785000 UTC +00:00,...}]" }

Naturally, accessing elements in the array produces the same error, preventing users from including only certain elements of the array:

Example 2

{
  "event": "{{object_kind}}",
  "project_name": "{{project.name}}",
  "jobs": "{{builds.id}}"
}

Steps to reproduce

  1. Configure a project with either of the two example webhook templates.
  2. Create a pipeline in the project.
  3. Review the created webhook to see that it fails with the described error.

What is the current bug behavior?

Webhook fails as GitLab cannot parse the custom template syntax to include the builds array.

What is the expected correct behavior?

Webhook is properly sent and array information is included. Users can further include only certain attributes of the included array as desired.

Because webhooks execute around 16 million times per week, the solution must be:

  • Secure
  • Very quick to render
  • Unable to be abused

See #463332 (comment 1923864868).

The implementation must receive an AppSec review.

Output of checks

This bug happens on GitLab.com

Edited by 🤖 GitLab Bot 🤖
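
The failure in Example 1 and the working form from the note, reproduced as an added example that is not GitLab's own code: a minimal placeholder renderer showing why interpolating the array's string form inside quotes breaks JSON parsing, and how serializing and escaping each value keeps the rendered body valid. The payload, the `lookup` helper, and both render functions are hypothetical and constructed for illustration.

```ruby
require "json"

# Constructed sample payload, shaped like the pipeline event fields named in the issue.
SAMPLE_PAYLOAD = {
  "object_kind" => "pipeline",
  "project" => { "name" => "demo-project" },
  "builds" => [
    { id: 101, stage: "test", name: "build", status: "success" },
    { id: 102, stage: "deploy", name: "release \"v1\"", status: "failed" }
  ]
}.freeze

QUOTED_TEMPLATE = '{ "event": "{{object_kind}}", "jobs": "{{builds}}" }'
BARE_TEMPLATE = '{ "event": "{{object_kind}}", "project_name": "{{project.name}}", "jobs": {{builds}} }'
PLACEHOLDER = /\{\{([\w.]+)\}\}/

# Hypothetical helper: resolve a dotted path such as "project.name" in the payload.
def lookup(payload, path)
  path.split(".").reduce(payload) { |node, key| node.is_a?(Hash) ? node[key] : nil }
end

# Naive rendering: every value is interpolated with to_s, so an array becomes
# its Ruby inspect form, whose embedded double quotes end the JSON string early.
def render_naive(template, payload)
  template.gsub(PLACEHOLDER) { lookup(payload, Regexp.last_match(1)).to_s }
end

# JSON-aware rendering: arrays and hashes are emitted as JSON documents, scalars
# are JSON-escaped (outer quotes dropped, the template supplies them), and the
# result must parse before it is returned.
def render_json_aware(template, payload)
  rendered = template.gsub(PLACEHOLDER) do
    value = lookup(payload, Regexp.last_match(1))
    value.is_a?(Array) || value.is_a?(Hash) ? JSON.generate(value) : JSON.generate(value.to_s)[1..-2]
  end
  JSON.parse(rendered) # raises JSON::ParserError if the template produced invalid JSON
  rendered
end

if __FILE__ == $PROGRAM_NAME
  begin
    JSON.parse(render_naive(QUOTED_TEMPLATE, SAMPLE_PAYLOAD))
  rescue JSON::ParserError => e
    puts "naive render rejected: #{e.class}"
  end
  puts render_json_aware(BARE_TEMPLATE, SAMPLE_PAYLOAD)
end
```

Escaping scalar values also means a field value containing a double quote stays inside its own string and cannot alter the structure of the rendered body.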