Webhook array attributes cannot be included in custom templates
Summary
It is possible to configure a custom webhook template so that only the data you're interested in is sent on a webhook, using this syntax:
{
  "event": "{{object_kind}}",
  "project_name": "{{project.name}}"
}
However, if you attempt to include an array-type attribute such as builds from the pipeline events webhook:
Example 1
{
  "event": "{{object_kind}}",
  "project_name": "{{project.name}}",
  "jobs": "{{builds}}"
}
This will generate the following error once a webhook is triggered:
Hook execution failed: Error while parsing rendered custom webhook template: expected true (after jobs) at line 4, column 42 [parse.c:121] in '{ "event": "pipeline", "project_name": "<REDACTED>", "jobs": "[{:id=>6880518516, :stage=>"test", :name=>"build", :status=>"success", :created_at=>Fri, 17 May 2024 15:45:00.637785000 UTC +00:00,...}]" }
Naturally, accessing elements in the array renders the same error, preventing users from including only certain elements of the array:
Example 2
{
  "event": "{{object_kind}}",
  "project_name": "{{project.name}}",
  "jobs": "{{builds.id}}"
}
Steps to reproduce
- Configure a project with either of the two example webhook templates.
- Create a pipeline in the project.
- Review the created webhook to see that it's failing with the described error.
What is the current bug behavior?
Webhook fails as GitLab cannot parse the custom template syntax to include the builds array.
What is the expected correct behavior?
Webhook is properly sent and array information is included. Users can further include only certain attributes of the included array as desired.
Because webhooks execute around 16 million times per week, the solution must be:
- Secure
- Very quick to render
- Unable to be abused
See #463332 (comment 1923864868).
The implementation must receive an AppSec review.
Output of checks
This bug happens on GitLab.com
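The failure mode above and one structure-preserving alternative, as an added Ruby example (not GitLab's code and not a proposed implementation from the issue). The payload, the function names, the bounded placeholder pattern and the rule that a path applied to an array maps over its elements are assumptions made for this sketch.

```ruby
require 'json'

# Constructed sample data, shaped like the pipeline event in the issue.
PAYLOAD = {
  'object_kind' => 'pipeline',
  'project' => { 'name' => 'demo' },
  'builds' => [{ 'id' => 1, 'name' => 'build', 'status' => 'success' },
               { 'id' => 2, 'name' => 'deploy', 'status' => 'failed' }]
}.freeze
EXAMPLE_1 = '{"event": "{{object_kind}}", "jobs": "{{builds}}"}'
EXAMPLE_2 = '{"project_name": "{{project.name}}", "jobs": "{{builds.id}}"}'

# At most four short path segments, so matching and lookup stay bounded.
PLACEHOLDER = /\{\{(\w{1,32}(?:\.\w{1,32}){0,3})\}\}/

# Follow a dotted path; inside an array the rest of the path is applied
# to every element (assumed semantics for this example).
def lookup(data, keys)
  return data if keys.empty?
  case data
  when Hash  then lookup(data[keys.first], keys.drop(1))
  when Array then data.map { |item| lookup(item, keys) }
  end
end

# Failure mode: substitute text into the template, then parse the result.
def render_naive(template, data)
  text = template.gsub(PLACEHOLDER) { lookup(data, Regexp.last_match(1).split('.')).to_s }
  JSON.parse(text)
end

# Parse the template first, substitute inside the parsed tree, serialize once.
def render_structured(template, data)
  walk = lambda do |node|
    case node
    when Hash  then node.transform_values(&walk)
    when Array then node.map(&walk)
    when String
      whole = node.match(/\A#{PLACEHOLDER.source}\z/)
      # A lone placeholder keeps the JSON type of the value it names.
      next lookup(data, whole[1].split('.')) if whole
      node.gsub(PLACEHOLDER) do
        value = lookup(data, Regexp.last_match(1).split('.'))
        value.is_a?(String) ? value : value.to_json
      end
    else node
    end
  end
  JSON.generate(walk.call(JSON.parse(template)))
end
```

Because payload values are placed into the already parsed template and serialized once, a value containing quotes stays a single JSON string and cannot add or remove keys in the outgoing body.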