
system webhook triggers on many unselected events

Summary

We have a system webhook, which is configured for tag push events. It is receiving many other kinds of events, some containing personal data which ought not to be in the webhook target's logs.

Steps to reproduce

  1. Set up some kind of web service which can receive and record POST requests.
  2. In a self-hosted GitLab instance
  3. Configure a system webhook to trigger only on tag push events.
  4. Add a user to a team

Expected behaviour

No webhook is sent.

Actual behaviour

GitLab sends a webhook with "event_name": "user_add_to_team".

Other unwanted events being generated include project_update, user_destroy, user_create, user_failed_login (!)

Relevant logs and/or screenshots

Example unwanted webhook event

Here is a log entry from our system webhook target service, for an unwanted event.

The full webhook payload is shown in raw=..... Note that the syntax isn't JSON - the log entry shows the Rust Debug output for a serde_json::Value resulting from parsing the JSON, rather than the unparsed JSON. It does represent the whole JSON Object in the webhook payload.

2025-07-30T03:16:40.666497Z DEBUG tag2upload_service_manager::webhook: ignored: from [2607:f8f0:614:1::1274:44]: unprocessable: tag is not for us: unexpected/incomplete JSON payload: inappropriate payload: missing field `object_kind`; request = { .. }, raw=Object {"created_at": String("2018-05-31T18:10:40Z"), "event_name": String("project_update"), "name": String("binutils-avr"), "owner_email": String(""), "owner_name": String("Debian"), "owners": Array [Object {"email": String("[REDACTED]"), "name": String("Administrator")}], "path": String("binutils-avr"), "path_with_namespace": String("debian/binutils-avr"), "project_id": Number(27208), "project_namespace_id": Number(2), "project_visibility": String("public"), "updated_at": String("2025-07-30T03:16:40Z")}

Screenshot of the configuration

salsa-tag2upload-system-hook

GitLab environment

This is happening for me on Debian's GitLab instance, salsa.debian.org. Salsa is running:

GitLab Community Edition v17.11.6.

I'm not the GitLab administrator; I'm an operator of the service which is the webhook target and is receiving the unwanted events.

Possible fixes

Don't send events that weren't requested in the configuration.

Edited by 🤖 GitLab Bot 🤖
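
A receiver-side mitigation for the behaviour reported above, as an added example that is not part of the original issue or of the webhook target service's own code: accept only the event the hook was configured for, and log just the event name and field names of anything else, so personal data in unrequested payloads never reaches the target's logs. The `classify` function, the allow-list and the sample payloads are constructed for illustration, and it assumes that wanted tag push payloads carry `object_kind` set to `tag_push`.

```python
import json

# Assumption: the one event this receiver wants, keyed on `object_kind`
# (the field the page's log shows the service requiring).
WANTED_OBJECT_KINDS = {"tag_push"}


def classify(body: bytes):
    """Return (accepted, log_record).

    log_record holds no payload values other than the event name, so an
    unrequested event cannot put personal data into the receiver's logs.
    """
    try:
        payload = json.loads(body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return False, {"verdict": "rejected", "reason": "not JSON"}
    if not isinstance(payload, dict):
        return False, {"verdict": "rejected", "reason": "not a JSON object"}

    kind = payload.get("object_kind")
    if isinstance(kind, str) and kind in WANTED_OBJECT_KINDS:
        return True, {"verdict": "accepted", "object_kind": kind}

    name = payload.get("event_name")
    return False, {
        "verdict": "rejected",
        "reason": "unrequested event",
        # Length-capped in case the sender puts something unexpected here.
        "event_name": name[:64] if isinstance(name, str) else None,
        # Field names only: enough to debug, no values.
        "fields": sorted(payload.keys()),
    }


# Constructed sample payloads; the addresses are placeholders, not from the page.
SAMPLES = [
    b'{"event_name": "project_update", "name": "binutils-avr", '
    b'"owners": [{"email": "admin@example.org", "name": "Administrator"}]}',
    b'{"event_name": "user_add_to_team", "user_email": "someone@example.org"}',
    b'{"object_kind": "tag_push", "event_name": "tag_push", "ref": "refs/tags/v1.0"}',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        accepted, record = classify(sample)
        print(accepted, json.dumps(record))
```
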