
Block recursive web hooks

Luke Duncalfe requested to merge 329743-block-recursive-webhooks into master

What does this MR do and why?

A previous MR !75821 (merged) added logging of recursive webhooks. This MR now blocks recursive webhooks in addition to logging them.

See feature issue: #329743 (closed).

How to set up and validate locally

Setup

  1. To allow testing locally, allow webhook requests to your localhost:
    1. Go to Admin > Settings > Network (/admin/application_settings/network).
    2. Expand Outbound requests.
    3. Check Allow requests to the local network from web hooks and services.
    4. Click Save changes.
  2. Create a private token (/-/profile/personal_access_tokens).
  3. Choose a project that:
    1. you have admin rights to
    2. has a merge request
  4. Add a new Webhook to the project:
    1. Go to Settings > Webhooks.
    2. For URL add http://127.0.0.1:3000/api/v4/projects/<project-id>/merge_requests/<merge-request-iid>/add_spent_time?duration=3m&private_token=<your-token>, replacing the three placeholders with the correct details.
    3. For Trigger select "Merge request events".
    4. Uncheck Enable SSL verification.
    5. Save the Webhook.

Trigger the recursion

Tail the auth logs from your terminal: tail -f log/auth.log.

Go to the merge request and update its description.

On master the Webhook will fire recursively and log to log/auth.log each time.

On this branch, the Webhook will instead only fire once and log to log/auth.log once.

View the Webhook details

  1. Go to Settings > Webhooks.
  2. Scroll down to your webhook, and click Edit.
  3. Scroll down to Recent events.

You should only see a single event.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #329743 (closed)

Edited by Luke Duncalfe
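The reproduction above wires a webhook's URL back into the instance's own API, so every delivery edits the merge request and re-raises the event that triggered it. The following Ruby is an added illustration of one way such a loop can be detected, written for this page; it is not GitLab's code and does not describe how the MR itself implements the block. It assumes a header name (`X-Event-UUID`) and an in-memory store, both hypothetical: each outbound webhook request carries an event UUID, an inbound request that carries that UUID stays in the same chain, and a hook that has already been delivered in that chain is not delivered again. Setting `blocking: false` shows the log-only behaviour, capped so the simulation terminates.

```ruby
require 'securerandom'
require 'set'

# Added illustrative example, not GitLab's implementation. Every outbound
# webhook request carries an event UUID in a header (header name assumed).
# When an inbound API request carries that header, any webhook fired while
# handling that request is checked against the hooks already delivered under
# the same UUID. A match means the hook is being triggered by a request it
# sent itself, so the delivery is blocked.
class RecursionDetector
  HEADER = 'X-Event-UUID'.freeze # assumed header name

  def initialize(blocking: true)
    @blocking = blocking
    @fired = Hash.new { |h, k| h[k] = Set.new } # uuid => hook ids delivered
    @log = []
  end

  attr_reader :log

  # UUID for the current request: reuse the one a webhook sent us, otherwise
  # this request starts a fresh chain.
  def uuid_for(headers)
    headers[HEADER] || SecureRandom.uuid
  end

  # True if hook_id may be delivered inside chain uuid; records the delivery.
  def allow?(hook_id, uuid)
    if @fired[uuid].include?(hook_id)
      @log << "recursive webhook hook_id=#{hook_id} uuid=#{uuid}"
      return false if @blocking # log only (no block) when blocking is off
    end
    @fired[uuid] << hook_id
    true
  end
end

# Minimal stand-in for a GitLab instance: emits events to hooks and serves an
# API endpoint that, like add_spent_time, modifies the merge request and so
# emits the same event again.
class FakeInstance
  def initialize(detector, cap:)
    @detector = detector
    @cap = cap          # safety limit so an unblocked loop terminates
    @deliveries = 0
    @hooks = {}         # hook_id => proc receiving the outbound headers
  end

  attr_reader :deliveries

  def add_hook(hook_id, &endpoint)
    @hooks[hook_id] = endpoint
  end

  # "Merge request updated" raised inside request chain uuid.
  def merge_request_updated(uuid)
    @hooks.each do |hook_id, endpoint|
      next unless @detector.allow?(hook_id, uuid)
      return if @deliveries >= @cap
      @deliveries += 1
      endpoint.call(RecursionDetector::HEADER => uuid) # outbound webhook request
    end
  end

  # Inbound API call; adding spent time edits the MR, which re-raises the event.
  def api_add_spent_time(headers)
    merge_request_updated(@detector.uuid_for(headers))
  end
end

# Point the webhook at the instance's own API, as in the reproduction steps,
# trigger one user edit, and return [deliveries, recursions logged].
def simulate(blocking:, cap: 5)
  detector = RecursionDetector.new(blocking: blocking)
  instance = FakeInstance.new(detector, cap: cap)
  instance.add_hook(1) { |headers| instance.api_add_spent_time(headers) }
  instance.merge_request_updated(SecureRandom.uuid) # user edits the description
  [instance.deliveries, detector.log.size]
end

if __FILE__ == $PROGRAM_NAME
  puts 'blocking: deliveries=%d logged=%d' % simulate(blocking: true)
  puts 'log only: deliveries=%d logged=%d' % simulate(blocking: false)
end
```

With blocking on, the single user edit produces one delivery and one logged recursion; with blocking off, deliveries continue until the safety cap, which is what an unbounded loop looks like on the auth log. A real store would need an expiry on each UUID's hook set, since a fresh UUID is minted for every request that did not arrive from a webhook and the map otherwise grows without bound.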
