Encrypted Web Hook tokens - interpolation

What does this MR do and why?

This adds interpolation of URL variables.

URLs may take the form:

http://{user}:{password}@example.com/{path}?token={token}

In this case we expect the hook to define variables for user, password, path, and token, which will be inserted into the URL template where specified during execution.

The interpolated URI is not logged.

URLs must not refer to missing variables, and this is enforced with a new validation.

Existing hooks may violate this validation - if they do, then their URLs will continue to be processed literally, in a backwards compatible fashion.

An existing hook with a URL such as http://example.com/{foo} will now fail during editing with a validation error.

How to set up and validate locally

No UI exists for this yet, so to test, you will need to use the console.

  1. Create a new web-hook
  2. In rails console, edit the URL, replacing parts with variables:
    hook = project.hooks.first # or something
    hook.update!(url: 'http://example.com/foo/{bar}/baz', url_variables: { 'bar' => 'wibble' })
  3. Trigger the hook
  4. See that:
    1. the hook is correctly executed
    2. the variables do not appear in log output or in the web-hook logs interface.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #361124 (closed)

Edited by Alex Kalderimis
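
The behaviour described in this merge request (validation of missing variables, literal processing of legacy URLs, and logging the template rather than the interpolated URL), as an added Ruby sketch that is not GitLab's code or part of the merge request. The module, its method names, the `{name}` placeholder pattern and the sample values are assumptions made for illustration.

```ruby
# Added sketch, not GitLab's implementation; all names here are hypothetical.
module HookUrlTemplate
  PLACEHOLDER = /\{([A-Za-z0-9_]+)\}/ # assumed placeholder syntax: {name}

  # Variable names the URL template refers to.
  def self.references(template)
    template.scan(PLACEHOLDER).flatten.uniq
  end

  # Validation on save: names used in the URL but not defined for the hook.
  def self.missing_variables(template, variables)
    references(template) - variables.keys
  end

  # URL used for the outgoing request. A template that fails validation
  # (a legacy hook) is returned unchanged, i.e. processed literally.
  def self.request_url(template, variables)
    return template unless missing_variables(template, variables).empty?

    template.gsub(PLACEHOLDER) { variables.fetch(Regexp.last_match(1)) }
  end

  # What may be written to logs: the template, never the interpolated URL.
  def self.loggable_url(template)
    template
  end

  # Check for step 4.2: names of variables whose values appear in log text.
  def self.leaked_values(log_text, variables)
    variables.select { |_name, value| log_text.include?(value) }.keys
  end
end

# Constructed sample data, following the URL form shown in the description.
TEMPLATE = 'http://{user}:{password}@example.com/{path}?token={token}'
VARS = { 'user' => 'hookbot', 'password' => 's3cr3t',
         'path' => 'notify', 'token' => 'abc123' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "request: #{HookUrlTemplate.request_url(TEMPLATE, VARS)}"
  puts "logged:  #{HookUrlTemplate.loggable_url(TEMPLATE)}"
  puts "missing: #{HookUrlTemplate.missing_variables('http://example.com/{foo}', {})}"
end
```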
