Skip to content

fix(parser): prevent webhook body with 'key' field from being silently dropped (fixes #5333)#6230

Open
asheesh-devops wants to merge 1 commit intokeephq:mainfrom
asheesh-devops:fix/5333-webhook-key-collision
Open

fix(parser): prevent webhook body with 'key' field from being silently dropped (fixes #5333)#6230
asheesh-devops wants to merge 1 commit intokeephq:mainfrom
asheesh-devops:fix/5333-webhook-key-collision

Conversation

@asheesh-devops
Copy link
Copy Markdown

@asheesh-devops asheesh-devops commented Apr 9, 2026

Summary

Fixes a bug where a workflow step POSTing a JSON body with a field named "key" would silently discard all other fields, sending only the value of the "key" field as a string instead of the full JSON object.

Root Cause

In parse_provider_parameters(), when a parameter value is a dict, the code unconditionally attempts to coerce it into a StepProviderParameter(**dict). Since StepProviderParameter only requires a key field:

class StepProviderParameter(BaseModel):
    key: str
    safe: bool = False
    default: str | int | bool = None

Any user dict containing a "key" field is silently converted — all other fields are discarded:

# User workflow:
body:
  key: ALERT
  host: "{{alert.service}}"
  time: "{{alert.lastReceived}}"

# What gets sent: "ALERT" (just the key value, everything else lost!)

The Fix

Only attempt StepProviderParameter coercion when the dict exclusively contains its known fields (key, safe, default):

# Before (broken):
try:
    parsed = StepProviderParameter(**param_value)  # Any dict with "key" gets coerced!
except Exception:
    parsed = param_value

# After (fixed):
known_fields = {"key", "safe", "default"}
if param_value.keys() <= known_fields and "key" in param_value:
    # Only coerce dicts that look like a StepProviderParameter
    parsed = StepProviderParameter(**param_value)
else:
    # User dict with extra fields — preserve as-is
    parsed = param_value

Changes

  • keep/parser/parser.py — add field validation before StepProviderParameter coercion in parse_provider_parameters()

Testing

  • A dict like {"key": "ALERT", "host": "...", "time": "..."} now passes through as-is (has extra fields beyond key/safe/default)
  • A dict like {"key": "alert.name"} still correctly becomes a StepProviderParameter (only known fields)
  • A dict like {"key": "alert.name", "safe": true, "default": "N/A"} still correctly becomes a StepProviderParameter
  • The <= (subset) check ensures forward compatibility if StepProviderParameter gains new optional fields

Fixes #5333

@asheesh-devops
fix(parser): prevent user dicts with 'key' field from being coerced t…
719e069 
…o StepProviderParameter (fixes keephq#5333)

Only attempt StepProviderParameter coercion when the dict exclusively
contains known fields (key, safe, default). User dicts with additional
fields like host, time, message are now preserved as-is.
@dosubot dosubot bot added size:S This PR changes 10-29 lines, ignoring generated files. Bug Something isn't working labels Apr 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Bug Something isn't working size:S This PR changes 10-29 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[🐛 Bug]: WebHook provider cannot POST a JSON message with a key named "key".

1 participant

@asheesh-devops