Bamboo 10.x WebhookTransport URL validation rejects valid internal URLs with non-standard TLDs causing "URL is invalid" / InvalidWebhookUrlException.

XMLWordPrintable

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • 10.2.21, 12.1.9
    • Affects Version/s: 10.2.13, 10.2.19
    • Component/s: Security
    • None
    • 1
    • Severity 2 - Major
    • 3

      Issue Summary

      Bamboo 10.x WebhookTransport URL validation rejects valid internal URLs with non-standard TLDs (e.g., .das), causing webhook notifications to fail with "URL is invalid" / InvalidWebhookUrlException

      Webhook notifications are a critical integration mechanism in Bamboo, commonly used to:

      • Trigger downstream CI/CD pipelines and deployment orchestration
      • Send build/deployment status to observability platforms
      • Alert incident management systems
      • Feed audit and compliance logging systems

      Steps to Reproduce

      1. Upgrade Bamboo to version 10.2.13
      2. Navigate to a Plan → Notifications → Add Notification
      3. Select "Webhooks" as the recipient type
      4. Enter a webhook URL with a non-standard/internal TLD,
      5. `e.g.: https://webhook.example.internal.das
      6. Click "Add"

      Expected Results

      The webhook URL is accepted and notifications are sent successfully, as the URL is syntactically valid and reachable from the Bamboo server. This worked correctly in Bamboo 9.x and earlier.

      Actual Results

      The UI displays "URL is invalid" and the notification cannot be saved. Additionally, any previously-saved webhooks using non-standard TLDs fail at dispatch time.

      The below exception is thrown in the atlassian-bamboo.log file:

      ERROR [18-NotificationDispatcher-:pool-19-thread-151364] [WebhookTransport] URL validation failed. URL: https://webhook.example.internal.das:443/endpoint
ERROR [18-NotificationDispatcher-:pool-19-thread-151364] [WebhookTransport] [Webhook id=XXXXXXXXX, name=Webhook Name, uuid=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX] Webhook has not been sent
com.atlassian.bamboo.notification.exception.InvalidWebhookUrlException: URL failed validation after variable substitution. This may indicate malicious content in variable values.
    at com.atlassian.bamboo.notification.transports.webhook.WebhookTransport.validateSubstitutedUrl(WebhookTransport.java:126) ~[atlassian-bamboo-core-10.2.13.jar:?]
    at com.atlassian.bamboo.notification.transports.webhook.WebhookTransport.sendNotification(WebhookTransport.java:97) ~[atlassian-bamboo-core-10.2.13.jar:?]
    at com.atlassian.bamboo.notification.NotificationDispatcherImpl.lambda$dispatchNotifications$0(NotificationDispatcherImpl.java:72) ~[atlassian-bamboo-core-10.2.13.jar:?]

      Notes:

      • URLs with non-standard TLDs (e.g., .das, .local, .corp) — FAIL
      • URLs with standard TLDs (e.g., .com, .net, .org) — PASS
      • The URL is reachable from the Bamboo server (confirmed via network connectivity)

      Workaround

      Adding a host file entry on the Bamboo server that maps a standard-TLD hostname (e.g., webhook.example.internal.com) to the IP address of your endpoint and use the .com alias in the webhook URL.

              Assignee:
              Alina-Maria Beg
              Reporter:
              AP
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: