ClosedBug Report: Github webhook not working after Cyberpanel Upgrade

Hello!

After upgrading to 2.4.2, the GitHub webhook stopped working properly. Configuration in Git side is good, and it seems to be delivering. The issue is that cyberpanel is not handling the requests properly, so the “Pull” command is never being executed, and neither are the commands.

According to github, this is the response being sent by CyberPanel:

{"error_message": "API request contains potentially dangerous characters: `;`, `&&`, `||`, `|`, `` ` ``, `$`, `../` are not allowed.", "errorMessage": "API request contains potentially dangerous characters."

And the request payload (I redacted it, but none of the mentioned characters were present):

{
  "ref": "refs/heads/develop",
  "before": "17b33c7055ec17944ce61259205e634279fbf5b4",
  "after": "77686a0a086fe45b08a98750587dc9f469fb2ddb",
  "repository": {
    "id": "[REDACTED]",
    "node_id": "[REDACTED]",
    "name": "[REDACTED]",
    "full_name": "[REDACTED]",
    "private": true,
    "owner": {
      "name": "[REDACTED]",
      "email": "[REDACTED]",
      "login": "[REDACTED]",
      "id": "[REDACTED]",
      "node_id": "[REDACTED]",
      "avatar_url": "[REDACTED]",
      "gravatar_id": "",
      "url": "[REDACTED]",
      "html_url": "[REDACTED]",
      "followers_url": "[REDACTED]",
      "following_url": "[REDACTED]",
      "gists_url": "[REDACTED]",
      "starred_url": "[REDACTED]",
      "subscriptions_url": "[REDACTED]",
      "organizations_url": "[REDACTED]",
      "repos_url": "[REDACTED]",
      "events_url": "[REDACTED]",
      "received_events_url": "[REDACTED]",
      "type": "User",
      "user_view_type": "public",
      "site_admin": false
    },
    "html_url": "[REDACTED]",
    "description": null,
    "fork": false,
    "url": "[REDACTED]",
    "forks_url": "[REDACTED]",
    "keys_url": "[REDACTED]",
    "collaborators_url": "[REDACTED]",
    "teams_url": "[REDACTED]",
    "hooks_url": "[REDACTED]",
    "issue_events_url": "[REDACTED]",
    "events_url": "[REDACTED]",
    "assignees_url": "[REDACTED]",
    "branches_url": "[REDACTED]",
    "tags_url": "[REDACTED]",
    "blobs_url": "[REDACTED]",
    "git_tags_url": "[REDACTED]",
    "git_refs_url": "[REDACTED]",
    "trees_url": "[REDACTED]",
    "statuses_url": "[REDACTED]",
    "languages_url": "[REDACTED]",
    "stargazers_url": "[REDACTED]",
    "contributors_url": "[REDACTED]",
    "subscribers_url": "[REDACTED]",
    "subscription_url": "[REDACTED]",
    "commits_url": "[REDACTED]",
    "git_commits_url": "[REDACTED]",
    "comments_url": "[REDACTED]",
    "issue_comment_url": "[REDACTED]",
    "contents_url": "[REDACTED]",
    "compare_url": "[REDACTED]",
    "merges_url": "[REDACTED]",
    "archive_url": "[REDACTED]",
    "downloads_url": "[REDACTED]",
    "issues_url": "[REDACTED]",
    "pulls_url": "[REDACTED]",
    "milestones_url": "[REDACTED]",
    "notifications_url": "[REDACTED]",
    "labels_url": "[REDACTED]",
    "releases_url": "[REDACTED]",
    "deployments_url": "[REDACTED]",
    "created_at": 1715705452,
    "updated_at": "[REDACTED]",
    "pushed_at": 1751470088,
    "git_url": "[REDACTED]",
    "ssh_url": "[REDACTED]",
    "clone_url": "[REDACTED]",
    "svn_url": "[REDACTED]",
    "homepage": null,
    "size": 12949,
    "stargazers_count": 1,
    "watchers_count": 1,
    "language": "JavaScript",
    "has_issues": true,
    "has_projects": true,
    "has_downloads": true,
    "has_wiki": false,
    "has_pages": false,
    "has_discussions": false,
    "forks_count": 0,
    "mirror_url": null,
    "archived": false,
    "disabled": false,
    "open_issues_count": 0,
    "license": null,
    "allow_forking": true,
    "is_template": false,
    "web_commit_signoff_required": false,
    "topics": [],
    "visibility": "private",
    "forks": 0,
    "open_issues": 0,
    "watchers": 1,
    "default_branch": "master",
    "stargazers": 1,
    "master_branch": "master"
  },
  "pusher": {
    "name": "[REDACTED]",
    "email": "[REDACTED]"
  },
  "sender": {
    "login": "[REDACTED]",
    "id": "[REDACTED]",
    "node_id": "[REDACTED]",
    "avatar_url": "[REDACTED]",
    "gravatar_id": "",
    "url": "[REDACTED]",
    "html_url": "[REDACTED]",
    "followers_url": "[REDACTED]",
    "following_url": "[REDACTED]",
    "gists_url": "[REDACTED]",
    "starred_url": "[REDACTED]",
    "subscriptions_url": "[REDACTED]",
    "organizations_url": "[REDACTED]",
    "repos_url": "[REDACTED]",
    "events_url": "[REDACTED]",
    "received_events_url": "[REDACTED]",
    "type": "User",
    "user_view_type": "public",
    "site_admin": false
  },
  "created": false,
  "deleted": false,
  "forced": false,
  "base_ref": null,
  "compare": "[REDACTED]",
  "commits": [
    {
      "id": "77686a0a086fe45b08a98750587dc9f469fb2ddb",
      "tree_id": "5893ec139285f8f5b00890a815a6ae0b66627db2",
      "distinct": true,
      "message": "improving template",
      "timestamp": "2025-07-02T17:28:02+02:00",
      "url": "[REDACTED]",
      "author": {
        "name": "[REDACTED]",
        "email": "[REDACTED]"
      },
      "committer": {
        "name": "[REDACTED]",
        "email": "[REDACTED]"
      },
      "added": [],
      "removed": [],
      "modified": [
        "index.php"
      ]
    }
  ],
  "head_commit": {
    "id": "77686a0a086fe45b08a98750587dc9f469fb2ddb",
    "tree_id": "5893ec139285f8f5b00890a815a6ae0b66627db2",
    "distinct": true,
    "message": "improving template",
    "timestamp": "2025-07-02T17:28:02+02:00",
    "url": "[REDACTED]",
    "author": {
      "name": "[REDACTED]",
      "email": "[REDACTED]"
    },
    "committer": {
      "name": "[REDACTED]",
      "email": "[REDACTED]"
    },
    "added": [],
    "removed": [],
    "modified": [
      "index.php"
    ]
  }
}

It was working properly until I upgraded (I don’t remember my previous version).

To Reproduce
What steps did you take when the issue occurred?

1. In websites, click on Manage Git
2. Configure the webhook in the Git integration, to automatically pull from main after a commit
3. The webhook won’t trigger anything in CyberPanel

Expected behavior
The webhook should trigger dbt pull and the post-pull commands

Server Details

Server Version: Ubuntu 20.04

Current Version: 2.4
Build: 2
Current Commit: 3e458c635eec765770521572ac92ccbb03e1bdfa
Latest Version: 2.4
Latest Build: 2
Latest Commit: 08f019c6c61fd9fc5d0cfc72cb0b2f306c403890

This is a known bug in CyberPanel v2.4.2 where the security middleware incorrectly blocks webhook payloads containing JSON characters like {}.

Root Cause:
The security filter treats legitimate GitHub webhook JSON data as “dangerous characters” even though webhook endpoints should be excluded from these checks.

Fix:
I’ve identified the issue in the security middleware and pushed to v2.4.2 branch, you can upgrade now.

Thanks for reporting this - it helps us improve CyberPanel for everyone!

Thanks for answering so quickly!

I upgraded the CyberPanel to the latest commit now, but the issue persists.

Should I manually restart the service or the issue should have already been fixed after the auto-update?

Can you try by upgrading again ?

Still not accepting.

Maybe we can filter by .find(‘webhook’) or by the user agent itself?

User-Agent: GitHub-Hookshot/{some_hash}

check now?

Still:

{"error_message": "API request contains potentially dangerous characters: `;`, `&&`, `||`, `|`, `` ` ``, `$`, `../` are not allowed.", "errorMessage": "API request contains potentially dangerous characters."}

Request url:

https://<my_ip>:<my_port>/websites/<my_website>/webhook

I will set up a repo on my end

checked on my end, it is fine now you can upgarde.

Now it’s solved. I upgraded it using the bash script instead of the UI tool.

Thank you very much for fixing it so quickly!