►
From YouTube: Mercado Libre's SAST Team and CodeQL #DemoDays
Description
Mercado Libre (NASDAQ: MELI) is Latin America’s leading e-commerce platform, and LATAM's most valuable company by market capitalization.
In this edition of Demo Days, we join MELI's Static Application Security Testing (SAST) team. We’ll learn about their unique approach to application security, and how they are using GitHub CodeQL to secure the code that powers a platform with over 132M active users.
Valeria: https://www.linkedin.com/in/valeria-silvestri/
Camila: linkedin.com/in/camila-seoane-053361227
Natalia: https://www.linkedin.com/in/natalia-lucia-pesaresi-b835a1183/
Lucia: https://www.linkedin.com/in/lucia-ines-romero-4a099114a/
https://codeql.github.com/
A
Hello,
hello:
everyone
welcome
back
to
demo
days
thanks.
Everyone
for
joining
us
today
today
is
going
to
be
particularly
exciting,
as
instead
of
us
talking
about
how
we
do
things
at
github
we're
going
to
explore
application
security
from
the
perspective
of
one
of
the
largest
e-commerce
platforms
in
latin
america.
B
C
That's
right,
joseph
thank
you
so
much
everyone
for
joining
us
and
we
are
super
thrilled
to
be
joined
by
this
power
team
of
engineers,
ready
to
dig
in
they're
going
to
share
their
experience
with
us.
How
they've
been
utilizing
cookie
well
and
over
all
their
experience
with
star
application
security
testing.
So
without
further
ado,
let's
get
started.
Welcome,
valeria,
natalia
lucia
camilla.
Welcome.
Welcome,
thank
you
for
being
here
with
us
today
joseph
go
right
in.
D
C
E
Yeah
sure,
as
luciasl,
our
main
goal
is
to
catch
vulnerabilities
before
they
get
to
production.
So
the
first
place
where
we
want
to
be
is
scanning
pull
requests
right,
so
we
scan
for
requests
looking
for
mercado
libre's,
most
common
vulnerabilities,
and
when
we
find
some,
we
block
the
pull
request.
That
is,
you
can't
merge
until
you
fix
it,
and
a
blocking
pull
request
is
a
big
deal.
You
know
with
great
power
comes
great
responsibilities
and
static.
E
Analysis
comes
with
false
positives,
that's
how
it
is
so
developers
they
can
report
these
false
positives,
and
this
will
stop
blocking
the
pull
request
and
then
later
we'll
review
these
reports
and
use
the
feedback
to
improve
our
queries.
E
That's
our
main
goal:
that's
the
the
first
thing
we
implemented,
but
then
we
said
we
can't
stop
here
and
so
from
a
security
perspective.
You
don't
want
to
know
only
the
new
vulnerabilities.
We
you
want
to
know
all
of
them,
so
we
started
scanning
the
whole
code
base
and
looking
for
legacy
vulnerabilities
and,
on
the
other
hand,
developers
started
asking
us
for
a
way
to
run
this
scan
on
their
own
computers
before
pushing
a
change
to
a
repository.
E
So
we
developed
also
a
command
line
tool
that
they
could
run
in
their
local
environment.
It
would
output
the
results
in
a
serif
format,
so
they
can
see
them
in
visual
studio
and
I
think
that's
a
good
sum
up
of
what
we're
doing
in
soft.
C
That's
amazing,
thank
you
so
much
for
sharing
and
also
thank
you
for
showing
love
to
the
legacy
code
basis.
That's
something
that
not
all
teams
take
care
of,
and
you
know
it's
important
to
get
over
that
technical
debt,
especially
when
it
comes
to
security.
So
natalia
question
for
you
because
of
course,
maybe
you
used
another
tool
in
the
past.
I'd
love
to
know
if
you
or
your
team
have
used
any
other
sas
tools
before.
F
B
D
Okay,
the
first
time
we
heard
about
codeql
was
back
in
2019.
I
think
we
learned
about
microsoft
experience
and
we
thought
you
know
yeah,
that's
exactly
what
we
need,
but
later
in
2020
last
year,
when
assembly
joined
github,
we
are
here
in
mecca
olivia.
We
got
github
enterprise.
So
that's
when
our
journey
with
ql
started.
C
Yeah
such
a
great
partnership
there
we
love
that
team
that
horse
went
through
so
all
right,
well
wondering
about.
You
know
the
beginning,
learning
new
things:
natalia
camilla,
I
love.
If
you
could
share
a
little
bit
about
how
you
personally
got
started,
writing
queries.
C
Was
it
difficult
just
a
little
bit
of
sort
of
your
journey?
Ramping
up
it'd
be
great
if
we
could
share
with
our
audience.
F
Yes,
it
was
a
lot
of
trial
and
error.
Some
some
steps
were
easier
than
other,
but
we
just
first.
We
searched
the
cochlear
repository
for
examples
because
we
didn't
know
about
the
language
and
there
are
lots
of
queries
in
all
the
language
supported,
so
it
was
held
for
for
us.
Then
we
had
training
sessions
with
the
github
team
to
solve
a
specific
problems
we
were
having
with
with
some
things
and
when
we
were
ready,
we
wrote
our
own
documentation
and
our
workshops
for
our
mates,
so
camilla
took
one
of
those
workshops.
G
Yes,
in
my
case,
I
participated
in
the
internal
cultural
training
that
the
girl
did
where
they
took
the
github
training
as
a
basis.
The
documentation
that
they
were
peering
together
was
very,
very
useful
for
me,
where
I
had
step
by
step
on
how
to
fail
learning
in
order
to
get
to
the
point
of
making
my
own
query
and
improving
the
existing
queries,
it
was
very
helpful
to
do
a
research
on
the
queries
that
they
already
had
implemented.
There
was
also
a
lot
of
trial
and
error.
Yes,.
B
G
Yes,
the
four,
the
four
of
user,
the
qr
developers
maintain
were
the
ones
who
write
to
queries
to
scan
and
block
pull
requests.
We
need
to
achieve
a
high
quality
standard.
We
also
tell
qr
to
the
rest
of
the
application
security
team.
Some
of
them
write
a
quick
queries
to
assist
them
in
pen
test.
E
Okay,
camila
said
our
main
goal
is
usually
to
find
vulnerabilities.
E
So
when
you
want
to
write
a
new
query,
the
first
thing
we
do
is
to
decide
like
a
generic
pattern
that
describes
this
vulnerability,
and
then
we
start
searching
on
the
mercado
libres
code
to
find
the
many
variants
in
this
where
vulnerability
could
appear,
because
developers
can
get
really
creative,
so
yeah.
We
need
to
to
know
all
these
different
ways
of
doing
the
same
thing
and
then,
of
course,
we
also
need
to
know
how
to
fix
this
vulnerability
and
again
the
many
ways
of
fixing
it.
E
So
once
we
had
all
these
these
examples
and
we
start
writing
the
actual
query
and
we
try
to
support
at
least
most
of
the
bad
cases
and
the
good
cases
right
and
the
whole
thing
about
this
process
is
that
once
you're
done
you're
aware
of
most
of
the
false
positives
and
false
negatives,
you
can
get
right
because
you
first
had
the
examples.
E
The
the
other
use
for
call
qa
here
at
marco
liure
is
usually
related
to
interesting
for
code
exploration
in
the
recon
stage.
Culturally
is
very
useful
to
list
all
the
end
points
and
map
the
attack
surface.
So
that's
the
other
guys.
C
That's
so
interesting.
Thank
you
so
much
for
sharing
that
I
love
I
mentioned
that
developers
are
very
creative,
yeah,
of
course,
and
then
it
takes
you
know.
Obviously
it
takes
a
great
team
of
super
smart
folks
like
yourselves
to
stay
on
top
of
everything
that
comes
in
to
making
sure
that
code
is
secured.
So
that's
amazing,
thank
you
for
sharing
that
another
amazing
component
to
cook
ql
itself.
Of
course,
it's
equal
system,
the
fact
that
the
queries
are
open
source
and
you
touch
a
little
bit
about
how
you
started.
C
D
D
So
we
have
to
model
those
those
private
libraries
we
have
a
bunch
of
them,
and
so
we
have
to
model
that
and
then
extend
these
open
source
queries,
but
we
even
model
quite
a
different
pattern
for
some
queries
due
to
our
internal
architecture
and
as
bali
said
before
as
the
way
things
are
done
here
in
belka
libre,
so
also
because
of
the
way
we're
using
coql.
D
As
wally
said
before
in
our
continuous
integration
pipeline
and
block
input
requests,
we
needed
the
queries
to
be
like
extremely
accurate,
so
we
pay
close
attention
to
reducing
positives
modeling,
a
significant
number
of
sanitizers
and
sanitized
cigars.
D
They
have
for
those
in
in
the
medium
sanitizer
guys
are
like
in
transitions
like
in
simple
words,
functions
that
make
your
code
safe
so
and
these
sanitizers,
and
also
this
quite
of
unique
way.
We
model
some
vulnerable
patterns
are
the
new
contributions
that
we
made
to
the
calculus
repository,
so
two
server
side
request.
Forgery.
Queries
are
now
in
the
experimental
folder
for
both
both
go
and
javascript.
C
Thank
you
so
much.
I
was
going
to
ask
you
about
that.
Actually,
next,
obviously,
because
the
nature
of
the
queries
being
open
source
and
the
fact
that
you're
now
contributing
back,
why
it's
so
important,
you
know
to
look
a
little
bit
beyond
consumption
and
start
seeing
how
you
can
contribute,
for,
I
guess
the
greater
good
of
the
ecosystem
joseph.
Do
you
got
any
thoughts
on
that?
C
I
know
this
is
something
that
we
talk
about
a
lot
internally,
about
the
importance
of
contributing
to
open
source,
how
you
know,
maybe
going
beyond
finding
your
solution
and
seeing
how
you
can
help
others
find
their
solutions
right.
B
Of
course,
open
source
is
all
about
giving
back
to
the
community,
and
here
at
github
we
have.
We
have
a
community
of
people
contributing
back
to
cyber
security
through
code
12
queries.
One
of
these
are
with
us
today
and
thank
you
so
much
again
for
being
with
us,
but
we
also
have
a
huge
amount
of
people
that
love
cyber
security
and,
of
course,
they'll
have
to
give
back
to
us
their
knowledge
through
codifying
this
knowledge
in
code
ql.
B
C
You
said
it:
that's
that's
the
beauty
of
it.
Yes
for
sure,
so
I'm
definitely
a
huge
advocate
for
that,
and
I
know
this
team
is
being
as
they're
contributing
back
to
the
ecosystem,
so
lucia
you
mentioned.
There
are
two
now
queries
that
are
available
that
you
contributed
back,
maybe
at
the
end
of
the
show,
we
can
link
that
in
our
notes.
C
Aj
in
the
production
booth
can
link
that
to
the
notes,
so
that
folks,
who
are
watching,
can
take
a
look
and
then
just
kind
of
explore
and
see
what
what
you
give
them
back
and
then
maybe
you
can
give
people
ideas
on
how
they
can
actually
start
getting
their
queries.
Ready
to,
you
know,
go
back
into
the
contribution,
so
that's
awesome.
C
C
Well,
we'll
go
back
in
touching
into
open
source
a
little
bit
later,
but
then
I'm
gonna
pass
it
on
to
joseph
now,
and
we
have
a
question
for
everybody
joseph.
If
you
wouldn't
mind
asking
and
then
maybe
after
that,
we
can
take
a
look
through
the
chat
and
see
if
there
are
any
questions
for
either
joseph
myself
or
the
team.
Anything
that
we
can.
You
know,
help
the
folks
who
are
watching
so
that
they
can
get
started
in
their
journey
with
coql
or
anything
that
they
can
learn
from
this
amazing
sas
team.
B
G
F
D
So,
for
me,
one
of
the
most
important
things
to
consider
is
to
contribute
with
a
solution
to
a
problem
that
has
no
solution
at
the
time.
For
sure
you
could
code.
I
don't
know
a
jason
double,
it
doesn't
say
some
web
token
library
that
is
better
than
any
library
made
before,
but
it's
kind
of
odd.
D
So
if
this
is
your
first
time
contributing
to
open
source,
keep
it
simple,
so
I
guess
the
most
organic
way
to
contribute
is
you
know
you
have
a
problem,
maybe
at
work
or
maybe
while
you're
studying
whatever,
and
there
is
no
solution,
at
least
in
the
open
source
community.
D
So
there
you
have,
you
could
build
that
up
and
then
maybe
make
a
request
if
this
is
an
addition
to
an
existing
project
but
and
a
big
fact
here,
if
it's
not
if
you're,
considering
like
creating
a
new
framework
or
library
or
whatever,
you
have
to
be
aware
of
the
responsibilities
that
come
with
that
project.
You
know
no
security
team
wants
yet
another
of
an
open
source
library
in
the
wild.
D
So
no
security
upgrades-
and
I
don't
know-
maybe
then
a
mysterious
developer-
comes
to
save
the
day
and
take
care
of
the
orphan
library.
No,
I
think
that
we
all
know
how
that
ends.
So
maybe
a
good
way
of
contributing
for
the
first
time
is
to
add
some
functionality
to
an
existing
project.
You
know,
maybe,
when
you
are
already
using
it.
E
Yeah,
I
I
think
contributing
to
open
source
is
a
lot
about
giving
back
to
the
community.
I
wanted
to
talk
about
our
experience
and
contributing
to
cultural
and,
with
the
server
side
requests
for
free
inquiries.
We
we
have
our
queries
that
they
were
running.
We
we
knew
they
worked
because
we
use
it
here
in
america,
but
and
what
I
want
to
to
tell
us
advice
is:
it
will
take
time
to
contribute.
E
You
have
to
adapt
that
query
to
the
open
source
repository
that
may
have
a
different
quality
standards
and
they
may
ask
a
form
for
changes
or
corrections
or
whatever,
and
so
that
takes
time
and
effort,
but
I
think
it's
it's
worth
it
because
in
the
end,
you
end
up
with
a
better
query
for
yourself
too,
so
that
it's
it's
a
it's
a
great
experience
and
we
hope
we
can
find
another
query
to
give
back
to.
C
Thank
you,
that's.
This
is
some
of
the
best
advice
I've
heard
lately,
like
I'm
taking
notes
myself.
I
hope
the
folks
who
are
joining
us
are
also
taking
notes.
Thank
you
so
much
for
being
so
open
to
sharing
candidly
advice
like
this.
It's
free
for
you
today
watching
demo
days
and
security,
but
it
does
not
come
easy
and
I
know
the
four
of
you
are
speaking
from
experience,
which
is
so
incredibly
valuable.
So
thank
you
so
much.
I
agree
with
lucas
kundari.
C
We
have
lucas
on
the
chat,
saying
you
are
impressive
professionals,
because,
yes,
of
course
you
are
thank
you
thank
you.
So
we
have
a
question
from
folks
who
have
been
taking
a
look,
and
I
think
maybe
valeria
you
can
help
us
with
this
one,
and
this
is
a
good
one.
So
how
do
you
go
about
choosing
what
query
to
build?
First.
E
Okay,
yeah
good
question
and
first
you
you
need
to
have
a
problem.
So
usually
in
a
company
like
marco
libre,
you
have
a
different
resources
that
report
vulnerabilities,
maybe
a
backbone
t
program.
Maybe
an
internal
issue
tracker
I
don't
know,
but
you
have
to
take
a
a
lot
of
metrics
check
what
what's
the
the
worst
one
for
you
right
for
your
context,
and
you
want
to
choose
a
vulnerability
and
a
language,
because
it
is
an
essential
query
for
javascript
or
golang
or
shawa
or
whatever.
E
E
So
it's
usually
about
a
information
which
query
which
vulnerability
do
you
have
more
information
about
and
which
ones
are
maybe
the
most
critical
for
you
or
them
like
you
have
a
lot
of
them
right
would
say
sorry,
I
would
suggest
a
going
for
a
quick
win
first
and
then
a
adding
effort
to
two
dollars.
F
C
Of
course,
when
you're
doing
your
job
so
well
that
there's
gonna
be
right,
you're
gonna
run
the
risk
of
having
those
false
positives
and
I'm
assuming.
Obviously
that
comes
from
experience
and
understanding
the
patterns.
And
then
you
know
you
just
get
better
at
it
right,
but
I
can
see
how
folks
will
get
really.
You
know
a
little
bit
on
edge
anything
that
kind
of
stops
functionality.
So
that's
awesome,
though,
thank
you
so
much
for
sharing.
I
appreciate
that
advice.
I
think
there
is
another
question
about
limitations.
C
B
D
Okay,
I
I
think
I
have
like
different
things
to
to
answer
to
that.
First
of
all,
I
think
that
out
the
scale
of
maca,
liver
and
also
what
I
said
before
being
in
the
continuous
integration
pipeline
and
blocking
the
request,
we
had
to
be
really
careful
with
the
queries
we
made
because
yeah
we
don't
want
to
be
blocking
like
six
thousands
yeah,
six
thousand
of
repositories
at
once,
so
be
very
careful
about
that
about
performance,
not
that
much
right
now
we
are
using
the
lg
tm
server.
D
We
didn't
have
much
problems
with
performance,
maybe
another
problems,
but
not
with
performance
and
nowadays
we're
trying
the
advanced
security
that
it's
on
github
and
we
have
to
figure
out
some
things
on
that.
But
what
I
think
the
most
important
thing
to
say
about
this,
this
question,
let
me
think
yeah
is
also
what
valeria
said
before
manny
just
said.
Everything
that
I
want
to
say
is
these
things
about.
We
have
to
do
a
lot
of
tests
and
a
lot
of
examples
about
these
queries
and
all
these
coding
examples.
D
But
mercury
is
really
big,
so
everything
is
changing
us
in
the
technology
world.
Of
course,
but
everything
is
everything
is
changing
and
you
have
like
a
million
ways
to
do
anything,
so
sometimes
we
are
behind
with
validators
with
sanitizers
and
cigars.
Sometimes
we
are
behind
even
with
new
libraries
that
could
be
seeing
for
our
queries,
so
we
got
new,
false
negatives
that
we
didn't
know
before.
So
I
think
that
it's
the
most
like
challenging
about
this
big
company,
michael
oliver.
I
don't
know
if
that
answered
the
question,
but
it's
what
I
thought.
Sorry.
E
Yeah,
I
have
something
as
well
and
not
related
to
performance
but
yeah
to
the
scale.
Since
we
have
so
many
repositories
and
so
many
developers,
we
get
a
lot
of
false
positive
reports
that
we
have
to
keep
up
and
we
review
them
once
every
two
weeks
and
it's
not
enough.
E
C
Yeah,
thank
you
so
much.
I
think
that
definitely
covers
the
question.
So
in
a
big
thanks
to
santiago
rodriguez
for
asking
the
question,
I
appreciate
it.
It's
a
tough
one
and
then
I
I
really
appreciate
all
of
you
being
here
today.
I
mean
I
feel,
like
I
learned
a
lot
about
the
process
of
a
team
such
as
yours.
I
am
super
impressed.
The
marketplace
is
so
huge,
132
million
folks.
C
So
for
those
of
you
who
are
watching
and
think
that
maybe
wow
yeah,
if
I
break
something
you
know
my
team
is
gonna
really
shout
at
me
or
something
I
mean,
imagine
having
132
million
users
and
able
to
to
use
your
platform
so
wow
wow.
So
thank
you.
Thank
you.
So
much
for
sharing
that
joseph.
I
don't
know
if
you
have
anything
to
add
when
it
comes
about
scale,
maybe
we
can
add
that
and
while
we
take
a
look,
I
think
there's
there
might
be
another
question
coming
in.
B
The
scale
is
impressive:
like
andra
said,
132
million
users
have
an
attack
surface.
That
is
huge.
Not
so
many
companies
in
the
world
have
to
process
so
much
data
and,
at
the
same
time,
have
a
production
that
can
support
real-time
cyber
security
at
this
scale.
B
So
a
sas
team
that
is
working
with
state-of-the-art
tools
like
yourselves,
have
to
have
another
challenge
as
well,
which
is
not
just
only
to
keep
up
with
the
latest
trends
of
cyber
security
every
day,
but
also
to
adapt
your
tooling
to
match
these
trends
and
as
software
evolves
exponentially,
and
cyber
security
evolves
linearly.
You
have
to
everyday
close
that
gap.
So
for
me
this
is
very
impressive
and
I
really
want
to
know
even
more
on
top
of
what
I've
learned
today.
C
A
hundred
percent,
so
I
think
we
we
have
a
question
on
the
chat
and
maybe
if
we
can
get
to
the
questions
you
know
for
sure,
maybe
we
can
try
and
touch
on
the
notes
after
but
joseph,
if
you
don't
mind,
taking
a
look
and
see,
if
maybe
that's
the
question
that
you
might
answer
yeah
and
the
meanwhile
again,
I'm
super
excited
that
all
of
you
joined
us
today.
For
those
of
you
watching
this
fantastic
team
is
on
linkedin,
so
find
them
adam.
C
I
think
once
we
publish
this
video,
we'll
add
their
direct
urls
into
the
notes
so
that
you
can
learn
from
them
follow
them
because
they
have
definitely
a
lot
to
teach
us.
What.
B
Do
you
think
you're
saying
thank
you
from
ankit
thanks
so
much
for
asking
ankit?
The
question
is:
does
code12
help
identify
causes
of
most
common
zero-day
attacks
identified
in
past
and
possibly
and
possibilities
to
removing
them
before
they
could
happen?.
G
D
No,
not
not
for
new
ones,
but
maybe
for
we
have
some
other
two
for
open
source
libraries
or
open
source
code
where
we
kind
of
try
to
respond
the
most
quickly
we
can
to
surveys
and
serve
these
attacks.
I
don't
know
if
any
of
the
girls
want
to
add
up
something.
B
It
definitely
answers
the
question,
and
I
want
to
add,
on
top
of
that,
aren't
you
that,
of
course,
the
nature
of
zero
day
vulnerabilities
is
that
they
are
problems
that
are
seen
for
the
very
first
time,
like
our
amazing
team
here
said
before,
they
are
also
looking
for
variant
of
those
zero-day
vulnerabilities,
which
is
something
that
cultural
can
definitely
help
with
like,
for
example,
it
can
be
a
new
zero
day,
something
that
we
haven't
found
before,
but
it's
very
similar
to
a
previous
run
and
code.
B
Ql
can
definitely
pick
this
up
before
becoming
a
new
problem
in
a
range
of
databases.
C
Absolutely
thank
you
so
much.
Thank
you
both
for
adding
that.
I
think
that
that
definitely
answered
the
question.
Are
we
done?
Is
it
over
and
away?
We,
I
think,
we're
coming
to
the
end
of
our
time.
So
joseph,
would
you
just
give
us
a
brief
overview
of
what
we
learned
today
and
yeah.
Thank
you
like
this
has
been
we've.
B
Learned
so
much
absolutely
helpful
and
we
can
make
a
little
summary
of
what
we've
learned
so
today,
throughout
this
through
this
very
informative
session,
with
the
sas
team
of
mercado
libre,
we
learn
how
they
leverage
the
power
of
code2l
towards
secure
software
for
those
joining
our
conversation.
Late
codeql
has
two
main
goals.
First,
is
to
explore
code
towards
finding
vulnerabilities
using
queries
and,
second,
to
make
these
queries.
C
Yes,
thank
you
so
much.
I
just
want
to
take
another
moment
to
thank
each
and
every
one
of
you
camilla,
natalia
valeria,
lucia.
It's
been
an
absolute
pleasure
to
learn
from
you
today.
Thank
you
so
much
for
everything
you
do
in
the
open
source
ecosystem
as
well,
and
always
looking
to
see
how
you
can
contribute
back.
C
That's
super
inspirational
and
then,
of
course,
I
have
to
share
the
melody
team
is
amazing.
Their
engineering
team
is
amazing
and
they
have
a
wonderful
blog
that
all
of
you
can
access
right.
Now,
it's
free,
it's
gonna,
be
on
medium
and
there
is
a
ton
of
information
there
beyond
security,
so
you
can
learn
about
how
they
leverage
our
technologies
to
run
this
very,
very
impressive
platform
and
keeping
their
users
available
and
ready
to
you
know,
hey
buy
or
do
all
the
things
that
they
do
on
the
platform.
C
So
again,
thank
you
so
very
much
to
the
melee
team.
It's
been
an
absolute
pleasure
and
an
honor
to
have
you
with
us
today,
folks
who
are
watching,
don't
forget
to
follow
them
on
linkedin,
so
you
can
stay
in
the
loop
of
their
amazing
work
and
you
can
also
follow
joseph
joseph
I'll
give
out
your
handles
at
some
point,
but
thank
you
so
much
team.
Really
it's
been.
It's
been
an
absolute
delight.
We
appreciate
you
being
here
with
us
today.
C
C
Thank
you.
Thank
you,
mali.
Thank
you,
mellie
team.
Thank
you
so
much.
We
need
to
have
you
again.
I
love
this.
So
thank
you
all
so
much
and
thank
you.
Everyone
watching
at
home
and
we'll
see
you
next
time.
I
want
to
say
the
next
demolish
is
going
to
be
next
year.
What
maybe
not
aj
correct
me
if
I'm
wrong
2022
here
we
come
so
thanks
again.
Everyone
thank
you
for
joining.
Thank
you,
joseph
you're,
a
fabulous
co-host.
Thank.