►
From YouTube: Security Patch Process Walk Through
Description
Source Code Deep Dives - 2023 https://gitlab.com/gitlab-com/create-stage/source-code-be/-/issues/129
A
A
So
in
this
case
someone
there
was
a
previous
instance
of
this
where
they
fixed
it.
It's
the
few
releases
back
so
like
is
that
sometime
last
year,
but
they
found
out
that
you
can
do
it
again
by
using
commit
trailers.
So,
when
you're
doing
your
commit
message,
you
could
mention
a
user
by
email,
gets
picked
up
in
band's
eye
and
tries
to
find
the
user
on
git
lab,
so
it
does
like
the
little
hover
over
name.
A
Avatar
shows
the
user,
so
initially
I
just
went
and
fixed
that,
but
we
also
found
that
you
can
look
them
up
it
also.
It
looks
up
avatars
by
the
same
thing,
so
you
then
get
a
user's
private
Avatar
and
you
could
still
figure
out
where
their
profile
was,
if
that
makes
sense,
so
I've
changed
it
to.
Thankfully,
this
security
issue
was
actually
concise,
which
is
the
first
one
I've
had
in
months
where
it's
like
less
than
4
000
words
long.
A
C
A
A
Swapped
over
to
just
not
doing
that
because
in
theory
it
was
a
little
bit
weird
for
me
to
still
just
look
people
up
by
like
their
gravitas,
but
that's
technically
a
totally
public
service.
So
if
they
have
a
gravatar
for
their
like
private,
commit
email,
I
think
that's
totally
fine
and
so
just
looks
up.
A
It
basically
defaults
back
to
what
it
would
be
doing
if
there
wasn't
a
user
found
for
it,
and
the
edit
bonus
is
that
this
probably
is
a
speed
Improvement
as
well,
because
we
do
a
lot
of
this
all
over
the
site
where
we
look
users
up
by
email,
address
and
in
certain
places
like
the
like.
The
network
graph
is
actually
hugely
inefficient,
where
we're
passing
like
a
thousand
email
addresses
and
looking
up
an
avatar
for
all
1000
people
and
it's
happening
individually
because
of
how
it
works.
A
So
there's
actually
quite
a
few
places
where
it
can
be
quite
slow.
So
any
speed
improvements
in
this
area,
like
limiting
how
many
avatars
get
rendered
and
stuff
actually
helps,
so
it
might
have
a
side
effect
in
other
parts
of
the
application
like
we
might
see
fewer
avatars
from
the
gitlab
thing
popping
up
in
places,
but
if
it's
valid
in
one
place
it's
kind
of
valid
everywhere
else,
they
should
only
be
looking
up
people's
avatars
by
email
address
with
a
public
email
address.
A
B
A
This
is
essentially
how
it
works
elsewhere.
There
is
a
way
of
calling
Avatar
I
confuse
and
you
pass
it
a
user,
but
there's
actually
there's
there's
another
variant
of
I
know
there
is
yeah.
Here
you
go
so
when
you're
calling
user
Avatar
you
can
either
Supply
a
user
or
you
can
supply
an
email
and
it
will
look
it
up
differently.
So
if
we
already
have
a
user
found
in
somewhere
so
like
in
the
application
itself,
it
will
still
work
as
normal,
but.
C
A
A
Quite
quite
boring
security
fix,
but
there
might
be
more
of
these
because
we
do
seem
to
call
find
by
an
email
quite
a
lot
in
the
application
and
we
probably
shouldn't
so
that
might
be
something
that
we
have
to
create
a
new
issue
about,
but
yeah
effectively.
That's
it.
It's
both
of
my
security
issues.
This
month
were
effectively
one
line
changes,
but
it
did
break
quite
a
lot
of
specs
this
one.
So
it's
not
too
bad
to
actually
have
finished
it
in
the
end.
A
C
C
A
C
A
Yeah,
so
basically,
when
you
do
a
here's,
the
good
example,
but
basically-
but
someone
can
like
mention
somebody
else
by
email
address
in
on
the
commute
in
the
commit
yeah
because
they
resolved
it
in
a
few
other
places
like
I.
Think
in
then
issues
or
murder
quests
or
something.
But
we
might
need
to
check
that
but
yeah
in
the
commit
message.
You
could
do
that
because
it
goes
through
Banzai.
B
A
It
I
would
personally
say
the
attack
Vector,
for
this
is
not
the
most
I,
don't
think
it's
the
biggest
problem
in
the
world,
but
the
I
think
the
the
general
sort
of
gist
is
that
you
could
mention.
Somebody
like
you
wanted
to
check
that
you've
got
their
validity
like
private
email
address,
or
something
like
that,
and
you
can
verify
it.
There
is
their
email.
C
B
Yeah,
I
guess
I
guess:
I'll,
probably
change
the
message
because
I
the
if
you
have
access
to
the
commit
logs
right,
which,
if
you
have
access
to
the
repo,
basically
you
have
the
commit
logs
and
then
has
all
the
email
addresses
in
there.
Oh
so
using
that
email
addressing
you
can
try
and
identify
who
the
person
is,
is
that
the
attack
yeah.
A
So
what
would
be
a
good
example
of
it?
Like
a
you
know
how,
like
people,
steal
credit
card
info,
they
do
like
a
small
transaction
to
test
that
the
card
actually
works.
You
can
kind
of
use
the
platform
to
do
that.
To
valid
I
mean
it'd,
be
a
bit
of
a
fact,
but
you
can
basically
validate
that
you
have
the
private
email
address
for
someone
that
might
not
be
like
publicly
obvious,
so
you
could
use
it
to
docs
people
effectively
eventually.
B
A
So
yeah,
it's
a
bit
of
a
an
odd
one.
I
think
it
is.
It
is
an
exploit,
but
there
might
be
more
of
these,
so
this
is
just
the
most
recent
one.
Maybe
we
do
need
to
proactively
go
and
search
the
code
base
for
use
of
this
method
to
see
if
there
are
any
other
ways.
The
fact
that
I've
done
this
change
in
one
part
of
Banzai
is
interesting,
but
it's
only
the
commit
trailers
part.
A
So
this
is
just
the
commit
trailers
filter,
but
there
in
theory,
should
be
other
parts
of
band's
eye
that
do
the
same
thing.
So
maybe
because
that's
just
commit
trailers.
I
mean
in
theory,
it
could
happen
in
commit
messages
too
yeah.
That
might
be
all
the
old
fixes
could
happen
in
what
else
do
we
put
through
bands,
like
maybe
diffs
like
that'd,
be
kind
of
interesting?
B
A
A
A
B
A
Lot
of
lookups
by
email
address
for
various
other
info
tied
to
commits
and
things,
and
that's
where
it
might
look
a
bit
different,
so
it
shouldn't
have
a
huge
effect.
It's
like
it's
not
going
to
break
avatars
for
the
whole
site.
Yep
yeah,
that's
yeah!
You
might
see
a
few
more
isometric
thingies,
geometric
geometric.