From YouTube: Security Patch Process Walk Through
Description
Source Code Deep Dives - 2023 https://gitlab.com/gitlab-com/create-stage/source-code-be/-/issues/129
A: It's not a particularly in-depth one, but somebody worked on this before. Who was it?
A: The thing is, anyone on the court might have been... City maybe worked on something before, but basically, we've got lots of places in the application where we look for users based on User.find_by_any_email, which finds... I mean, it will shock everyone to learn that it finds users by any email, which includes private emails, which means that in various places in the application you could look up users based on their private email address, which could be a personal info leak.
A: So in this case, there was a previous instance of this where they fixed it. It's a few releases back, so sometime last year, but they found out that you can do it again by using commit trailers. So, when you're doing your commit message, you could mention a user by email, it gets picked up in Banzai and tries to find the user on GitLab, so it does the little hover-over name.
A: The avatar shows the user, so initially I just went and fixed that, but we also found that you can look them up... it also looks up avatars by the same thing, so you then get a user's private avatar and you could still figure out where their profile was, if that makes sense, so I've changed it too. Thankfully, this security issue was actually concise, which is the first one I've had in months that's less than 4,000 words long.
A: Basically I've just changed these usages, so it was in this one, in the Banzai commit trailers filter file, and that's all I've really changed. So this is where it's picking up the link to...
A: There's been a lot of method change in this area for quite a while. I initially did a merge request that used a method that doesn't exist, which was a weird one for me, because when I looked at the history of the file there was a better method for this which no longer exists, but I used it and it's since gone, since these changes were made and since the security fix was put in last year for the initial version of this.
A: New code into the things is just using the existing method in that regard, and that's effectively all this fixes. It's just changing it to that, and so it means that people can't be looked up, in particular by their commit email, which is often private, and they can only be looked up by their public email address if they've set it. The bigger part of this is mostly adding support into the tests, particularly around avatars, so... where is he... Rohit noticed that my initial fix was still finding their avatar, even though it was just linking to their email address.
A: Luckily, I actually do know something about the avatar system, because the exact point at which this change is implemented is the same place where I implemented caching for avatar lookups in the past, and it's somewhere in here. Where is it?
A: There we go, so...
A: I swapped over to just not doing that, because in theory it was a little bit weird for me to still just look people up by their Gravatar, but that's technically a totally public service. So if they have a Gravatar for their private commit email, I think that's totally fine, and so it just looks it up.
A: It basically defaults back to what it would be doing if there wasn't a user found for it, and the added bonus is that this is probably a speed improvement as well, because we do a lot of this all over the site where we look users up by email address, and in certain places, like the network graph, it's actually hugely inefficient, where we're passing a thousand email addresses and looking up an avatar for all 1000 people, and it's happening individually because of how it works.
A: So there's actually quite a few places where it can be quite slow. So any speed improvement in this area, like limiting how many avatars get rendered and stuff, actually helps, so it might have a side effect in other parts of the application, like we might see fewer avatars from the GitLab thing popping up in places, but if it's valid in one place it's kind of valid everywhere else: they should only be looking up people's avatars by email address with a public email address.
A: If they've supplied the user, it's fine, because you can... where is it, the actual call to get the avatar?
B: No, sorry, there it is, the code we find... well, the line that you changed to public. Yeah, I think it is it. Oh, no, sorry, that's an eve. Okay.
A: This is essentially how it works elsewhere. There is a way of calling avatar, I confuse... and you pass it a user, but there's actually another variant of... I know there is, yeah. Here you go, so when you're calling user avatar you can either supply a user or you can supply an email and it will look it up differently. So if we already have a user found somewhere, like in the application itself, it will still work as normal, but...
A: ...it'll only look up public email addresses, but yeah, it's effectively an extremely boring fix. Let me just refresh that so all the extra lines go away. Yeah, effectively the fix is that, and all the rest are the spec fixes to make it work. It's another...
A: Quite a boring security fix, but there might be more of these, because we do seem to call find_by_any_email quite a lot in the application and we probably shouldn't, so that might be something that we have to create a new issue about. But yeah, effectively, that's it. Both of my security issues this month were effectively one-line changes, but this one did break quite a lot of specs. So it's not too bad to actually have finished it in the end.
C: You go, yeah. Actually, my question is about... as far as I remember, at first this issue was severity 4 and now I see it's S2. We're just curious if you remember what was the trigger for bumping the severity.
A: I don't actually know. Yeah, you're right, it was S4.
A: Here, and yeah, I can't speed-read that to find the exact areas, but yeah, I think as far as the actual issue goes itself, I actually don't know what the original one was. Oh, that's just the release post. That's not got a huge amount of useful info in it. I don't know if the CVE mentions...
B: So, just, if I understand correctly, basically, how is the user providing the private email?
A: Yeah, so basically, when you do a... here's the good example, but basically, someone can mention somebody else by email address in the commit, yeah, because they resolved it in a few other places, like I think in issues or merge requests or something. But we might need to check that. But yeah, in the commit message you could do that because it goes through Banzai.
A: I would personally say the attack vector for this is not the most... I don't think it's the biggest problem in the world, but I think the general sort of gist is that you could mention somebody, like, you wanted to check that you've got their valid private email address, or something like that, and you can verify it. There is their email.
B: Yeah, I guess I'll probably change the message, because if you have access to the commit logs, right, which, if you have access to the repo, basically you have the commit logs, and then it has all the email addresses in there. Oh, so using that email address you can try and identify who the person is. Is that the attack? Yeah.
A: So what would be a good example of it? Like, you know how, when people steal credit card info, they do a small transaction to test that the card actually works? You can kind of use the platform to do that. To validate... I mean, it'd be a bit of a faff, but you can basically validate that you have the private email address for someone that might not be publicly obvious, so you could use it to dox people, effectively, eventually.
A: Yeah, so I think there's potential for it, but it's very much more a gitlab.com problem, I think, than a private one, and yeah, potentially even less so in there again, but well, I suppose actually on gitlab.com, because we have a lot of people who probably have old accounts and everything who just don't use them anymore, like open source people etc., there is a potential of looking people up by quite old email addresses that they may have thought they left behind, and things like that.
A: So yeah, it's a bit of an odd one. I think it is... it is an exploit, but there might be more of these, so this is just the most recent one. Maybe we do need to proactively go and search the code base for uses of this method to see if there are any other ways. The fact that I've done this change in one part of Banzai is interesting, but it's only the commit trailers part.
A: So this is just the commit trailers filter, but in theory there should be other parts of Banzai that do the same thing. So maybe, because that's just commit trailers... I mean, in theory it could happen in commit messages too, yeah. That might be all the old fixes. Could happen in... what else do we put through Banzai, like maybe diffs? That'd be kind of interesting. I don't think that would happen, but it's a possibility.
A: ...generated thing if it can't find anybody, so yeah, it sort of falls through that way. I think it's going to result in a lot fewer avatars being seen, yeah, a bit.
A: Yeah, it's a breaking change, to be honest, which I don't think I've done yet, so I might put it in as a UI breaking change, but yeah, effectively, if people want their avatars to show up in the specific situation where it's looked up by email address...
A: Yeah, I think if I stick it in the breaking changes in the security issue, it should go in the release post for it, which should be enough, I think. Yeah, basically, it will only affect it if it's in an area where they're looked up by email, which, from my experience, is a few really specific areas, so commits and anything that passes data from a commit to that sort of stuff, and things like the network graph, which does it. Oh yeah, I think there's somewhere else, but basically a few of the really old endpoints. We've got a lot of new stuff...
A: ...a lot of lookups by email address for various other info tied to commits and things, and that's where it might look a bit different, so it shouldn't have a huge effect. It's not going to break avatars for the whole site. Yep, yeah, that's... yeah! You might see a few more isometric thingies. Geometric, geometric.