-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
And it was exacerbated by another bug which was causing the absence of a period to be ignored, so any username ending in a recognized filetype was blocked (e.g. "AsiMOV" in the example, or "MaasTIFF" in the comments).
I initially suspected that a regex was involved and someone forgot to escape the period, but it looks like that wasn't even the case -- the erroneous code was literally checking if the username ended in any recognized extension.
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/65954/...
TL;DR for those wondering:
- There was a yet-undisclosed security vulnerability in Gitlab usernames
- Staff member made a change to disallow usernames ending with `Mime::EXTENSION_LOOKUP.keys`, which I assume is a set of valid extensions (https://gitlab.com/gitlab-org/security/gitlab/-/merge_reques...)
- This was overly broad since it caught a lot of common names (like "asimov") (https://gitlab.com/gitlab-org/gitlab/-/issues/335278)
- The check was fixed to additionally look for a "." before the extension as well (https://gitlab.com/gitlab-org/gitlab/-/merge_requests/65954)