Hi!
One of the most common questions that I see around CoPilot is related to sensitive information, like keys, database connection strings, etc. So, I decided to run a couple of tests and show that CoPilot is not sharing sensitive information from public data sources.
Let’s start with a simple book class, and the request to CoPilot to save a Book to a SQL database.

This is the generated code:
# save a book to a sql server database
def save(book):
    import pymysql
    conn = pymysql.connect(host='localhost',user='root',password='',db='book_db')
    cur = conn.cursor()
    sql = 'insert into book(title,author,price,isbn) values(%s,%s,%s,%s)'
    cur.execute(sql,(book.title,book.author,book.price,book.isbn))
    conn.commit()
    conn.close()
And we can see the use of a set of credentials when the connection is opened. So, this brings up the question: are those credentials copied from a public repo? I did a quick search of that line on GitHub, and I got zero results back, and it makes sense.

CoPilot generated specific code to connect to a db named “book_db”, which is my current work context. This is an example of how CoPilot is not doing a search, then copy and paste; CoPilot is generating code using the trained AI model.
Let me share other CoPilot suggested solutions.
This one uses an ODBC connection string to connect to the database.
# save a book to a azure sql server database
def save_book_to_azure_sql(book):
    import pyodbc
    server = 'server'
    database = 'database'
    username = 'username'
    password = 'password'
    cnxn = pyodbc.connect('DRIVER={ODBC Driver 17 for SQL Server};SERVER='+server+';DATABASE='+database+';UID='+username+';PWD='+ password)
    cursor = cnxn.cursor()
    cursor.execute("insert into books(title,author,price,isbn) values (?,?,?,?)", (book.title,book.author,book.price,book.isbn))
    cnxn.commit()
    cnxn.close()
This one creates the table for books first.
def save_book(book):
    db_filename = 'booklist.db'
    import sqlite3
    conn = sqlite3.connect(db_filename)
    c = conn.cursor()
    c.execute('''CREATE TABLE IF NOT EXISTS booklist(
        title TEXT,
        author TEXT,
        price INT,
        isbn INT)
        ''')
    c.execute("INSERT INTO booklist VALUES(?,?,?,?)",(book.title,book.author,book.price,book.isbn))
    conn.commit()
    conn.close()
But I see some very specific credential information in the suggested code!
Yes, I continued analyzing some of the proposed solutions, and I finally found one with some more specific credentials. In the next example, it seems that the server name [DESKTOP-5PQFQ2G\SQLEXPRESS] is a very specific Windows machine.
def save_to_azure_sql_server(book):
    import pyodbc
    server = 'DESKTOP-5PQFQ2G\SQLEXPRESS'
    database = 'book_library'
    username = 'sa'
    password = '1234'
    driver= '{ODBC Driver 17 for SQL Server}'
    cnxn = pyodbc.connect('DRIVER='+driver+';SERVER='+server+';PORT=1433;DATABASE='+database+';UID='+username+';PWD='+ password)
    cursor = cnxn.cursor()
    sql = "INSERT INTO books(title,author,price,isbn) VALUES(?,?,?,?)"
    cursor.execute(sql,book.title,book.author,book.price,book.isbn)
    cnxn.commit()
    cnxn.close()
It may also exist, so let’s search GitHub for that machine name. No surprises here: it’s a CoPilot-generated name.

Even Google returns no results for that Windows machine name.
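Every suggestion above writes the password as a string literal (`password=''`, `password = '1234'`), so it is worth catching before a commit wherever the value came from. The following is an added example, not code from the original post or generated by CoPilot: an `ast`-based check that flags such literals in Python source. The name list, the connection-string regex and the sample (excerpts of the snippets above plus two constructed cases) are assumptions.

```python
import ast
import re

# Assumed list of names that usually hold a secret; extend it for your code base.
SECRET_NAMES = {"password", "passwd", "pwd", "secret", "token", "api_key"}
# A secret embedded directly in a connection-string literal, e.g. "...;PWD=1234".
CONN_SECRET = re.compile(r"(?i)\b(pwd|password)=([^;]+)")

# Constructed sample: excerpts of the suggestions above plus two extra cases.
SAMPLE = '''
import os
def save(book):
    conn = pymysql.connect(host='localhost', user='root', password='', db='book_db')
def save_to_azure_sql_server(book):
    username = 'sa'
    password = '1234'
    cnxn = pyodbc.connect('DRIVER=' + driver + ';UID=' + username + ';PWD=' + password)
def save_inline(book):
    cnxn = pyodbc.connect('DRIVER={ODBC Driver 17 for SQL Server};UID=sa;PWD=1234')
def save_from_env(book):
    password = os.environ["DB_PASSWORD"]  # read at run time: must not be flagged
'''

def find_hardcoded_secrets(source):
    """Return sorted (line, name, value) for each secret written as a string literal."""
    def is_str(node):
        return isinstance(node, ast.Constant) and isinstance(node.value, str)

    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and is_str(node.value):
            # password = '1234'
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id.lower() in SECRET_NAMES:
                    findings.append((node.lineno, target.id, node.value.value))
        elif isinstance(node, ast.Call):
            # connect(..., password='')  (an empty password is still a finding)
            for kw in node.keywords:
                if kw.arg and kw.arg.lower() in SECRET_NAMES and is_str(kw.value):
                    findings.append((kw.value.lineno, kw.arg, kw.value.value))
        elif is_str(node):
            # 'DRIVER=...;UID=sa;PWD=1234' written out in one literal
            for m in CONN_SECRET.finditer(node.value):
                findings.append((node.lineno, m.group(1), m.group(2)))
    return sorted(findings)

if __name__ == "__main__":
    for line, name, value in find_hardcoded_secrets(SAMPLE):
        print(f"line {line}: hard-coded {name} = {value!r}")
```

The source is only parsed, never executed, so the check can run on a suggestion before its imports or database exist.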

Conclusion
Simple close to this post: CoPilot does not perform a Search > Copy > Paste.
Happy coding!
Greetings
El Bruno
More posts in my blog ElBruno.com.
More info in https://beacons.ai/elbruno