#GitHubCoPilot 🤖 – Is CoPilot sharing security credentials ? Let’s take a look. Spoiler: NO

Hi !

One of the most common questions that I see around CoPilot, is related to sensitive information, like keys, database connection strings, etc. So, I decided to make a couple of tests and show that CoPilot is not sharing sensitive information from public data sources.

Let’s start with a simple book class, and the request to CoPilot to save a Book to a SQL database.

copilot save to sql server db

This is the generated code:

# save a book to a sql server database
def save(book):
    import pymysql
    conn = pymysql.connect(host='localhost',user='root',password='',db='book_db')
    cur = conn.cursor()
    sql = 'insert into book(title,author,price,isbn) values(%s,%s,%s,%s)'

And we can see the use a set of credentials, when the connection is open. So, this brings the question: are those credentials copied from a public repo? I did a quick search of that line on GitHub, and I got zero results back, and it makes sense.

copilot search from db credentials in github no results

CoPilot generated specific code to connect to a db named “book_db”, which is my current work context. This is an example on how:

CoPilot is not doing a search, then copy and paste; CoPilot is generating code using the AI trained mode.

Let me share other CoPilot suggested solutions.

In this one, using a ODBC Connection String mode to connect to the database.

# save a book to a azure sql server database
def save_book_to_azure_sql(book):
    import pyodbc
    server = 'server'
    database = 'database'
    username = 'username'
    password = 'password'
    cnxn = pyodbc.connect('DRIVER={ODBC Driver 17 for SQL Server};SERVER='+server+';DATABASE='+database+';UID='+username+';PWD='+ password)
    cursor = cnxn.cursor()
    cursor.execute("insert into books(title,author,price,isbn) values (?,?,?,?)", (book.title,book.author,book.price,book.isbn))

This one creates the table for books 1st.

def save_book(book):
    db_filename = 'booklist.db'
    import sqlite3
    conn = sqlite3.connect(db_filename)
    c = conn.cursor()
    c.execute('''CREATE TABLE IF NOT EXISTS booklist(
    title TEXT,
    author TEXT,
    price INT,
    isbn INT)
    c.execute("INSERT INTO booklist VALUES(?,?,?,?)",(book.title,book.author,book.price,book.isbn))

But I see some very specific credential information in the suggested code!

Yes, I’ll continue analyzing some of the proposed solutions and, I finally find one with some more specific credentials. In the next example, it seems that the server name [DESKTOP-5PQFQ2G\SQLEXPRESS] is a very specific Windows machine.

def save_to_azure_sql_server(book):
    import pyodbc
    database = 'book_library'
    username = 'sa'
    password = '1234'
    driver= '{ODBC Driver 17 for SQL Server}'
    cnxn = pyodbc.connect('DRIVER='+driver+';SERVER='+server+';PORT=1433;DATABASE='+database+';UID='+username+';PWD='+ password)
    cursor = cnxn.cursor()
    sql = "INSERT INTO books(title,author,price,isbn) VALUES(?,?,?,?)"

It may also exists, so let’s search in GitHub for that machine name. No surprises here, it’s a CoPilot generated name.

copilot search from windows machine name in github returns no results

Even Google return no results for that Windows Machine Name.


Simple close to this post: CoPilot does not perform a Search > Copy > Paste.

Happy coding!


El Bruno

More posts in my blog ElBruno.com.

¿Con ganas de ponerte al día?

En Lemoncode te ofrecemos formación online impartida por profesionales que se baten el cobre en consultoría:

Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: