#GitHubCoPilot 🤖 – Is CoPilot sharing security credentials ? Let’s take a look. Spoiler: NO

Hi !

One of the most common questions that I see around CoPilot is related to sensitive information, like keys, database connection strings, etc. So, I decided to run a couple of tests and show that CoPilot is not sharing sensitive information from public data sources.

Let’s start with a simple book class, and the request to CoPilot to save a Book to a SQL database.

[Image: copilot save to sql server db]

This is the generated code:

# save a book to a sql server database
def save(book):
    import pymysql
    conn = pymysql.connect(host='localhost',user='root',password='',db='book_db')
    cur = conn.cursor()
    sql = 'insert into book(title,author,price,isbn) values(%s,%s,%s,%s)'

And we can see the use of a set of credentials when the connection is opened. So, this brings up the question: are those credentials copied from a public repo? I did a quick search of that line on GitHub, and I got zero results back, and it makes sense.

[Image: copilot search from db credentials in github no results]

CoPilot generated specific code to connect to a db named “book_db”, which is my current work context. This is an example of how:

CoPilot is not doing a search, then copy and paste; CoPilot is generating code using the trained AI model.

Let me share other CoPilot suggested solutions.

This one uses an ODBC connection string to connect to the database.

# save a book to a azure sql server database
def save_book_to_azure_sql(book):
    import pyodbc
    server = 'server'
    database = 'database'
    username = 'username'
    password = 'password'
    cnxn = pyodbc.connect('DRIVER={ODBC Driver 17 for SQL Server};SERVER='+server+';DATABASE='+database+';UID='+username+';PWD='+ password)
    cursor = cnxn.cursor()
    cursor.execute("insert into books(title,author,price,isbn) values (?,?,?,?)", (book.title,book.author,book.price,book.isbn))

This one creates the table for books first.

def save_book(book):
    db_filename = 'booklist.db'
    import sqlite3
    conn = sqlite3.connect(db_filename)
    c = conn.cursor()
    c.execute('''CREATE TABLE IF NOT EXISTS booklist(
    title TEXT,
    author TEXT,
    price INT,
    isbn INT)''')
    c.execute("INSERT INTO booklist VALUES(?,?,?,?)",(book.title,book.author,book.price,book.isbn))

But I see some very specific credential information in the suggested code!

Yes, I continued analyzing some of the proposed solutions, and I finally found one with some more specific credentials. In the next example, it seems that the server name [DESKTOP-5PQFQ2G\SQLEXPRESS] is a very specific Windows machine.

def save_to_azure_sql_server(book):
    import pyodbc
    server = r'DESKTOP-5PQFQ2G\SQLEXPRESS'
    database = 'book_library'
    username = 'sa'
    password = '1234'
    driver= '{ODBC Driver 17 for SQL Server}'
    cnxn = pyodbc.connect('DRIVER='+driver+';SERVER='+server+';PORT=1433;DATABASE='+database+';UID='+username+';PWD='+ password)
    cursor = cnxn.cursor()
    sql = "INSERT INTO books(title,author,price,isbn) VALUES(?,?,?,?)"

It may also exist, so let’s search in GitHub for that machine name. No surprises here, it’s a CoPilot generated name.

[Image: copilot search from windows machine name in github returns no results]

Even Google returns no results for that Windows Machine Name.
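
The suggestions above all embed the password as a string literal (an empty root password, sa / 1234), so whatever their origin they should not be committed as suggested. The following check is an added example, not part of the original post or of CoPilot's output: it flags credential literals in Python source and accepts values read from the environment. The name list, the sample source and the BOOK_DB_PASSWORD variable are assumptions made for the example.

```python
import ast
import re

# Names treated as secrets; this list is an assumption of the example.
SECRET_NAME = re.compile(r"(passw(or)?d|pwd|secret|token)", re.I)
# A literal "PWD=value" / "password=value" written inside a connection string.
CONN_STR_SECRET = re.compile(r"(?:pwd|password)\s*=\s*[^;\s]+", re.I)

# Constructed sample, modelled on the suggestions shown in the post.
SAMPLE = '''\
import os
import pymysql

def save(book):
    conn = pymysql.connect(host='localhost', user='root', password='', db='book_db')

def save_to_sql_server(book):
    username = 'sa'
    password = '1234'

def save_from_env(book):
    password = os.environ["BOOK_DB_PASSWORD"]  # hypothetical variable name
    return connect(host='localhost', password=password)
'''


def _is_str(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_hardcoded_credentials(source):
    """Return sorted (line, reason) pairs for credential literals in source."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        # password = '1234'
        if isinstance(node, ast.Assign) and _is_str(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    findings.add((node.lineno, f"literal assigned to '{target.id}'"))
        # connect(..., password='')  (an empty password is still a finding)
        elif isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg and SECRET_NAME.search(kw.arg) and _is_str(kw.value):
                    findings.add((kw.value.lineno, f"literal passed as '{kw.arg}='"))
        # 'SERVER=db;UID=sa;PWD=1234' written out as one string
        elif _is_str(node) and CONN_STR_SECRET.search(node.value):
            findings.add((node.lineno, "secret inside connection string"))
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in find_hardcoded_credentials(SAMPLE):
        print(f"line {line}: {reason}")
```

The source is only parsed, never imported or executed, so the check can run as a pre-commit step without the database drivers installed.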


Simple close to this post: CoPilot does not perform a Search > Copy > Paste.

Happy coding!


El Bruno

More posts in my blog ElBruno.com.

More info in https://beacons.ai/elbruno
