zlacker

[return to "GitHub Copilot available for JetBrains and Neovim"]
1. pugets+Nr[view] [source] 2021-10-27 19:49:33
>>orph+(OP)
Copilot is crazy. The other day, I was writing a Python function that would call a Wikipedia API. I pulled from the internet an example of a GET request, and pasted it as a comment in my code.

  # sample call: https://en.wikipedia.org/w/api.php?action=query&format=json&list=geosearch&gscoord=37.7891838%7C-122.4033522&gsradius=10000&gslimit=100
Then I defined a variable,

  base_url = "https://en.wikipedia.org/w/api.php?"
Then, like magic, Copilot suggested all the remaining keys that would go in the query params. It even knew which params were to be kept as-is, and which ones would come from my previous code:

  action = "query"  # action=query
  format = "json"  # or xml
  lat = str(latitude.value)  # 37.7891838
  lon = str(longitude.value)  # -122.4033522
  gscoord = lat + "%7C" + lon
  ...
  api_path = base_url + "action=" + action + "&format=" + format + ... + "&gscoord=" + gscoord
As a guy who gets easily distracted while programming, Copilot saves me a lot of time and keeps me engaged with my work. I can only imagine what it'll look like 10 years from now.
◧◩
2. c7DJTL+gy[view] [source] 2021-10-27 20:23:14
>>pugets+Nr
Bit of a dodgy way to form query parameters though. Other than for a quick script.
◧◩◪
3. sillys+qH[view] [source] 2021-10-27 21:11:51
>>c7DJTL+gy
Speaking as a former pentester, this is a fine way to form query params in this specific case, if lat and long are floats.

They're the only data you can control, and unless they're strings, it's useless for exploitation. Even denormal floats / INF / NAN won't help achieve an objective.

I broadly agree with you, but people are pummeling Copilot for writing code that I saw hundreds of times. Yes, sometimes I was able to exploit some of that code. But the details matter.

◧◩◪◨
4. boredt+zV[view] [source] 2021-10-27 22:59:12
>>sillys+qH
If the example code is everything that Copilot generated, there's no guarantee that lat or long are floats and that seems to be an implementation detail left to the user.

Isn't that a pretty big risk though? Specifically, that people will use co-pilot recommendations "as-is" and give little thought to the actual workings of the recommendation?

After all, if you have to intimately understand the code it's recommending are you really saving that much time over vetting a Googled solution yourself?

[go to top]