zlacker

[return to "GitHub Copilot available for JetBrains and Neovim"]
1. pugets+Nr[view] [source] 2021-10-27 19:49:33
>>orph+(OP)
Copilot is crazy. The other day, I was writing a Python function that would call a Wikipedia API. I pulled from the internet an example of a GET request, and pasted it as a comment in my code.

  # sample call: https://en.wikipedia.org/w/api.php?action=query&format=json&list=geosearch&gscoord=37.7891838%7C-122.4033522&gsradius=10000&gslimit=100
Then I defined a variable,

  base_url = "https://en.wikipedia.org/w/api.php?"
Then, like magic, Copilot suggested all the remaining keys that would go in the query params. It even knew which params were to be kept as-is, and which ones would come from my previous code:

  action = "query"  # action=query
  format = "json"  # or xml
  lat = str(latitude.value)  # 37.7891838
  lon = str(longitude.value)  # -122.4033522
  gscoord = lat + "%7C" + lon
  ...
  api_path = base_url + "action=" + action + "&format=" + format + ... + "&gscoord=" + gscoord
As a guy who gets easily distracted while programming, Copilot saves me a lot of time and keeps me engaged with my work. I can only imagine what it'll look like 10 years from now.
◧◩
2. lucide+cc1[view] [source] 2021-10-28 01:05:25
>>pugets+Nr
This comment is accidentally the perfect example of why copilot is a horrific idea.

The old "just copy-paste from Stack Overflow" approach to development is satirised and ridiculed these days (despite being still in common practice I'm certain), because as we all know so well by now, an accepted answer on SO does not always equate to a correct answer. Yes, the SO guys & community do do their best to improve answer quality iteratively (wiki answers, etc.), but there's still a lot of bad answers, and even many of the "good" ones become outdated or don't keep up with modern best-practice (especially when it comes to security).

Omitting urlencoding isn't the biggest crime, but it is a pretty standard URL-building step, and the fact that a tool released this year is spitting out code that omits something so simple is fairly damning. It's also a micro-example of much larger errors Copilot will surely be responsible for. Missing url encoding can be an injection vector in many applications, even if it's not the most common risk, but miss encoding in other string-building ops and you've made your way into the OWASP Top 10.

The big difference between copilot and SO is there's no community engaging in an open & transparent iterative process to improve the quality of answers.

◧◩◪
3. omegal+Dk1[view] [source] 2021-10-28 02:26:49
>>lucide+cc1
+1. URL encoding is also very relevant on the backend and has security implications, e.g., you want to be sure you are protecting against double encoded URLs. If you elide details like URL encoding using copilot that's dangerous.
[go to top]