Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

API key leaked #8

Open
pat-alt opened this issue Mar 12, 2023 · 5 comments
Open

API key leaked #8

pat-alt opened this issue Mar 12, 2023 · 5 comments

Comments

@pat-alt
Copy link

pat-alt commented Mar 12, 2023

Hey hey 👋🏽

Cool package, I've just taken it for a quick tour working from within a public repo in VSCode.

This is perhaps related to #2, though that seems to have been addressed in #4. Anyway, I set the API key in the REPL and later pushed some changes (not involving the key) to remote. Immediately afterwards I received a notification from OpenAI that my key was leaked. I've searched the remote repo for the key, just to check that I haven't accidentally committed the key somehow, but found nothing.

Any idea what's going on here?

Thanks!

@rikhuijzer
Copy link

I've searched the remote repo for the key, just to check that I haven't accidentally committed the key somehow, but found nothing.

Have you done a GitHub Search in your GitHub account for the key? It must be somewhere because the leak detection is most likely triggered by GitHub. (Happened to me already one time too 😅.)

@ThatcherC
Copy link
Owner

I'm thinking the same thing - I've been using this project a fair amount and haven't had a key leak (yet?). Were you working in any non-default Julia environments? For me, the key ends up in ~/.julia/environments/v1.8/LocalPreferences.toml, but if you were in a different environment (maybe you ran pkg> activate <...>) the file would be saved to a LocalPreferences.toml file in a different directory. If that directory was checked into Github, it could be the source of the leak.

Just a wild guess! Keep us updated if you find out the cause! I'd love to fix it if it's an issue with this package.

@pat-alt
Copy link
Author

pat-alt commented Mar 16, 2023

Thanks both! Yeh I'm sure something must have gone wrong on my end. Will let you know once I've figured out what's caused this.

Thanks

@pat-alt
Copy link
Author

pat-alt commented Mar 17, 2023

I found the culprit. Seems like I committed the LocalPreferences.toml to GitHub. Should that not be automatically included in .gitignore? Have done something silly?

@ThatcherC
Copy link
Owner

Ah tricky! Glad you found it. Did you ever happen to run pkg> activate metaprogramming to start that metaprogramming directory you linked to? My understanding is that Preferences.jl will put that LocalPreferences file into whatever environment directory you're using, so if you never pkg> activate and then add ReplGPT, it'll go in somewhere like ~/.julia/environments/v1.8/LocalPreferences.toml, but if you do something like pkg> activate . it'll make a LocalPreferences.toml in whatever directory you happen to be in. If you then check that whole directory into git, you'll leak the LocalPreferences file.

I guess one solution here would be to add a LocalPreferences.toml to your .gitignore, but I wish there was a way for the ReplGPT package itself to protect the key from being included in git. However, as @rikhuijzer mentioned in #2, it is nice to keep the key as plaintext exactly so this kind of key detection can work - you wouldn't want the key to leak in a way that's undetectable but still exploitable. This is a tricky problem! Happy to keep iterating on it if any good ideas pop up!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants