Openai key leakages #12473

Closed
wants to merge 4 commits into from

alex4321

Description:

By default, the ChatOpenAI and OpenAIEmbeddings implementations do not hide openai_api_key from their repr implementation.

This may lead to key leakages. For example, I was working on a project in a Jupyter Notebook; I am used to showing intermediate stages, and I am far from being cautious. So I did something like:

key = _read_key_from_some_gitignored_env_file()
input = ChatPromptTemplate.from_messages([SystemMessagePromptTemplate.from_template("Foobar")])
chat = ChatOpenAI(openai_api_key=key)
chain = input | chat
chain

or, for instance (you can run this code in a Python interactive session):

from langchain.chat_models import ChatOpenAI
ChatOpenAI(openai_api_key="sk-TEST")

You can see this output:

ChatOpenAI(client=<class 'openai.api_resources.chat_completion.ChatCompletion'>, openai_api_key='sk-TEST', openai_api_base='', openai_organization='', openai_proxy='')

And since I was used to showing intermediate stages, I showed what the chain is without noticing that it contains the key.

Fortunately, OpenAI monitors key leakages on their side, but they can only do it on public resources, like public GitHub repositories.

This PR:

  • adds tests regarding this matter
  • fixes OpenAIEmbeddings::__repr_args__ and ChatOpenAI::__repr_args__ in such a way that repr(someobject) does not contain openai_api_key anymore:
from langchain.chat_models import ChatOpenAI
ChatOpenAI(openai_api_key="sk-TEST")
ChatOpenAI(client=<class 'openai.api_resources.chat_completion.ChatCompletion'>, openai_api_base='', openai_organization='', openai_proxy='')

No openai_api_key="sk-TEST" anymore

  • Dependencies:

No additional dependencies
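
The leak and the `__repr_args__` fix described in this PR, as an added example that is not code from the PR or from LangChain. `MiniModel`, `LeakyChat`, `RedactedChat`, `Chain` and `leaks` are hypothetical stand-ins; `MiniModel` only imitates the pydantic `__repr_args__` hook so the block runs without third-party packages.

```python
# Added example: stand-in classes, not LangChain code.
SECRET_FIELDS = frozenset({"openai_api_key"})


class MiniModel:
    """Minimal stand-in for a pydantic model: repr is built from __repr_args__."""

    def __init__(self, **fields):
        self.__dict__.update(fields)

    def __repr_args__(self):
        return list(self.__dict__.items())

    def __repr__(self):
        args = ", ".join(f"{k}={v!r}" for k, v in self.__repr_args__())
        return f"{type(self).__name__}({args})"


class LeakyChat(MiniModel):
    """Behaviour before the fix: every field, including the key, is printed."""


class RedactedChat(MiniModel):
    """Behaviour after the fix: secret fields are dropped from repr output."""

    def __repr_args__(self):
        return [(k, v) for k, v in super().__repr_args__() if k not in SECRET_FIELDS]


class Chain(MiniModel):
    """Stand-in for `prompt | chat`: its repr recurses into its steps."""


def leaks(obj, secret):
    """Regression check: does the secret show up in any display form of obj?"""
    return any(secret in text for text in (repr(obj), str(obj), f"{[obj]}"))


KEY = "sk-TEST"  # constructed sample value, same placeholder as in the PR text
leaky = LeakyChat(openai_api_key=KEY, openai_api_base="")
fixed = RedactedChat(openai_api_key=KEY, openai_api_base="")

if __name__ == "__main__":
    print(repr(Chain(first="prompt", last=leaky)))  # key visible via nested repr
    print(repr(Chain(first="prompt", last=fixed)))  # key absent
```

In this stand-in the redaction only covers display: the key is still a plain attribute of the object, so `vars(fixed)` or any serializer that walks the fields would still expose it.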


@dosubot dosubot bot added Ɑ: models Related to LLMs or chat model modules 🤖:bug Related to a bug, vulnerability, unexpected error with an existing feature labels Oct 28, 2023
@eyurtsev
Collaborator

Hi @alex4321, thanks for the contribution. Could you take a look at this issue and follow the guidelines there for making the change: #12165

Collaborator

@eyurtsev eyurtsev left a comment

Hi @alex4321 👋 -- take a look here: #12473

@eyurtsev eyurtsev self-requested a review October 29, 2023 02:29
@hwchase17 hwchase17 closed this Jan 30, 2024
@baskaryan baskaryan reopened this Jan 30, 2024
baskaryan pushed a commit that referenced this pull request May 1, 2024
**Description:** Add tests to check API keys and Active Directory tokens
are masked
**Issue:** Resolves #12165 for OpenAI and Azure OpenAI models
**Dependencies:** None

Also resolves #12473 which may be closed.

Additional contributors @alex4321 (#12473) and @onesolpark (#12542)