serious security bug - auto completion reveals password #21476
Comments
/cc @daxian-dbw
As far as I can tell, ssh-add is not a PowerShell command; it is a plain command-line exe.
How does PowerShell know your password if you did not previously enter it on the command line? Was the password previously entered with a hidden entry method or in the clear? For example, if I do the same on Linux
Bash on Linux will happily add anything entered on the command line to the history.
No, Linux bash will never auto-complete a passphrase.
Did you previously enter the password in plain text on the command line or as part of a hidden data entry? If you only entered the password as part of a hidden data entry, where bullets or asterisks replace the characters, then there is a problem. If you had previously entered it in plain text on the command line and PowerShell is merely completing a previously entered command then there is not a problem.
AFAICT, but this makes me wonder whether the autocompletion is being done by the terminal rather than by PowerShell.
Alternatively, the OP mistakenly typed it on the command line and it ended up in the history.
I suggest implementing a history handler in your $PROFILE like the example here: https://learn.microsoft.com/en-us/powershell/module/psreadline/set-psreadlineoption?view=powershell-7.4#example-7-use-historyhandler-to-filter-commands-added-to-history. You can filter to exclude anything with @daxian-dbw perhaps we need to add
@melspectrum It looks to me that what you observed was the prediction from history. You ran
In the instance of I don't think we should do that filtering in PSReadLine by default. You can follow the example that @StevenBucher98 pointed out above to filter out any command line that starts with
I should also add that setting the prediction source to None does not mean the history is not saved to ConsoleHost_history.txt (get the file location by running Get-PSReadLineOption). Turning predictions off just means you will not see it in your interactive shell. If you want to ensure no keys from the
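A concrete version of the filtering suggested in the two comments above, added here as an example; it is not code from this thread or from the PSReadLine project. It assumes PSReadLine 2.x (for the Microsoft.PowerShell.AddToHistoryOption enum and the HistorySavePath option); the command list, the regexes, the function names Test-SensitiveCommandLine and Remove-SensitiveHistoryLines, and the sample lines are all my own assumptions, chosen to cover the ssh-add case from the report plus the usual -Password/-Token style parameters.

```powershell
# Added example, not from the issue or the PSReadLine project. Requires PSReadLine
# 2.x (Microsoft.PowerShell.AddToHistoryOption, HistorySavePath). Put it in $PROFILE.
# The command list and regexes below are assumptions; extend them for your tooling.

# Returns $true when a command line looks like it may carry a secret in the clear.
function Test-SensitiveCommandLine {
    param([Parameter(Mandatory)][string]$Line)

    # Commands whose arguments may include a passphrase or key typed on the same
    # line (the ssh-add case from this issue is the first entry).
    $sensitiveCommands = @('ssh-add', 'openssl', 'gpg', 'net use', 'cmdkey')
    foreach ($cmd in $sensitiveCommands) {
        if ($Line -match ('^\s*' + [regex]::Escape($cmd) + '\b')) { return $true }
    }

    # Generic markers: secret-looking words, or a parameter whose name ends in a
    # secret-ish noun followed by a value (-Password x, -ClientSecret x, -AccessToken x).
    $secretPatterns = @(
        '(?i)\b(password|passphrase|passwd|secret|token|api[_-]?key|asplaintext)\b',
        '(?i)\s-\w*(Password|Token|ApiKey|Secret)\s+\S'
    )
    foreach ($pattern in $secretPatterns) {
        if ($Line -match $pattern) { return $true }
    }
    return $false
}

# Handler: matching lines are neither kept in memory (so they are never offered
# as a prediction) nor written to the history file; everything else is recorded.
Set-PSReadLineOption -AddToHistoryHandler {
    param([string]$line)
    if (Test-SensitiveCommandLine -Line $line) {
        return [Microsoft.PowerShell.AddToHistoryOption]::SkipAdding
    }
    return [Microsoft.PowerShell.AddToHistoryOption]::MemoryAndFile
}

# The handler does nothing for lines that were already persisted before it was
# installed. This rewrites the history file without them. It works line by line;
# multi-line entries (continued with a trailing backtick in the file) are
# filtered per physical line, so review the result if you use those.
function Remove-SensitiveHistoryLines {
    $historyPath = (Get-PSReadLineOption).HistorySavePath
    if (-not (Test-Path -LiteralPath $historyPath)) { return }
    $kept = Get-Content -LiteralPath $historyPath |
        Where-Object { -not (Test-SensitiveCommandLine -Line $_) }
    Set-Content -LiteralPath $historyPath -Value $kept -Encoding utf8
}

# Constructed sample lines to check the classifier interactively.
@(
    'ssh-add my-personal-private-key hunter2',
    'Get-ChildItem -Recurse *.log',
    'Connect-Foo -Server db01 -Password hunter2'
) | ForEach-Object { '{0,-5} {1}' -f (Test-SensitiveCommandLine -Line $_), $_ }
```

Two caveats a practitioner should keep in mind. First, PSReadLine's history is separate from the engine's own Get-History buffer, which the handler does not touch; a secret already typed in the running session stays in both until the session ends (or Clear-History is run for the engine side) even after the file has been scrubbed. Second, none of this helps if the secret was typed on the command line in the clear: it has already been echoed to the terminal and possibly to scrollback or a transcript, so the real fix is to let ssh-add prompt for the passphrase instead of passing it as an argument.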
This issue has been marked as by-design and has not had any activity for 1 day. It has been closed for housekeeping purposes.
📣 Hey @melspectrum, how did we do? We would love to hear your feedback with the link below! 🗣️ 🔗 https://aka.ms/PSRepoFeedback
Prerequisites
Steps to reproduce
For example, when entering `ssh-add my-personal-private-key`, the auto-completion shows `ssh-add my-personal-private-key [my passphrase]` in plain text.
Expected behavior
Do not auto-complete password input.
Actual behavior
Shows password in plain text.
Error details
No response
Environment data
Visuals
No response