fix(cli): suppress terminal echo for interactive secret prompts#45
Merged
Conversation
`vault login` / `vault unlock` echoed the master password in clear text as it was typed (visible on screen and in scrollback); the PIN, the add/edit login password, the card number/CVV, and the identity SSN/passport/license prompts shared the same flaw. Add a `NoEcho` RAII guard over `rustix::termios` that clears terminal ECHO for the duration of every interactive secret read and restores the prior attributes on drop (including on early return / panic). rustix was already in the tree transitively via `secmem-proc`, so no new crate is added and the crate keeps `#![forbid(unsafe_code)]`. Interactive entry now also submits on Enter — the master-password path previously read until EOF, so a typed password sat until Ctrl-D. Piped / redirected input is unchanged (`pass show | vault login` still reads the whole stream); non-secret prompts (the register server picker, account email, the ephemeral authenticator code) still echo by design. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Remote memory-exhaustion (DoS) advisory in quinn-proto's out-of-order stream reassembly, published 2026-06-22. quinn-proto is a phantom Cargo.lock entry — an unenabled QUIC/HTTP3 path of reqwest; Vault speaks HTTP/2 only, so it never enters the build graph and the flaw is unreachable here — but cargo audit scans the lockfile literally, so pull the patched release to keep the supply-chain gate green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
vault login/vault unlockechoed the master password in clear text as it was typed — visible on screen and in scrollback. The same flaw affected every other interactive secret prompt: the PIN, theadd/editlogin password, the card number/CVV, and the identity SSN/passport/license. Separately, the master-password path read stdin until EOF, so a typed password sat at the cursor untilCtrl-Dinstead of submitting on Enter.Fix
NoEchoRAII guard overrustix::termiosthat clears terminalECHOfor the duration of every interactive secret read and restores the prior attributes on drop — including on early return / panic.rustixwas already in the dependency tree transitively (viasecmem-proc), so no new crate is added and the crate keeps#.pass show | vault loginstill reads the whole stream, preserving the "stdin consumed → 2FA from/dev/tty" design.Verification
Full
just ciset is green:fmt,clippy -D warnings(--all-features, all 9 crates),test --workspace --all-targets(75 passed, 0 failed),headless,version-gate,deny,audit,reuse.Verified live through a pseudo-terminal driving
vault login: the prompt appears, and the typed secret is absent from all terminal output.🤖 Generated with Claude Code