Security Risk: Agent requests and logs sensitive credentials (SSH passphrases)

[rameshreddy-adutla]

Summary

The Copilot CLI agent can request sensitive credentials (passwords, passphrases) via the ask_user tool and then transmit them through write_bash, which logs them in the conversation history.

Steps to Reproduce

1. Run a git command that requires SSH passphrase authentication (e.g., git pull)
2. The command prompts for passphrase
3. Agent uses ask_user to request the passphrase from the user
4. Agent transmits the passphrase via write_bash
5. Passphrase is visible in the agent's output logs

Expected Behavior

• Agent should never request passwords, passphrases, or credentials
• Agent should detect when commands require sensitive input and instruct the user to run them manually
• Agent should refuse to handle credentials per its own security policy

Security Impact

• Credentials are exposed in conversation logs
• Credentials may be transmitted/stored by backend systems
• Violates the agent's stated security guidelines in the prohibited_actions section

Suggested Fix

• Add explicit safeguards in the agent's credential-handling logic
• Detect password/passphrase prompts and halt with user guidance instead of requesting input
• Add validation to prevent ask_user from requesting credential-type information
• Consider adding a warning when commands may require sensitive input

Context

This issue was discovered during a real usage scenario where git pull required SSH passphrase authentication.

[rameshreddy-adutla]

Detailed Technical Fix

Based on typical agent architecture patterns, here's a concrete implementation approach:

1. Add Credential Prompt Detection in Bash Tool

// In bash tool handler (e.g., tools/bash.ts)

const CREDENTIAL_PROMPTS = [
  /password:/i,
  /passphrase:/i,
  /enter passphrase for key/i,
  /\[sudo\] password/i,
  /username:/i,
  /token:/i,
  /secret:/i,
  /key password:/i,
  /authentication required/i
];

function detectsCredentialPrompt(output: string): boolean {
  return CREDENTIAL_PROMPTS.some(pattern => pattern.test(output));
}

// In the bash command execution handler:
async function executeBashCommand(command: string, shellId: string) {
  const process = startProcess(command, shellId);
  
  // Monitor output for credential prompts
  process.stdout.on('data', (data) => {
    const output = data.toString();
    
    if (detectsCredentialPrompt(output)) {
      process.terminate();
      throw new Error(
        'Command requires credential input. For security, please run this command manually in your terminal: ' + 
        command
      );
    }
  });
  
  // Continue with normal execution...
}

2. Add Input Validation to ask_user Tool

// In tools/ask_user.ts

const SENSITIVE_KEYWORDS = [
  'password',
  'passphrase', 
  'credential',
  'token',
  'secret',
  'api key',
  'private key',
  'ssh key'
];

function validateQuestion(question: string): void {
  const lowerQuestion = question.toLowerCase();
  
  for (const keyword of SENSITIVE_KEYWORDS) {
    if (lowerQuestion.includes(keyword)) {
      throw new Error(
        'Security policy violation: ask_user cannot be used to request credentials. ' +
        'Users must enter sensitive information directly in their terminal.'
      );
    }
  }
}

async function askUser(question: string, choices?: string[]) {
  validateQuestion(question);
  
  // Continue with normal ask_user logic...
}

3. Pre-command Validation

// In command executor (e.g., agent/executor.ts)

const CREDENTIAL_COMMANDS = [
  'ssh',
  'sudo',
  'su',
  'ssh-keygen',
  'gpg',
  'git clone',
  'git push',
  'git pull',
  'git fetch'
];

function requiresInteractiveAuth(command: string): boolean {
  const lowerCmd = command.toLowerCase().trim();
  return CREDENTIAL_COMMANDS.some(cmd => lowerCmd.startsWith(cmd));
}

async function executeCommand(command: string) {
  if (requiresInteractiveAuth(command)) {
    // Check if SSH agent is available
    const hasSSHAgent = await checkSSHAgent();
    
    if (!hasSSHAgent) {
      return {
        warning: true,
        message: 'This command may require credential input. Consider using ssh-agent or run manually.',
        suggestion: 'eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_rsa'
      };
    }
  }
  
  // Continue with execution...
}

4. Output Sanitization

// In logging/output handler

function sanitizeOutput(output: string): string {
  // Redact potential credential prompts from logs
  return output
    .replace(/Enter passphrase for key.*$/gm, '[CREDENTIAL PROMPT DETECTED - REDACTED]')
    .replace(/password:.*$/gim, '[PASSWORD PROMPT - REDACTED]')
    .replace(/\[sudo\] password.*$/gm, '[SUDO PROMPT - REDACTED]');
}

5. Agent Instructions Enhancement

Add to the agent's system prompt:

CRITICAL SECURITY RULE:
- NEVER use ask_user to request passwords, passphrases, tokens, or credentials
- If a bash command requires credential input, STOP and instruct the user to run it manually
- Suggest using ssh-agent, credential helpers, or environment variables instead
- If you detect a credential prompt in command output, immediately terminate and explain

Testing

Add integration tests:

describe('Credential Security', () => {
  it('should reject ask_user with password question', async () => {
    await expect(askUser('Enter your password:')).rejects.toThrow('Security policy violation');
  });
  
  it('should detect SSH passphrase prompt', async () => {
    const output = 'Enter passphrase for key /Users/test/.ssh/id_rsa:';
    expect(detectsCredentialPrompt(output)).toBe(true);
  });
  
  it('should warn about git commands without ssh-agent', async () => {
    const result = await executeCommand('git push');
    expect(result.warning).toBe(true);
  });
});

This comprehensive fix addresses the vulnerability at multiple layers: prevention, detection, and response.

[saxenasaksham]

Though I've +1 to the issue, but this is huge. I started using Copilot CLI yesterday, noticed this, and was super shocked how dumb this was.

[vladimir-zagray-coral-team]

SENSITIVE_KEYWORDS approach won't work, because the user can use non-English words instead of them, e.g. "mot de passe" instead of "password".