Copilot CLI prompts for WSL sudo password without obscuring input (password echoed) #2542
Open
Summary
When GitHub Copilot CLI prompts for a WSL sudo password (to forward it into the WSL prompt), the typed password characters are not obscured and appear on screen in plain text. This is a security risk and can lead to password disclosure (e.g., during screen sharing, recordings, or over-the-shoulder viewing).
Steps to Reproduce
- Run Copilot CLI in a scenario where it needs elevated privileges inside WSL (sudo).
- When prompted with something like:
  Please enter your WSL sudo password (I'll send it to the prompt):
- Type the sudo password.
Expected Behavior
Password input should be obscured (no echo), similar to standard terminal password prompts:
- No visible characters while typing, or
- Use a secure prompt mechanism that disables echo.
Actual Behavior
Password characters are visible while typing (echoed to the terminal).
Impact / Security Considerations
- Risk of password exposure during screen shares, demos, live streams, recordings, or in shared work environments.
- Potential leakage into terminal logs depending on the host shell/terminal configuration.
Environment
OS: Windows (using WSL)
WSL distro: Ubuntu (WSL 2)
Copilot CLI version: 1.0.19
Terminal: Windows Terminal
Shell: PowerShell Core 7.6.0
Suggested Fix / Notes
- Use a proper no-echo password input method on Windows terminals (e.g., a secure prompt / TTY no-echo).
- Ensure the password is not printed, logged, or stored, and is only forwarded to the target sudo prompt.
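One way to implement the no-echo prompt suggested above, assuming a Node.js-based CLI (an added example, not part of the original issue and not Copilot CLI's code). The names `applyKeys` and `promptHidden` are hypothetical.

```javascript
// Added example: read a secret from the terminal with echo disabled.
// Key handling is a pure function so it can be checked without a real TTY.
function applyKeys(state, chunk) {
  // Simplification: a chunk starting with ESC (arrow keys etc.) is ignored whole.
  if (chunk.startsWith('\u001b')) return state;
  for (const ch of chunk) {
    if (state.done) break;
    if (ch === '\r' || ch === '\n') {
      state.done = true;                      // Enter submits
    } else if (ch === '\u0003') {             // Ctrl-C cancels and discards input
      state.done = true;
      state.cancelled = true;
      state.chars.length = 0;
    } else if (ch === '\u007f' || ch === '\b') {
      state.chars.pop();                      // Backspace / Delete
    } else if (ch >= ' ') {
      state.chars.push(ch);                   // printable; other control bytes dropped
    }
  }
  return state;
}

function promptHidden(question, input = process.stdin, output = process.stdout) {
  return new Promise((resolve, reject) => {
    // Without a TTY there is no echo setting to control, so refuse to read.
    if (!input.isTTY) return reject(new Error('no TTY: refusing to read a password'));
    const state = { chars: [], done: false, cancelled: false };
    output.write(question);
    input.setRawMode(true);                   // raw mode: the terminal stops echoing keys
    input.setEncoding('utf8');
    input.resume();
    const onData = (chunk) => {
      applyKeys(state, chunk);
      if (!state.done) return;
      input.removeListener('data', onData);
      input.setRawMode(false);                // always restore the terminal
      input.pause();
      output.write('\n');                     // only a newline is ever written back
      if (state.cancelled) reject(new Error('cancelled'));
      else resolve(state.chars.join(''));
    };
    input.on('data', onData);
  });
}
// Usage: const pw = await promptHidden('WSL sudo password: ');
// Hand pw only to the sudo prompt; never log it or put it in argv.
```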