Fix password echo security issue in web terminal

- Add passwordMode flag to detect password prompts from SSH server - Disable local echo when password prompts are detected (Password:, password:, etc.) - Re-enable echo after password is submitted (on Enter key or new prompt) - Reset passwordMode on disconnect for clean state - Maintain security by not displaying passwords in plain text - Preserve normal command echo for non-password input

Fix password echo security issue in web terminal
- Add passwordMode flag to detect password prompts from SSH server - Disable local echo when password prompts are detected (Password:, password:, etc.) - Re-enable echo after password is submitted (on Enter key or new prompt) - Reset passwordMode on disconnect for clean state - Maintain security by not displaying passwords in plain text - Preserve normal command echo for non-password input
c0b3a4bd · nextime · 09245516 · c0b3a4bd
Commit c0b3a4bd authored Sep 15, 2025 by nextime
Show whitespace changes
Inline Side-by-side

Showing with 26 additions and 4 deletions

terminal.html templates/terminal.html +26 -4

No files found.
--- a/templates/terminal.html
+++ b/templates/terminal.html
@@ -34,6 +34,7 @@ let term = null;
 let connected = false;
 let requestId = null;
 let pollInterval = null;
+let passwordMode = false;
 document.getElementById('connectBtn').addEventListener('click', connect);
 document.getElementById('disconnectBtn').addEventListener('click', disconnect);
@@ -137,13 +138,20 @@ function connect() {
        if (data === '\r' || data === '\n') {
            // Enter key - let server handle the command execution
            term.write('\r\n');
+            // Exit password mode after enter
+            passwordMode = false;
        } else if (data === '\x7f' || data === '\b') {
-            // Backspace - handle locally
+            // Backspace - handle locally only if not in password mode
+            if (!passwordMode) {
                term.write('\b \b');
+            }
        } else if (data >= ' ' && data <= '~') {
-            // Printable characters - echo locally
+            // Printable characters - echo locally only if not in password mode
+            if (!passwordMode) {
                term.write(data);
            }
+            // Stay in password mode for printable characters
+        }
        // Send data to server
        fetch('/terminal/{{ client_id }}/data', {
@@ -158,6 +166,7 @@ function connect() {
 function disconnect() {
    connected = false;
+    passwordMode = false; // Reset password mode
    document.getElementById('connectBtn').disabled = false;
    document.getElementById('disconnectBtn').disabled = true;
    document.getElementById('sshUsername').disabled = false;
@@ -189,6 +198,19 @@ function pollData() {
    .then(response => response.text())
    .then(data => {
        if (data) {
+            // Check for password prompts
+            if (data.toLowerCase().includes('password:') ||
+                data.toLowerCase().includes('password for') ||
+                data.toLowerCase().includes('enter passphrase')) {
+                passwordMode = true;
+            }
+            // Check for end of password prompt (new prompt or command output)
+            if (passwordMode && (data.includes('$ ') || data.includes('# ') ||
+                data.includes('> ') || data.includes('\n$') || data.includes('\n#'))) {
+                passwordMode = false;
+            }
            // Ensure proper line ending handling
            term.write(data.replace(/\n/g, '\r\n'));
        }