Filter sensitive history items and avoid writing them to the history file (#1058)

Author: daxian-dbw

PSReadLine/Cmdlets.cs

@@ -57,6 +57,13 @@ public enum HistorySaveStyle
         SaveNothing
     }
 
+    public enum AddToHistoryOption
+    {
+        SkipAdding,
+        MemoryOnly,
+        MemoryAndFile
+    }
+
     public class PSConsoleReadLineOptions
     {
         public const ConsoleColor DefaultCommentColor   = ConsoleColor.DarkGreen;
@@ -135,7 +142,7 @@ public PSConsoleReadLineOptions(string hostName)
             ContinuationPrompt = DefaultContinuationPrompt;
             ContinuationPromptColor = Console.ForegroundColor;
             ExtraPromptLineCount = DefaultExtraPromptLineCount;
-            AddToHistoryHandler = null;
+            AddToHistoryHandler = DefaultAddToHistoryHandler;
             HistoryNoDuplicates = DefaultHistoryNoDuplicates;
             MaximumHistoryCount = DefaultMaximumHistoryCount;
             MaximumKillRingCount = DefaultMaximumKillRingCount;
@@ -237,10 +244,12 @@ public object ContinuationPromptColor
 
         /// <summary>
         /// This handler is called before adding a command line to history.
-        /// The return value indicates if the command line should be added
-        /// to history or not.
+        /// The return value indicates if the command line should be skipped,
+        /// or added to memory only, or added to both memory and history file.
         /// </summary>
-        public Func<string, bool> AddToHistoryHandler { get; set; }
+        public Func<string, object> AddToHistoryHandler { get; set; }
+        public static readonly Func<string, object> DefaultAddToHistoryHandler =
+            s => PSConsoleReadLine.GetDefaultAddToHistoryOption(s);
 
         /// <summary>
         /// This handler is called from ValidateAndAcceptLine.
@@ -514,7 +523,7 @@ public SwitchParameter HistoryNoDuplicates
 
         [Parameter]
         [AllowNull]
-        public Func<string, bool> AddToHistoryHandler
+        public Func<string, object> AddToHistoryHandler
         {
             get => _addToHistoryHandler;
             set
@@ -523,7 +532,7 @@ public Func<string, bool> AddToHistoryHandler
                 _addToHistoryHandlerSpecified = true;
             }
         }
-        private Func<string, bool> _addToHistoryHandler;
+        private Func<string, object> _addToHistoryHandler;
         internal bool _addToHistoryHandlerSpecified;
 
         [Parameter]

PSReadLine/History.cs

@@ -7,7 +7,9 @@
 using System.Diagnostics;
 using System.IO;
 using System.Linq;
+using System.Management.Automation;
 using System.Text;
+using System.Text.RegularExpressions;
 using System.Threading;
 using Microsoft.PowerShell.PSReadLine;
 
@@ -51,6 +53,7 @@ public class HistoryItem
             public bool FromHistoryFile { get; internal set; }
 
             internal bool _saved;
+            internal bool _sensitive;
             internal List<EditItem> _edits;
             internal int _undoEditIndex;
         }
@@ -76,29 +79,60 @@ public class HistoryItem
         private const string _failedForwardISearchPrompt = "failed-fwd-i-search: ";
         private const string _failedBackwardISearchPrompt = "failed-bck-i-search: ";
 
-        private string MaybeAddToHistory(
-            string result,
-            List<EditItem> edits,
-            int undoEditIndex,
-            bool fromDifferentSession = false,
-            bool fromInitialRead = false)
+        // Pattern used to check for sensitive inputs.
+        private static readonly Regex s_sensitivePattern = new Regex(
+            "password|asplaintext|token|key|secret",
+            RegexOptions.Compiled | RegexOptions.IgnoreCase);
+
+        private AddToHistoryOption GetAddToHistoryOption(string line)
         {
-            bool AddToHistory(string line)
+            // Whitespace only is useless, never add.
+            if (string.IsNullOrWhiteSpace(line))
+            {
+                return AddToHistoryOption.SkipAdding;
+            }
+
+            // Under "no dupes" (which is on by default), immediately drop dupes of the previous line.
+            if (Options.HistoryNoDuplicates && _history.Count > 0 &&
+                string.Equals(_history[_history.Count - 1].CommandLine, line, StringComparison.Ordinal))
             {
-                // Whitespace only is useless, never add.
-                if (string.IsNullOrWhiteSpace(line)) return false;
+                return AddToHistoryOption.SkipAdding;
+            }
 
-                // If the user says don't add it, then don't.
-                if (Options.AddToHistoryHandler != null && !Options.AddToHistoryHandler(result)) return false;
+            if (Options.AddToHistoryHandler != null)
+            {
+                if (Options.AddToHistoryHandler == PSConsoleReadLineOptions.DefaultAddToHistoryHandler)
+                {
+                    // Avoid boxing if it's the default handler.
+                    return GetDefaultAddToHistoryOption(line);
+                }
 
-                // Under "no dupes" (which is on by default), immediately drop dupes of the previous line.
-                if (Options.HistoryNoDuplicates && _history.Count > 0)
-                    return !string.Equals(_history[_history.Count - 1].CommandLine, result, StringComparison.Ordinal);
+                object value = Options.AddToHistoryHandler(line);
 
-                return true;
+                if (LanguagePrimitives.TryConvertTo(value, out AddToHistoryOption enumValue))
+                {
+                    return enumValue;
+                }
+
+                if (value is bool boolValue && !boolValue)
+                {
+                    return AddToHistoryOption.SkipAdding;
+                }
             }
 
-            if (AddToHistory(result))
+            // Add to both history queue and file by default.
+            return AddToHistoryOption.MemoryAndFile;
+        }
+
+        private string MaybeAddToHistory(
+            string result,
+            List<EditItem> edits,
+            int undoEditIndex,
+            bool fromDifferentSession = false,
+            bool fromInitialRead = false)
+        {
+            var addToHistoryOption = GetAddToHistoryOption(result);
+            if (addToHistoryOption != AddToHistoryOption.SkipAdding)
             {
                 var fromHistoryFile = fromDifferentSession || fromInitialRead;
                 _previousHistoryItem = new HistoryItem
@@ -110,14 +144,16 @@ bool AddToHistory(string line)
                     FromOtherSession = fromDifferentSession,
                     FromHistoryFile = fromInitialRead,
                 };
+
                 if (!fromHistoryFile)
                 {
+                    // 'MemoryOnly' indicates sensitive content in the command line
+                    _previousHistoryItem._sensitive = addToHistoryOption == AddToHistoryOption.MemoryOnly;
                     _previousHistoryItem.StartTime = DateTime.UtcNow;
                 }
 
                 _history.Enqueue(_previousHistoryItem);
 
-
                 _currentHistoryIndex = _history.Count;
 
                 if (_options.HistorySaveStyle == HistorySaveStyle.SaveIncrementally && !fromHistoryFile)
@@ -169,7 +205,6 @@ private void SaveHistoryAtExit()
             WriteHistoryRange(0, _history.Count - 1, File.CreateText);
         }
 
-
         private int historyErrorReportedCount;
         private void ReportHistoryFileError(Exception e)
         {
@@ -241,8 +276,13 @@ private void WriteHistoryRange(int start, int end, Func<string, StreamWriter> fi
                     {
                         for (var i = start; i <= end; i++)
                         {
-                            _history[i]._saved = true;
-                            var line = _history[i].CommandLine.Replace("\n", "`\n");
+                            HistoryItem item = _history[i];
+                            item._saved = true;
+
+                            // Actually, skip writing sensitive items to file.
+                            if (item._sensitive) { continue; }
+
+                            var line = item.CommandLine.Replace("\n", "`\n");
                             file.WriteLine(line);
                         }
                     }
@@ -335,6 +375,13 @@ void UpdateHistoryFromFile(IEnumerable<string> historyLines, bool fromDifferentS
             }
         }
 
+        public static AddToHistoryOption GetDefaultAddToHistoryOption(string line)
+        {
+            return s_sensitivePattern.IsMatch(line)
+                ? AddToHistoryOption.MemoryOnly
+                : AddToHistoryOption.MemoryAndFile;
+        }
+
         /// <summary>
         /// Add a command to the history - typically used to restore
         /// history from a previous session.

docs/Set-PSReadLineOption.md

@@ -21,7 +21,7 @@ Set-PSReadLineOption
  [-PromptText <string>]
  [-ExtraPromptLineCount <Int32>]
  [-Colors <Hashtable>]
- [-AddToHistoryHandler <Func[String, Boolean]>]
+ [-AddToHistoryHandler <Func[String, Object]>]
  [-CommandValidationHandler <Action[CommandAst]>]
  [-ContinuationPrompt <String>]
  [-HistorySearchCursorMovesToEnd]
@@ -192,13 +192,34 @@ Accept wildcard characters: False
 
 ### -AddToHistoryHandler
 
-Specifies a ScriptBlock that can be used to control which commands get added to PSReadLine history.
+Specifies a ScriptBlock that can be used to control which commands get added to PSReadLine history,
+and whether they should be saved to the history file.
+
+The ScriptBlock is passed the command line, and it is expected to return either a Boolean value,
+or an enum value of the type `[Microsoft.PowerShell.AddToHistoryOption]`.
+The enum type `AddToHistoryOption` has 3 members: `SkipAdding`, `MemoryOnly`, and `MemoryAndFile`.
+
+If the ScriptBlock returns `$true`, it's equivalent to `AddToHistoryOption.MemoryAndFile`.
+The command line is added to the in-memory history queue and saved to the history file.
+If the ScriptBlock returns `$false`, it's equivalent to `AddToHistoryOption.SkipAdding`,
+and the command line is not added to history at all.
+
+If the ScriptBlock returns `AddToHistoryOption.MemoryOnly`, then the command line is added to the in-memory history queue,
+but will not be saved to the history file.
+This usually indicates the command line has sensitive content that should not be written to disk.
+
+PSReadLine provides a default handler to this option:
+    `[Microsoft.PowerShell.PSConsoleReadLine]::GetDefaultAddToHistoryOption(string line)`
+The default handler attempts to detect sensitive information in a command line by matching with a simple regex pattern:
+    `"password|asplaintext|token|key|secret"`
+When successfully matched, the command line is considered to contain sensitive content, and `MemoryOnly` is returned.
+Otherwise, `MemoryAndFile` is returned.
+
+To turn off the default handler, just set this option to `$null`.
 
-The ScriptBlock is passed the command line.
-If the ScriptBlock returns `$true`, the command line is added to history, otherwise it is not.
 
 ```yaml
-Type: Func[String, Boolean]
+Type: Func[String, Object]
 Parameter Sets: (All)
 Aliases: