jsre: leave out lines from history possibly containing passwords

[zelig]

Currently the js console keeps a history. If you use methods of the personal module, and give your password as an argument, it ends up in the history file in cleartext.

The situation is worse, since the js console currently does not even allow interactive password input, so supplying it as argument is the only option.

Ideally blanking out password arguments should result in history entries like: personal.newAccount(XXXXX), however finding the right argument is very hard, a line could look like this:

personal.unlockAccount(complex(method(arg0, arg1, arg2)), "password"))

potentially several calls within complex expression.

Due to lack of a better solution, I blank the entire line if it contains a personal command just to be on the safe side.

[robotally]

Vote	Count	Reviewers
👍	2	@fjl @obscuren
👎	1	@bas-vk

Updated: Mon Aug 3 14:33:09 UTC 2015

[obscuren]

This PR is adequate 👍

[bas-vk]

👎

something like: personal. unlockAccount(...., ....) will still end up in the history. Ik would recommend trimming any spaces before the regex check.

[obscuren]

@bas-vk this is a hot fix, a quick and dirty solution for a silly problem. It's not supposed to be a all catching, ever lasting solution :-)

[bas-vk]

I absolutely agree on that, the real solution would be not to pass any sensitive information through arguments. But a little bit of normalization of the input can catch basic typo's.

[zelig]

@bas-vk is right, i will add optional whitespace
also we should purge all these lines from the existing history and rewrite on startup ok?

typos like peronal.newAccount("password") and things like

p = "password"
personal.unlockAccount(primary, p)

will still give it away, but these are really the user's fault, cannot to anything

[fjl]

👍