cargo login encourages disclosure of secret token #13623

@auspicacious

Problem

I am new to Rust and working through the Rust Book.

cargo login's default syntax encourages users to pass their secret registry authentication token on the command line, e.g. cargo login [token]. The Rust Book also encourages this syntax.

The cargo login manpage makes it clear that this value requires protection:

Take care to keep the token secret, it should not be shared with anyone else.

However, in general, passing any secret as a command-line argument creates significant and unnecessary security risk. It is significant for at least these reasons:

  • While the cargo login command is running, its arguments are visible to all users on the system. A malicious user monitoring processes could easily steal the token.
  • The token is saved in the user's shell history file. Some shells may limit permissions on this file to only that user, but this is not guaranteed, and, regardless, exposes the token in a place the user may not anticipate.
  • Users may be working on systems that monitor and log the commands they execute, such that the token could be persisted into a centralized logging system with even more relaxed access permissions and many potential vulnerabilities.

And it is unnecessary because there are other options available that do not create this risk:

  • cargo login could be modified to prompt the user for input, using normal shell conventions for entering a password, and not echoing text back to the console. Issue #7813 ("cargo login shows passwords in plain text") touches on this.
    • This, of course, could lead to the token being persisted in a clipboard manager if it is copy/pasted, but mitigating that risk is out of scope for this issue and present regardless.
  • The user could write the token into a file or a shell-oriented password manager like pass and pipe it into cargo login to avoid exposure.
  • Even without modifications to cargo login, if using bash, and possibly some other shells, the user could use this combination of commands to avoid exposure:
      IFS='' read -r -s token
      cargo login <<< "$token"
      unset token

I am honestly surprised that I could not find any duplicate issues for this, and I apologize if I have missed one that explains the rationale behind the current design. Likewise, I am not using the security vulnerability disclosure process for this bug report, as it is based entirely on public and obvious information.

However, I do believe that this is insecure by design, and encourages Rust developers to adopt patterns that are widely known to be insecure.

Steps

No response

Possible Solution(s)

No response

Notes

No response

Version

No response
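
The first risk listed in the issue (arguments visible to other users while the command runs) can be checked on a Linux host with the following sketch. It is an added example, not part of the original issue or of cargo. The token is a constructed value and `fake-cargo-login` is a hypothetical stand-in process name, so cargo itself is never invoked.

```sh
#!/bin/sh
# Added example (Linux, uses /proc): what other local users can read about a
# command when a secret is passed as an argument versus on standard input.
# `fake-cargo-login` is a hypothetical stand-in name; cargo itself is not run.

TOKEN='constructed-sample-token-0000'   # constructed value, not a real token

# Print a process's argument vector the way `ps` obtains it.
# /proc/<pid>/cmdline is NUL-separated and, unless /proc is mounted with
# hidepid, readable by every user on the system.
visible_args() {
    tr '\0' ' ' < "/proc/$1/cmdline"
}

# Start the stand-in with the token supplied via "argv" or "stdin", then
# print the arguments an observer would see while it is running.
run_and_observe() {
    if [ "$1" = argv ]; then
        sh -c 'sleep 1; :' fake-cargo-login "$TOKEN" &
    else
        # printf is a shell builtin, so the token is never in any argv.
        printf '%s\n' "$TOKEN" | sh -c 'read -r t; sleep 1; :' fake-cargo-login &
    fi
    pid=$!
    for _try in 1 2 3 4 5 6 7 8 9 10; do    # wait until the child has exec'd
        seen=$(visible_args "$pid" 2>/dev/null) || seen=''
        case $seen in *fake-cargo-login*) break ;; esac
        sleep 0.1
    done
    wait "$pid"
    printf '%s\n' "$seen"
}

# Succeeds (exit status 0) when the token shows up in the visible arguments.
token_exposed() {
    case $(run_and_observe "$1") in
        *"$TOKEN"*) return 0 ;;
        *) return 1 ;;
    esac
}

for mode in argv stdin; do
    if token_exposed "$mode"; then
        echo "$mode: token visible in process arguments"
    else
        echo "$mode: token not visible in process arguments"
    fi
done
```

This covers only the process-list exposure; shell history and command logging are separate paths that the stdin form also avoids, because the token never appears on a command line.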

Labels: C-bug (Category: bug), Command-login, S-triage (Status: This issue is waiting on initial triage.)
