From 270db974919311a581534e5ddbe6c96a61c4fec0 Mon Sep 17 00:00:00 2001
From: Rob Gill
Date: Sat, 14 Mar 2026 04:20:41 +1000
Subject: [PATCH 1/2] Prevent credential leakage via curl process information

Use a heredoc to pass the SID, password and totp to curl so they don't appear in process list.
Signed-off-by: Rob Gill
---
 padd.sh | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/padd.sh b/padd.sh
index 21e3c4c..d20fb3c 100755
--- a/padd.sh
+++ b/padd.sh
@@ -274,7 +274,13 @@ DeleteSession() {
 # SID is not null (successful authenthication only), delete the session
 if [ "${validSession}" = true ] && [ "${SID}" != null ]; then
 # Try to delete the session. Omit the output, but get the http status code
- deleteResponse=$(curl --connect-timeout 2 -skS -o /dev/null -w "%{http_code}" -X DELETE "${API_URL}auth" -H "Accept: application/json" -H "sid: ${SID}")
+ # SID is passed via stdin config (-K -) to prevent leakage via process information
+ deleteResponse=$(curl --connect-timeout 2 -skS -o /dev/null -w "%{http_code}" -X DELETE "${API_URL}auth" \
+ -H "Accept: application/json" \
+ -K - <>%{http_code}" -X GET "${API_URL}$1$2" -H "Accept: application/json" -H "sid: ${SID}" )
+ # SID is passed via stdin config (-K -) to prevent leakage via process information
+ response=$(curl --connect-timeout 2 -sk -w ">>%{http_code}" -X GET "${API_URL}$1$2" \
+ -H "Accept: application/json" \
+ -K - <> delim
From 2b63af4b138a3c319f8e03a566ad5a4e0b4fdf10 Mon Sep 17 00:00:00 2001
From: yubiuser
Date: Sat, 21 Mar 2026 20:49:13 +0100
Subject: [PATCH 2/2] Add comment about password/totp as binary data

Signed-off-by: yubiuser
---
 padd.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/padd.sh b/padd.sh
index 39576f0..8e28ab5 100755
--- a/padd.sh
+++ b/padd.sh 
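Review bot: The here-document feeding `-K -` in DeleteSession keeps the SID out of argv, but it does not necessarily keep it off disk: bash before 5.1 spools every here-document to a temporary file under TMPDIR, and bash 5.1 and later still does so when the document is larger than the pipe buffer, so a shared or world-readable TMPDIR can briefly expose the value (dash, by contrast, appears to use a pipe for small documents). The script's interpreter line is not visible on this page, so please confirm which shell padd.sh runs under and, if bash is possible, extend the added comment to record the residual exposure, e.g. `# Note: some shells (bash < 5.1) spool here-documents to a temp file under TMPDIR; keep TMPDIR private`. The same point applies to the identical `-K -` block in GetFTLData later in this patch and, with higher stakes, to the password/totp here-document that PATCH 2/2 annotates in Authenticate. The here-document body, its closing delimiter and the trailing context of this hunk are garbled on this page, so whether the delimiter is left unquoted (required for `${SID}` to expand) could not be checked here.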
@@ -295,6 +295,7 @@ EOF
 }
 Authenticate() {
+ # password and totp are passed via stdin as binary-data to prevent leakage via process information
 sessionResponse="$(curl --connect-timeout 2 -skS -X POST "${API_URL}auth" \
 --user-agent "PADD ${padd_version}" \
 -H "Content-Type: application/json" \