🛡️ Sentinel: Fix injection risks and logic bugs in entrypoint.sh#35

Open
bluPhy wants to merge 1 commit into master from sentinel-entrypoint-fix-1117922649488346055

Conversation

@bluPhy
Owner

@bluPhy bluPhy commented Feb 2, 2026

🛡️ Sentinel Security Fixes

Severity: HIGH

Vulnerability:

  1. Argument Injection/Globbing: Unquoted variables in adduser and VPNCMD_* execution allowed shell globbing. A password like * could expand to filenames, leaking information or causing unexpected behavior.
  2. Logic Bug: The loop processing VPNCMD_SERVER and VPNCMD_HUB was broken. It only executed the first command in the list, ignoring subsequent commands.
  3. Format String: printf " $1" is theoretically vulnerable to format string attacks if $1 contains %.

Fix:

  1. Quoted all variable expansions in adduser.
  2. Refactored VPNCMD_* loops to correctly split by semicolon and iterate.
  3. Used set -f (disable globbing) + set +f around dynamic command execution to allow word splitting (for arguments) but prevent wildcard expansion.
  4. Used printf " %s" "$1" for safe printing.
  5. Added read -r to preserve backslashes in inputs.

Verification:
Verified with a test script simulating adduser calls and VPNCMD loop processing, confirming correct argument handling and glob prevention. Ran bash -n to verify syntax.


PR created automatically by Jules for task 1117922649488346055 started by @bluPhy

Summary by CodeRabbit

  • Security
    • Fixed shell variable expansion vulnerability that could lead to command injection and argument hijacking in entrypoint configuration.
    • Improved handling of user credentials and VPN commands with proper input validation and special character processing.
    • Enhanced robustness to prevent word-splitting and misinterpretation of configuration parameters.

- Quote variables in `adduser` to prevent globbing and argument splitting.
- Use `printf " %s"` to prevent format string vulnerabilities.
- Fix `VPNCMD_*` loop logic to correctly iterate over semicolon-separated commands.
- Use `set -f` to prevent globbing when executing dynamic commands.
- Use `read -r` to preserve backslashes in passwords.
- Create .jules/sentinel.md for security learnings.

Co-authored-by: bluPhy <11618798+bluPhy@users.noreply.github.com>
@google-labs-jules

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@coderabbitai

coderabbitai bot commented Feb 2, 2026

Walkthrough

A new security documentation file is added to document shell variable expansion vulnerabilities, and an entrypoint shell script is hardened by improving string quoting, input parsing with read -r, and command handling to prevent word-splitting and potential injection attacks.

Changes

Cohort / File(s) Summary
Security Documentation
.jules/sentinel.md
New security note documenting unquoted variable expansion vulnerabilities in shell scripts, specifically addressing command injection and argument hijacking risks with prevention guidance.
Script Hardening
copyables/entrypoint.sh
Improved string quoting for user creation arguments, stronger input parsing with read -r, robust VPN command parsing into arrays with whitespace trimming, and globbing safety controls using set -f/set +f around command execution.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Shell scripts need quoting, oh what a sight!
Variables wrapped in quotes, keeping exploits tight,
No more unquoted expansion causing a mess,
With set -f and arrays, we pass the security test!
hops triumphantly 🐇

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly addresses the main changes: fixing injection risks and logic bugs in entrypoint.sh, which aligns with the core objective of the PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@gemini-code-assist

Summary of Changes

Hello @bluPhy, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request delivers critical security enhancements and bug fixes to the entrypoint.sh script. The primary goal is to eliminate potential command injection risks, address shell globbing vulnerabilities, and correct a logic error that prevented multiple VPNCMD commands from executing as intended. These changes significantly improve the robustness and security posture of the Sentinel entrypoint script.

Highlights

  • Security Fix: Argument Injection and Globbing: Unquoted variables in adduser and VPNCMD_* command executions were vulnerable to shell globbing and argument injection. This has been fixed by consistently quoting variable expansions and using set -f and set +f around dynamic command execution to prevent wildcard expansion while allowing word splitting.
  • Logic Bug Fix: VPNCMD Command Execution: The previous implementation for processing VPNCMD_SERVER and VPNCMD_HUB variables only executed the first command in a semicolon-separated list. The logic has been refactored to correctly parse and execute all commands provided in these variables.
  • Security Fix: Format String Vulnerability: The printf " $1" statement in the adduser function was theoretically vulnerable to format string attacks if $1 contained format specifiers. This has been corrected to printf " %s" "$1" for safe printing.
  • Improved Input Handling: The read command used for parsing user credentials now includes the -r option (read -r username password), which prevents backslash interpretation, ensuring that input strings are read literally.
  • Documentation of Vulnerability: A new markdown file (.jules/sentinel.md) has been added to document the unquoted variable expansion vulnerability, its learning, and prevention methods.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request effectively addresses several high-severity security risks, including argument injection, globbing, and format string vulnerabilities, and fixes a logic bug in command processing. However, the refactored loops for processing VPNCMD_SERVER and VPNCMD_HUB introduce new logic bugs that prevent the use of arguments with spaces and quotes. Additionally, these sensitive environment variables are not cleared after use, leading to potential information exposure. There are also opportunities to improve script performance by using shell built-ins instead of forking external processes in a loop.

Comment on lines +162 to +165
cmd=$(echo "$cmd" | xargs)
if [[ -n "$cmd" ]]; then
set -f
vpncmd_server $cmd

security-medium medium

The current use of echo | xargs to trim whitespace followed by unquoted expansion of $cmd introduces a logic bug, breaking the ability to pass arguments with spaces and quotes. xargs strips quotes and backslashes, and unquoted expansion performs word splitting, causing commands like UserCreate "my user" to fail. Additionally, echo "$cmd" can misinterpret commands starting with a hyphen. For improved robustness and performance, consider using a shell built-in like read for trimming whitespace to avoid forking new processes, or use xargs to execute the command directly, which correctly handles quoted arguments and whitespace.

Suggested change
cmd=$(echo "$cmd" | xargs)
if [[ -n "$cmd" ]]; then
set -f
vpncmd_server $cmd
read -r cmd <<< "$cmd"

Comment on lines 158 to 182
if [[ $VPNCMD_SERVER ]]; then
while IFS=";" read -ra CMD; do
vpncmd_server $CMD
done <<<"$VPNCMD_SERVER"
IFS=";" read -ra COMMANDS <<<"$VPNCMD_SERVER"
for cmd in "${COMMANDS[@]}"; do
# trim whitespace
cmd=$(echo "$cmd" | xargs)
if [[ -n "$cmd" ]]; then
set -f
vpncmd_server $cmd
set +f
fi
done
fi

if [[ $VPNCMD_HUB ]]; then
while IFS=";" read -ra CMD; do
vpncmd_hub $CMD
done <<<"$VPNCMD_HUB"
IFS=";" read -ra COMMANDS <<<"$VPNCMD_HUB"
for cmd in "${COMMANDS[@]}"; do
# trim whitespace
cmd=$(echo "$cmd" | xargs)
if [[ -n "$cmd" ]]; then
set -f
vpncmd_hub $cmd
set +f
fi
done
fi

security-medium medium

The environment variables VPNCMD_SERVER and VPNCMD_HUB may contain sensitive management commands and passwords. These are not cleared after use, allowing subsequent processes to read them. They should be masked after the loops finish executing to prevent information exposure. While the provided suggestion addresses the masking, consider optimizing the echo | xargs pipeline for trimming whitespace within these loops for better performance by using shell built-ins instead of forking new processes.

  if [[ $VPNCMD_SERVER ]]; then
    IFS=";" read -ra COMMANDS <<<"$VPNCMD_SERVER"
    for cmd in "${COMMANDS[@]}"; do
      # trim whitespace
      cmd=$(echo "$cmd" | xargs)
      if [[ -n "$cmd" ]]; then
        set -f
        vpncmd_server $cmd
        set +f
      fi
    done
    export VPNCMD_SERVER='**'
  fi

  if [[ $VPNCMD_HUB ]]; then
    IFS=";" read -ra COMMANDS <<<"$VPNCMD_HUB"
    for cmd in "${COMMANDS[@]}"; do
      # trim whitespace
      cmd=$(echo "$cmd" | xargs)
      if [[ -n "$cmd" ]]; then
        set -f
        vpncmd_hub $cmd
        set +f
      fi
    done
    export VPNCMD_HUB='**'
  fi

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @.jules/sentinel.md:
- Around line 1-4: Update the date in the header "## 2025-02-02 - Unquoted
Variable Expansion in Entrypoint Scripts" to the correct date for this PR (e.g.,
"## 2026-02-02 - Unquoted Variable Expansion in Entrypoint Scripts") or confirm
and document if the original 2025-02-02 is intentional; ensure the header line
is the only change and keep the rest of the note unchanged.

In `@copyables/entrypoint.sh`:
- Around line 159-168: The loops reading VPNCMD_SERVER (and the similar
VPNCMD_CLIENT loop) currently use cmd=$(echo "$cmd" | xargs) which strips
quotes/backslashes and breaks quoted arguments; replace the xargs trimming with
POSIX/Bash parameter-expansion trimming to preserve quotes/backslashes, e.g.
trim leading/trailing whitespace via cmd="${cmd#"${cmd%%[![:space:]]*}"}";
cmd="${cmd%"${cmd##*[![:space:]]}"}", and then call vpncmd_server (and other
vpncmd_* functions) with the trimmed value quoted like vpncmd_server "$cmd"
(keep set -f/set +f as needed to disable globbing).

Comment on lines +1 to +4
## 2025-02-02 - Unquoted Variable Expansion in Entrypoint Scripts
**Vulnerability:** Command injection and argument hijacking via unquoted variables in shell scripts.
**Learning:** Shell variables passed to functions or commands without quotes are subject to word splitting and globbing. In `entrypoint.sh`, `adduser $username $password` allowed a password containing globs (e.g., `*`) to expand to filenames, or spaces to shift arguments.
**Prevention:** Always quote variable expansions (`"$var"`). For dynamic commands where word splitting is desired but globbing is not, use `set -f` before execution and `set +f` after.
⚠️ Potential issue | 🟡 Minor

Confirm the date in the security note.

Line 1 records 2025-02-02, but this PR is dated 2026-02-02; please verify the intended date for the entry.


Comment on lines +159 to +168
IFS=";" read -ra COMMANDS <<<"$VPNCMD_SERVER"
for cmd in "${COMMANDS[@]}"; do
# trim whitespace
cmd=$(echo "$cmd" | xargs)
if [[ -n "$cmd" ]]; then
set -f
vpncmd_server $cmd
set +f
fi
done
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's find and examine the entrypoint.sh file
find . -name "entrypoint.sh" -type f

Repository: bluPhy/docker-softether

Length of output: 92


🏁 Script executed:

# Check the lines mentioned in the review (159-168 and 172-181)
sed -n '150,190p' copyables/entrypoint.sh

Repository: bluPhy/docker-softether

Length of output: 1041


🏁 Script executed:

# Run the repro script from the review to verify xargs behavior
bash <<'EOF'
#!/bin/bash
cmd='UserPasswordSet /PASSWORD:"a b"'
trimmed="$(echo "$cmd" | xargs)"
echo "xargs: $trimmed"
set -f
set -- $trimmed
printf 'args(%d):\n' "$#"
printf ' - %s\n' "$@"
EOF

Repository: bluPhy/docker-softether

Length of output: 151


🏁 Script executed:

# Test the proposed sed fix
bash <<'EOF'
#!/bin/bash
cmd='UserPasswordSet /PASSWORD:"a b"'
trimmed="$(sed -e 's/^[[:space:]]*//; s/[[:space:]]*$//' <<<"$cmd")"
echo "sed: $trimmed"
set -f
set -- $trimmed
printf 'args(%d):\n' "$#"
printf ' - %s\n' "$@"
EOF

Repository: bluPhy/docker-softether

Length of output: 153


xargs trimming removes quotes/backslashes from VPNCMD commands, breaking quoted arguments.

Lines 159-168 and 172-181 use xargs for whitespace trimming, which strips quotes and performs word splitting. Commands with quoted arguments (e.g., /PASSWORD:"a b") lose their quotes, resulting in malformed arguments passed to vpncmd_* functions.

🔧 Suggested fix (preserve quotes/backslashes while trimming)
-    for cmd in "${COMMANDS[@]}"; do
-      # trim whitespace
-      cmd=$(echo "$cmd" | xargs)
+    for cmd in "${COMMANDS[@]}"; do
+      # trim whitespace without stripping quotes/backslashes
+      cmd="$(sed -e 's/^[[:space:]]*//; s/[[:space:]]*$//' <<<"$cmd")"
       if [[ -n "$cmd" ]]; then
         set -f
         vpncmd_server $cmd
         set +f
       fi
     done
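Review bot: the sed trim keeps the quote characters in the string, but the unchanged `vpncmd_server $cmd` line still word-splits on the space inside them, so `/PASSWORD:"a b"` reaches the function as two words, `/PASSWORD:"a` and `b"`, not as one argument; the second repro script above (`set -- $trimmed` after the sed trim) exercises exactly that split. The hunk therefore changes what the quotes look like, not how many arguments arrive. Either forward the whole trimmed string with `vpncmd_server "$cmd"`, as the AI-agent prompt in this review proposes, or parse each command into an array with the quoting rules the `VPNCMD_*` format is meant to support.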
@@
-    for cmd in "${COMMANDS[@]}"; do
-      # trim whitespace
-      cmd=$(echo "$cmd" | xargs)
+    for cmd in "${COMMANDS[@]}"; do
+      # trim whitespace without stripping quotes/backslashes
+      cmd="$(sed -e 's/^[[:space:]]*//; s/[[:space:]]*$//' <<<"$cmd")"
       if [[ -n "$cmd" ]]; then
         set -f
         vpncmd_hub $cmd
         set +f
       fi
     done
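Review bot: this hunk repeats the VPNCMD_SERVER loop body verbatim with only the callee changed to `vpncmd_hub`, and both copies still fork a `sed` per command, which is the same performance point raised against `echo | xargs` in the other review. A small trim helper built on the parameter expansions already quoted in this thread (`cmd="${cmd#"${cmd%%[![:space:]]*}"}"; cmd="${cmd%"${cmd##*[![:space:]]}"}"`) would remove the fork and keep the two loops from drifting apart when one is fixed and the other is not.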
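As an added example that is not code from the PR or the repository, the bash below reproduces on constructed input the argument-handling points discussed in the description and the reviews above: unquoted versus quoted expansion in the `adduser`-style call, `set -f` around a word-split command list, and `xargs` versus parameter-expansion trimming of a quoted `/PASSWORD:"a b"` argument. `count_args`, `demo_glob`, `trim_ws`, `run_vpncmd_list` and the sample values are assumptions made for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not the repository's entrypoint.sh: reproduces the argument
# handling issues discussed in this PR on constructed input. count_args stands
# in for adduser / vpncmd_*; all names and sample values here are made up.

# Report how many arguments the callee received.
count_args() { printf '%d' "$#"; }

# Before the fix: unquoted expansion. A password containing a space becomes
# extra arguments, and a password of "*" globs against the working directory.
unquoted_call() { count_args $1 $2; }

# After the fix: quoted expansion, exactly two arguments reach the callee.
quoted_call() { count_args "$1" "$2"; }

# Globbing demo in a throwaway directory holding two constructed files:
# returns "<unquoted count> <quoted count>".
demo_glob() {
  local dir; dir="$(mktemp -d)"
  touch "$dir/id_rsa" "$dir/id_rsa.pub"
  ( cd "$dir" && printf '%s %s' "$(unquoted_call alice '*')" "$(quoted_call alice '*')" )
  rm -rf "$dir"
}

# Trimming via xargs, as the PR does: xargs parses shell quotes, so the
# quotes in /PASSWORD:"a b" are consumed and never reach the callee.
trim_xargs() { echo "$1" | xargs; }

# Trimming via parameter expansion (no fork, quotes and backslashes untouched),
# the alternative CodeRabbit's agent prompt suggests.
trim_ws() {
  local s="$1"
  s="${s#"${s%%[![:space:]]*}"}"
  s="${s%"${s##*[![:space:]]}"}"
  printf '%s' "$s"
}

# Split a semicolon-separated VPNCMD_* value, trim each entry, skip blanks, and
# invoke the callee with word splitting enabled but globbing disabled (set -f /
# set +f). Prints "<command>:<argc>" per entry. Note the caveat the reviewers
# raised: even with quotes preserved by trim_ws, unquoted $cmd splits inside them.
run_vpncmd_list() {
  local cmd
  local -a cmds
  IFS=";" read -ra cmds <<<"$1"
  for cmd in "${cmds[@]}"; do
    cmd="$(trim_ws "$cmd")"
    [[ -n "$cmd" ]] || continue
    set -f
    # shellcheck disable=SC2086  # splitting is intended here; globbing is off
    printf '%s:%d\n' "${cmd%% *}" "$(count_args $cmd)"
    set +f
  done
}
```

Running `run_vpncmd_list 'UserCreate alice; UserPasswordSet alice /PASSWORD:"a b" ;; UserPasswordSet bob *'` reports `UserPasswordSet:4` for the quoted entry, showing that preserving quote characters is not the same as honouring them, while the trailing `*` stays literal under `set -f`.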
