🛡️ Sentinel: [MEDIUM] Fix shell script quoting and globbing vulnerabilities

[bluPhy]

This PR addresses multiple shell scripting vulnerabilities in copyables/entrypoint.sh. It enforces strict variable quoting, disables backslash interpretation in read, prevents format string injection, and safely handles dynamic command execution by disabling globbing. This ensures robust handling of user credentials and configuration commands.

---

PR created automatically by Jules for task 209830914703777865 started by @bluPhy

Summary by CodeRabbit

Release Notes

• Bug Fixes

  • Strengthened shell script security by improving variable quoting and input parsing to prevent unintended word-splitting, data loss, and potential injection vulnerabilities.

• Documentation

  • Added security documentation detailing best practices for variable quoting, safe input parsing, and globbing protection to prevent common shell scripting vulnerabilities.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

Walkthrough

A security documentation entry was added describing shell variable quoting and globbing vulnerabilities. Concurrently, an entrypoint shell script was hardened with consistent variable quoting, backslash-preserving read flags, and globbing controls to prevent word-splitting and unintended expansion risks.

Changes

Cohort / File(s)	Summary
Documentation .jules/sentinel.md	New note documenting shell script variable quoting vulnerability and prevention techniques: use read -r, quote variables as "$var", and control globbing with set -f/set +f.
Shell Script Hardening copyables/entrypoint.sh	Added variable quoting throughout (PSK, MTU, passwords, usernames); replaced read with read -r -a in loops to preserve literal input; introduced set -f/set +f around VPNCMD processing to prevent globbing; consistently quoted arguments in function calls and command substitutions.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Quotes guard the variables from splitting spree,
Read -r keeps backslashes wild and free,
Set -f tames the globs before they roam,
Shell safety brings us comfort at home! 🛡️

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: fixing shell script quoting and globbing vulnerabilities in the codebase. It directly reflects the core purpose of the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch sentinel-shell-security-fixes-209830914703777865

Important

Action Needed: IP Allowlist Update

If your organization protects your Git platform with IP whitelisting, please add the new CodeRabbit IP address to your allowlist:

• ✨ 136.113.208.247/32 (new)
• 34.170.211.100/32
• 35.222.179.152/32

Reviews will stop working after February 8, 2026 if the new IP is not added to your allowlist.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @bluPhy, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security and robustness of the entrypoint.sh script by addressing several critical shell scripting vulnerabilities. The changes ensure safer handling of sensitive configuration data and dynamic commands, mitigating risks such as data loss, command injection, and unintended file system interactions.

Highlights

• Enhanced Security through Strict Quoting: Implemented strict variable quoting in copyables/entrypoint.sh for sensitive parameters like PSK, MTU, and generated passwords, preventing word splitting and potential data truncation or misinterpretation.
• Prevention of Backslash Interpretation: Modified read commands in entrypoint.sh to include the -r option, disabling backslash interpretation during the parsing of user credentials and command strings, which enhances security and reliability.
• Mitigation of Format String Injection: Corrected printf statements in entrypoint.sh to properly quote variables (e.g., printf " %s" "$1"), thereby preventing potential format string injection vulnerabilities.
• Controlled Dynamic Command Execution: Introduced set -f and set +f around dynamic command executions within entrypoint.sh to temporarily disable globbing, ensuring that wildcards in command arguments are not expanded unintentionally.
• New Security Documentation: Added a new markdown file (.jules/sentinel.md) that documents the identified shell scripting vulnerabilities related to quoting and globbing, along with best practices for prevention.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• .jules/sentinel.md
  • Added a new file documenting shell script variable quoting and globbing vulnerabilities, including learning points and prevention strategies.
• copyables/entrypoint.sh
  • Quoted variables in vpncmd_server IPsecEnable and vpncmd_hub NatSet calls to prevent word splitting for parameters like PSK and MTU.
  • Modified printf calls in the adduser function to use printf " %s" "$1" to prevent format string injection.
  • Updated read commands for parsing USERS and user/password pairs to include the -r option, preventing backslash interpretation.
  • Ensured arguments passed to the adduser function are properly quoted.
  • Wrapped dynamic vpncmd_server and vpncmd_hub command executions with set -f and set +f to disable globbing.
  • Quoted the HPW and SPW variables when setting hub and server passwords to prevent word splitting.

Activity

• The pull request was automatically created by Jules for task 209830914703777865, initiated by @bluPhy.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@copyables/entrypoint.sh`:
- Around line 158-172: The loop reading into an array CMD (via read -r -a CMD)
only ever calls vpncmd_server or vpncmd_hub with $CMD which expands to ${CMD[0]}
and drops the rest; change the inner invocation to iterate all array elements —
e.g., after read -r -a CMD, loop over for entry in "${CMD[@]}"; do vpncmd_server
"$entry"; done (and likewise for vpncmd_hub) so every parsed semicolon-separated
command is executed.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Bug: Array expansion only uses first element, dropping subsequent commands.

ShellCheck SC2128 is correct here. When read -r -a CMD parses VPNCMD_SERVER by ; delimiter, multiple commands are stored in array elements. However, $CMD (line 161) expands only to ${CMD[0]}, silently discarding all other commands.

For example, if VPNCMD_SERVER="Cmd1 arg1;Cmd2 arg2":

• CMD=("Cmd1 arg1" "Cmd2 arg2")
• Only Cmd1 arg1 is executed; Cmd2 arg2 is lost

This differs from the USERS parsing (lines 141-146) which correctly iterates with for i in "${USER[@]}".

Proposed fix to iterate over all array elements

   if [[ $VPNCMD_SERVER ]]; then
     while IFS=";" read -r -a CMD; do
-      set -f
-      vpncmd_server $CMD
-      set +f
+      for c in "${CMD[@]}"; do
+        set -f
+        vpncmd_server $c
+        set +f
+      done
     done <<<"$VPNCMD_SERVER"
   fi
 
   if [[ $VPNCMD_HUB ]]; then
     while IFS=";" read -r -a CMD; do
-      set -f
-      vpncmd_hub $CMD
-      set +f
+      for c in "${CMD[@]}"; do
+        set -f
+        vpncmd_hub $c
+        set +f
+      done
     done <<<"$VPNCMD_HUB"
   fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if [[ $VPNCMD_SERVER ]]; then
	while IFS=";" read -ra CMD; do
	while IFS=";" read -r -a CMD; do
	set -f
	vpncmd_server $CMD
	set +f
	done <<<"$VPNCMD_SERVER"
	fi
	if [[ $VPNCMD_HUB ]]; then
	while IFS=";" read -ra CMD; do
	while IFS=";" read -r -a CMD; do
	set -f
	vpncmd_hub $CMD
	set +f
	done <<<"$VPNCMD_HUB"
	fi
	if [[ $VPNCMD_SERVER ]]; then
	while IFS=";" read -r -a CMD; do
	for c in "${CMD[@]}"; do
	set -f
	vpncmd_server "$c"
	set +f
	done
	done <<<"$VPNCMD_SERVER"
	fi
	if [[ $VPNCMD_HUB ]]; then
	while IFS=";" read -r -a CMD; do
	for c in "${CMD[@]}"; do
	set -f
	vpncmd_hub "$c"
	set +f
	done
	done <<<"$VPNCMD_HUB"
	fi

🧰 Tools

🪛 Shellcheck (0.11.0)

[warning] 161-161: Expanding an array without an index only gives the first element.

(SC2128)

---

[warning] 169-169: Expanding an array without an index only gives the first element.

(SC2128)

🤖 Prompt for AI Agents

In `@copyables/entrypoint.sh` around lines 158 - 172, The loop reading into an
array CMD (via read -r -a CMD) only ever calls vpncmd_server or vpncmd_hub with
$CMD which expands to ${CMD[0]} and drops the rest; change the inner invocation
to iterate all array elements — e.g., after read -r -a CMD, loop over for entry
in "${CMD[@]}"; do vpncmd_server "$entry"; done (and likewise for vpncmd_hub) so
every parsed semicolon-separated command is executed.

[gemini-code-assist]

Code Review

This pull request effectively hardens the entrypoint.sh script by implementing better variable quoting, preventing format string injection in printf, and disabling globbing during dynamic command execution, significantly improving its security and robustness. However, a critical logic error exists in the processing of VPNCMD_SERVER and VPNCMD_HUB environment variables. The current implementation only executes the first command in a semicolon-separated list, silently ignoring any additional commands, which could lead to security configurations being partially applied. This needs to be corrected to ensure all intended commands are executed.

[gemini-code-assist]

The logic for processing multiple commands in VPNCMD_SERVER is flawed. The current implementation only executes the first command, silently ignoring any additional commands. This critical vulnerability could lead to security configurations being partially applied. To ensure all commands are executed, you must iterate over all elements of the array.

Suggested change

	while IFS=";" read -r -a CMD; do
	set -f
	vpncmd_server $CMD
	set +f
	done <<<"$VPNCMD_SERVER"
	while IFS=";" read -r -a CMDS; do
	for CMD in "${CMDS[@]}"; do
	set -f
	vpncmd_server $CMD
	set +f
	done
	done <<<"$VPNCMD_SERVER"

[gemini-code-assist]

Similar to the VPNCMD_SERVER processing, the logic for VPNCMD_HUB is flawed. It only executes the first command in a semicolon-separated list, silently ignoring subsequent commands. This critical vulnerability could lead to security configurations being partially applied. To ensure all commands are executed, you must iterate over all elements of the array.

Suggested change

	while IFS=";" read -r -a CMD; do
	set -f
	vpncmd_hub $CMD
	set +f
	done <<<"$VPNCMD_HUB"
	while IFS=";" read -r -a CMDS; do
	for CMD in "${CMDS[@]}"; do
	set -f
	vpncmd_hub $CMD
	set +f
	done
	done <<<"$VPNCMD_HUB"