🛡️ Sentinel: Fix shell injection and parsing vulnerabilities in entrypoint.sh

[bluPhy]

This PR hardens the copyables/entrypoint.sh script by fixing several shell scripting vulnerabilities.

Security Fixes:

1. Variable Quoting: Added double quotes around variables (e.g., "$PSK", "$USERNAME") to prevent accidental word splitting and file globbing.
2. Password Safety: Switched to read -r to prevent backslashes in passwords/usernames from being interpreted as escape characters.
3. Globbing Prevention: Implemented set -f (noglob) when processing dynamic commands from VPNCMD_SERVER and VPNCMD_HUB to safely split arguments without expanding wildcards.
4. Format String Protection: Changed printf " $1" to printf " %s" "$1" in the adduser function.

Bug Fixes:

• Fixed the loop logic for VPNCMD_SERVER and VPNCMD_HUB to correctly iterate over all semicolon-separated commands (previously only the first command was executed).

Verification:
A verification script was created and run to confirm:

• Passwords with spaces are preserved.
• * in passwords does not expand to filenames.
• Backslashes in passwords are preserved.
• Multiple commands in environment variables are executed sequentially.

---

PR created automatically by Jules for task 12604410747989356806 started by @bluPhy

Summary by CodeRabbit

• Documentation

  • Added comprehensive security guidance covering shell script injection patterns and mitigation strategies.

• Bug Fixes

  • Improved robustness of script handling for special characters and spaces in inputs.
  • Enhanced input parsing and variable quoting to prevent injection vulnerabilities.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[gemini-code-assist]

Summary of Changes

Hello @bluPhy, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly improves the security posture and reliability of the entrypoint.sh script. It systematically addresses common shell scripting vulnerabilities such as command injection, unintended word splitting, and globbing, while also correcting a functional issue that prevented multiple commands from executing as intended. These changes ensure that sensitive data is handled more securely and that script operations are robust against malicious input.

Highlights

• Enhanced Shell Script Security: Implemented comprehensive fixes to prevent shell injection, including proper variable quoting, safe read usage, and globbing prevention.
• Corrected Command Execution: Fixed a bug in entrypoint.sh that previously caused only the first command in semicolon-separated lists for VPNCMD_SERVER and VPNCMD_HUB to execute, now ensuring all commands run.
• Format String Vulnerability Patch: Addressed a potential format string vulnerability in the adduser function by using printf " %s" "$1".
• New Security Documentation: Added a .jules/sentinel.md file detailing the identified shell script injection patterns and their prevention methods.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• .jules/sentinel.md
  • Added a new file documenting shell script injection patterns, detailing vulnerabilities related to unquoted variables, unsafe read usage, and providing prevention guidelines.
• copyables/entrypoint.sh
  • Applied double quotes to all variable expansions in if conditions, echo statements, and command arguments (e.g., CONFIG, USERNAME, PASSWORD, PSK, MTU, CERT, KEY, HPW, SPW) to prevent word splitting and globbing.
  • Modified the adduser function to use printf " %s" "$1" for safer output, mitigating format string vulnerabilities.
  • Refactored user creation logic for USERS environment variable to correctly parse semicolon-separated user:password pairs using IFS=';' read -ra and IFS=':' read -r, ensuring all users are added and backslashes in passwords are preserved.
  • Updated the processing of VPNCMD_SERVER and VPNCMD_HUB environment variables to correctly iterate and execute all semicolon-separated commands, wrapping each command execution with set -f and set +f to disable and re-enable globbing, respectively, preventing wildcard expansion.

Activity

• The pull request was automatically created by Jules for a task initiated by @bluPhy.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[coderabbitai]

Walkthrough

Introduces security guidance documentation for Shell Script Injection Patterns at .jules/sentinel.md and hardens the copyables/entrypoint.sh script by adding consistent variable quoting, array-based parsing, and safer command invocation practices to prevent injection vulnerabilities.

Changes

Cohort / File(s)	Summary
Security Documentation .jules/sentinel.md	New Markdown document detailing shell injection vulnerability patterns, learning notes about variable expansion pitfalls (unquoted variables, unsafe read, globbing), and four prevention mitigations: quoting expansions, using read -r, avoiding globbing with set -f, and preferring printf over echo for format safety.
Script Hardening copyables/entrypoint.sh	Hardens script with consistent quoting of variables (CONFIG, USERNAME, PASSWORD, PSK, MTU, CERT, KEY), filesystem test conditions, and echo/printf outputs. Refactors USERS, VPNCMD_SERVER, and VPNCMD_HUB parsing using IFS and arrays; quotes parameters in adduser and vpncmd function invocations; wraps vpncmd calls with set -f to prevent globbing; properly quotes password assignments for HPW and SPW.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

A rabbit hops through code so bright,
With quotes placed left and left right,
No injections shall pass today,
For variables are guarded well away! 🐰✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title directly addresses the main objective: fixing shell injection and parsing vulnerabilities in entrypoint.sh, which aligns with the security-focused changes documented in the objectives and file summaries.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch sentinel-entrypoint-security-12604410747989356806

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request significantly hardens the entrypoint.sh script by addressing several shell injection and parsing vulnerabilities. The changes, including consistent variable quoting, use of read -r, format string protection in printf, and safe execution of dynamic commands with set -f, are excellent security improvements. The logic for processing multiple users and commands from environment variables has also been corrected and clarified. I've added a few suggestions to further improve the script's robustness by adding checks for empty values when parsing user and command lists, making it more resilient to malformed input.

[gemini-code-assist]

The loop processing $USERS is much improved, but it could be made more robust. If $USERS contains empty segments (e.g., user1:pass1;;user2:pass2) or a pair without a username (e.g., :password), the script will attempt to create a user with an empty username. It's good practice to validate that the username is not empty before proceeding to avoid potential errors.

Suggested change

	for pair in "${USER_PAIRS[@]}"; do
	# Split by colon into username and password
	IFS=':' read -r username password <<<"$pair"
	# echo "Creating user: ${username}"
	adduser $username $password
	done
	done <<<"$USERS"
	adduser "$username" "$password"
	done
	for pair in "${USER_PAIRS[@]}"; do
	# Split by colon into username and password
	IFS=':' read -r username password <<<"$pair"
	if [ -n "$username" ]; then
	adduser "$username" "$password"
	fi
	done

[gemini-code-assist]

This loop for processing $VPNCMD_SERVER commands could be more robust. If $VPNCMD_SERVER contains empty commands (e.g., cmd1;;cmd2), the loop will execute vpncmd_server with no arguments, which may lead to unexpected behavior. It's safer to skip empty commands.

Additionally, running the command in a subshell (...) is a cleaner way to temporarily disable globbing (set -f) without affecting the parent shell's state.

Suggested change

	for cmd in "${CMDS[@]}"; do
	set -f
	vpncmd_server $cmd
	set +f
	done
	for cmd in "${CMDS[@]}"; do
	if [ -n "$cmd" ]; then
	(set -f; vpncmd_server $cmd)
	fi
	done

[gemini-code-assist]

This loop for processing $VPNCMD_HUB commands has the same potential issue as the $VPNCMD_SERVER loop. If $VPNCMD_HUB contains empty commands, vpncmd_hub will be called without arguments. It's best to add a check to skip empty commands for robustness.

Using a subshell is also recommended here to temporarily disable globbing.

Suggested change

	for cmd in "${CMDS[@]}"; do
	set -f
	vpncmd_hub $cmd
	set +f
	done
	for cmd in "${CMDS[@]}"; do
	if [ -n "$cmd" ]; then
	(set -f; vpncmd_hub $cmd)
	fi
	done