🛡️ Sentinel: [HIGH] Fix shell injection and unquoted variables

[bluPhy]

🚨 Severity: HIGH
💡 Vulnerability: Unquoted variables in entrypoint.sh allowed argument splitting and glob expansion.
🎯 Impact: Passwords with spaces were mishandled; wildcards could trigger unexpected file matching.
🔧 Fix: Applied proper quoting, read -r, and fixed printf usage. Also fixed paths in gencert.sh.
✅ Verification: Verified with reproduction script and syntax checks.

---

PR created automatically by Jules for task 16747109593899495064 started by @bluPhy

Summary by CodeRabbit

Release Notes

• Documentation

  • New security guidance document covering shell script injection vulnerabilities and prevention best practices.

• Bug Fixes

  • Strengthened shell script safety with improved variable quoting and argument handling.
  • Updated executable paths for VPN server components to correct system locations.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

Walkthrough

This pull request addresses shell script injection risks through security documentation and code hardening. It introduces a vulnerability guide at .jules/sentinel.md, applies proper variable quoting and read flag improvements to entrypoint.sh, and updates executable paths in gencert.sh to use /usr/local/bin/ instead of /usr/bin/.

Changes

Cohort / File(s)	Summary
Security Documentation .jules/sentinel.md	New guide documenting Shell Script Injection risks, focusing on unquoted variable expansion, argument splitting, glob expansion, and prevention strategies.
Script Hardening copyables/entrypoint.sh	Applied defensive quoting around all variable expansions and filesystem checks. Updated read invocations to use -r flag. Ensured proper quoting of function arguments and command substitutions throughout user creation and VPN command handling.
Executable Path Updates copyables/gencert.sh	Updated vpnserver and vpncmd executable paths from /usr/bin/ to /usr/local/bin/ across server start, OpenVPN enable, and certificate retrieval commands.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 With whiskers raised and ears alert,
I've quoted vars to prevent hurt,
From injection's sneaky, curly way,
Our scripts are safer now—hip hooray! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: fixing shell injection vulnerabilities through proper quoting of variables.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch sentinel/fix-shell-injection-16747109593899495064

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @bluPhy, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical high-severity shell injection vulnerability within the entrypoint.sh script by implementing secure coding practices such as proper variable quoting and safe input reading. These changes prevent malicious argument splitting and glob expansion, which could previously lead to mishandled passwords or unexpected command execution. Additionally, it corrects binary paths in gencert.sh for consistency and introduces documentation to educate on the vulnerability and its prevention, significantly enhancing the security and robustness of the system.

Highlights

• Shell Injection Prevention: Implemented robust shell quoting ("$VAR") in entrypoint.sh to prevent shell injection vulnerabilities arising from unquoted variables, which previously allowed argument splitting and glob expansion.
• Secure Input Reading: Adopted read -r in entrypoint.sh to disable backslash interpretation, enhancing security when processing user input and preventing unintended command execution.
• Format String Vulnerability Mitigation: Corrected printf usage in entrypoint.sh to printf " %s" "$1" to mitigate potential format string vulnerabilities when outputting variable content.
• Path Correction: Updated binary paths in gencert.sh from /usr/bin to /usr/local/bin for vpnserver and vpncmd, ensuring correct execution paths.
• Vulnerability Documentation: Added a new markdown document (.jules/sentinel.md) to detail the shell injection vulnerability, its impact, and best practices for prevention, serving as a learning resource.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• .jules/sentinel.md
  • New file added documenting a shell script injection vulnerability.
  • Details the risks of unquoted variables, specifically argument splitting and glob expansion.
  • Provides prevention guidelines: always quote variables, use read -r, and printf " %s" "$VAR".
• copyables/entrypoint.sh
  • Variables like $CONFIG, $USERS, $PASSWORD, and $CMD are now consistently quoted (e.g., "$CONFIG") to prevent shell expansion issues.
  • read commands now use the -r option (e.g., read -r -a USER, read -r username password) to prevent backslash escapes from being interpreted.
  • printf statements for user-provided arguments are updated to printf " %s" "$1" to prevent format string vulnerabilities.
• copyables/gencert.sh
  • Updated all occurrences of /usr/bin/vpnserver and /usr/bin/vpncmd to /usr/local/bin/vpnserver and /usr/local/bin/vpncmd respectively, ensuring correct binary execution paths.

Activity

• This pull request was automatically generated by Jules for a task initiated by @bluPhy.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request effectively addresses critical shell injection vulnerabilities by consistently quoting variables and using read -r in entrypoint.sh, which significantly enhances script security and updates paths in gencert.sh. While these changes prevent argument splitting and glob expansion, a regression has been introduced in the fix for processing custom VPN commands via the VPNCMD_SERVER and VPNCMD_HUB environment variables. This flaw causes only the first command in a list to be processed and fails if that command contains arguments, potentially preventing users from applying necessary security configurations.

[gemini-code-assist]

The fix for processing VPNCMD_SERVER commands is incorrect and introduces a regression.

1. Array Handling: CMD is an array created by read -a. In bash, "$CMD" only expands to the first element of the array ("${CMD[0]}").
2. Argument Splitting: By quoting "$CMD", the shell passes the entire command string (including arguments) as a single argument to the vpncmd_server function. Since vpncmd expects the command and its arguments as separate parameters, this will cause commands with arguments to fail.
3. Logic Error: The read -a command with IFS=";" splits the entire input string into the array. The while loop only executes once because read consumes the whole line. Since only the first element of the array is used, all subsequent commands in the semicolon-separated list are ignored.

This breaks the custom configuration functionality and can lead to a failure to apply important security settings.

Suggested change

	while IFS=";" read -r -a CMD; do
	vpncmd_server "$CMD"
	done <<<"$VPNCMD_SERVER"
	while IFS=";" read -r -a CMDS; do
	for cmd in "${CMDS[@]}"; do
	vpncmd_server $cmd
	done
	done <<<"$VPNCMD_SERVER"

[gemini-code-assist]

Same issue as with VPNCMD_SERVER. The current implementation only executes the first command and fails if it has arguments.

Suggested change

	while IFS=";" read -r -a CMD; do
	vpncmd_hub "$CMD"
	done <<<"$VPNCMD_HUB"
	while IFS=";" read -r -a CMDS; do
	for cmd in "${CMDS[@]}"; do
	vpncmd_hub $cmd
	done
	done <<<"$VPNCMD_HUB"

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@copyables/entrypoint.sh`:
- Around line 158-168: The loops reading VPNCMD_SERVER and VPNCMD_HUB currently
use read -a CMD but call vpncmd_server/vpncmd_hub with "$CMD" which expands to
only ${CMD[0]}; change each while-read block to iterate the array elements (use
"${CMD[@]}" or an inner for-loop) and call vpncmd_server or vpncmd_hub once per
element so every semicolon-separated command is executed (refer to
VPNCMD_SERVER, VPNCMD_HUB, the CMD array, and functions
vpncmd_server/vpncmd_hub).

🧹 Nitpick comments (3)

copyables/gencert.sh (1)

4-4: Redirect order 2>&1 >/dev/null does not suppress stderr.

The current order redirects stderr to the original stdout (the terminal) and then redirects stdout to /dev/null. So stderr still reaches the caller. If the intent is to silence both streams, the correct order is >/dev/null 2>&1. This pre-dates your change, but since you're touching these lines anyway it's worth fixing. The same pattern also appears in entrypoint.sh (lines 62, 68, 112, 178).

Proposed fix

-/usr/local/bin/vpnserver start 2>&1 >/dev/null
+/usr/local/bin/vpnserver start >/dev/null 2>&1

-    /usr/local/bin/vpncmd localhost /SERVER /CSV /CMD OpenVpnEnable yes /PORTS:1194 2>&1 >/dev/null
+    /usr/local/bin/vpncmd localhost /SERVER /CSV /CMD OpenVpnEnable yes /PORTS:1194 >/dev/null 2>&1

Also applies to: 10-10

copyables/entrypoint.sh (2)

62-62: Same 2>&1 >/dev/null redirect-order issue as in gencert.sh.

See the comment on gencert.sh — 2>&1 must come after >/dev/null to actually suppress stderr. All four lines here have the same problem.

Also applies to: 68-68, 112-112, 178-178

---

79-79: Several variable expansions on unchanged lines are still unquoted.

Given the PR's goal of fixing unquoted variables, these are worth addressing for consistency:

• Line 79: /PSK:${PSK} → /PSK:"${PSK}"
• Line 86: /MTU:$MTU → /MTU:"$MTU"
• Line 172: ${HPW} → "${HPW}"
• Line 176: ${SPW} → "${SPW}"

Passwords and secrets with special characters would still be vulnerable to word-splitting here.

Also applies to: 86-86, 172-172, 176-176

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Bug: "$CMD" only expands to the first array element — all commands after the first semicolon are silently dropped.

read -r -a CMD splits the input by IFS=";" into an array, but "$CMD" (without an index) is equivalent to "${CMD[0]}". This means only the first semicolon-separated command is executed; the rest are silently ignored. ShellCheck SC2128 flags this exact issue.

Compare with the USERS block (lines 141–146) which correctly uses an inner for loop to iterate all array elements. Apply the same pattern here:

Proposed fix

   if [[ "$VPNCMD_SERVER" ]]; then
     while IFS=";" read -r -a CMD; do
-      vpncmd_server "$CMD"
+      for c in "${CMD[@]}"; do
+        vpncmd_server "$c"
+      done
     done <<<"$VPNCMD_SERVER"
   fi
 
   if [[ "$VPNCMD_HUB" ]]; then
     while IFS=";" read -r -a CMD; do
-      vpncmd_hub "$CMD"
+      for c in "${CMD[@]}"; do
+        vpncmd_hub "$c"
+      done
     done <<<"$VPNCMD_HUB"
   fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if [[ "$VPNCMD_SERVER" ]]; then
	while IFS=";" read -r -a CMD; do
	vpncmd_server "$CMD"
	done <<<"$VPNCMD_SERVER"
	fi
	if [[ $VPNCMD_HUB ]]; then
	while IFS=";" read -ra CMD; do
	vpncmd_hub $CMD
	if [[ "$VPNCMD_HUB" ]]; then
	while IFS=";" read -r -a CMD; do
	vpncmd_hub "$CMD"
	done <<<"$VPNCMD_HUB"
	fi
	if [[ "$VPNCMD_SERVER" ]]; then
	while IFS=";" read -r -a CMD; do
	for c in "${CMD[@]}"; do
	vpncmd_server "$c"
	done
	done <<<"$VPNCMD_SERVER"
	fi
	if [[ "$VPNCMD_HUB" ]]; then
	while IFS=";" read -r -a CMD; do
	for c in "${CMD[@]}"; do
	vpncmd_hub "$c"
	done
	done <<<"$VPNCMD_HUB"
	fi

🧰 Tools

🪛 Shellcheck (0.11.0)

[warning] 160-160: Expanding an array without an index only gives the first element.

(SC2128)

---

[warning] 166-166: Expanding an array without an index only gives the first element.

(SC2128)

🤖 Prompt for AI Agents

In `@copyables/entrypoint.sh` around lines 158 - 168, The loops reading
VPNCMD_SERVER and VPNCMD_HUB currently use read -a CMD but call
vpncmd_server/vpncmd_hub with "$CMD" which expands to only ${CMD[0]}; change
each while-read block to iterate the array elements (use "${CMD[@]}" or an inner
for-loop) and call vpncmd_server or vpncmd_hub once per element so every
semicolon-separated command is executed (refer to VPNCMD_SERVER, VPNCMD_HUB, the
CMD array, and functions vpncmd_server/vpncmd_hub).