From c8037984f9084f26a42f904c6a2670f12c952be1 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 28 Jan 2026 10:34:10 +0000
Subject: [PATCH] shield: harden entrypoint.sh with quoting and logic fixes
Co-authored-by: bluPhy <11618798+bluPhy@users.noreply.github.com>
---
 .jules/sentinel.md | 6 ++++++
 copyables/entrypoint.sh | 24 ++++++++++++++----------
 2 files changed, 20 insertions(+), 10 deletions(-)
 create mode 100644 .jules/sentinel.md
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..d8b82a1
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,6 @@
+# Sentinel's Security Journal
+
+## 2025-02-18 - Shell Script Variable Expansion & Read Pitfalls
+**Vulnerability:** Shell script variable expansion and input reading logic flaws.
+**Learning:** `read` without `-r` interprets backslashes, leading to data corruption (e.g., in passwords). Unquoted array expansion coupled with logic errors can result in incomplete execution of commands (only first command executed in a list).
+**Prevention:** Always use `read -r`. Always quote variables. When iterating over lists in shell, verify loop logic and array expansion behavior.
diff --git a/copyables/entrypoint.sh b/copyables/entrypoint.sh
index 0d224a0..a5cfaa4 100644
--- a/copyables/entrypoint.sh
+++ b/copyables/entrypoint.sh
@@ -25,7 +25,7 @@ set -e
 CONFIG=/var/lib/softether/vpn_server.config
-if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
+if [ ! -f "$CONFIG" ] || [ ! -s "$CONFIG" ]; then
 # Generate a random PSK if not provided
 : ${PSK:=$(cat /dev/urandom | tr -dc 'A-Za-z0-9' | fold -w 20 | head -n 1)}
@@ -138,15 +138,15 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
 printf '# Creating user(s):'
 if [[ $USERS ]]; then
-while IFS=';' read -ra USER; do
+while IFS=';' read -r -a USER; do
 for i in "${USER[@]}"; do
-IFS=':' read username password <<<"$i"
+IFS=':' read -r username password <<<"$i"
 # echo "Creating user: ${username}"
-adduser $username $password
+adduser "$username" "$password"
 done
 done <<<"$USERS"
 else
-adduser $USERNAME $PASSWORD
+adduser "$USERNAME" "$PASSWORD"
 fi
 echo
@@ -156,14 +156,18 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
 # handle VPNCMD_* commands right before setting admin passwords
 if [[ $VPNCMD_SERVER ]]; then
-while IFS=";" read -ra CMD; do
-vpncmd_server $CMD
+while IFS=";" read -r -a CMDS; do
+for cmd in "${CMDS[@]}"; do
+vpncmd_server $cmd
+done
 done <<<"$VPNCMD_SERVER"
 fi
 if [[ $VPNCMD_HUB ]]; then
-while IFS=";" read -ra CMD; do
-vpncmd_hub $CMD
+while IFS=";" read -r -a CMDS; do
+for cmd in "${CMDS[@]}"; do
+vpncmd_hub $cmd
+done
 done <<<"$VPNCMD_HUB"
 fi
@@ -191,7 +195,7 @@ else
 fi
 if [[ -d "/opt/scripts/" ]]; then
-while read _script; do
+while read -r _script; do
 echo >&2 ":: executing $_script..."
 bash -n "$_script" && bash "$_script"
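Review bot: Quoting `"$password"` on the `adduser "$username" "$password"` line changes the call's arity for a USERS entry that has no `:` — the old code passed one argument, the new code passes `adduser "bob" ""` — and an empty field (for example from a doubled `;`) now reaches `adduser "" ""`; neither malformed case is rejected before the call. A guard ahead of the adduser line, `[[ -n "$username" && -n "$password" ]] || { echo >&2 ":: skipping malformed USERS entry"; continue; }`, stops an account with an empty name or password from being created from a typo in the environment. How `adduser` itself treats an empty argument is not visible here. The enclosing `if [ ! -f "$CONFIG" ]` block starts before this hunk.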
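Review bot: `$cmd` on the `vpncmd_server $cmd` and `vpncmd_hub $cmd` lines is the one expansion this commit leaves unquoted, so each command string is still word-split on the default IFS and glob-expanded — nothing visible sets `set -f`, so a value containing `*` or `?` would be replaced by matching filenames in the working directory. If splitting is intended so that a subcommand and its arguments reach the function as separate words, do it without globbing: `read -r -a argv <<<"$cmd"` followed by `vpncmd_server "${argv[@]}"` (and the same for `vpncmd_hub`), with a comment saying the split is deliberate; if the functions expect one string, `vpncmd_server "$cmd"` is the fix. Whether these functions place their arguments on the vpncmd command line is not visible here; if they do, VPNCMD_* values that set passwords would be readable in process listings, which is worth a comment at the top of the block. The enclosing `if [ ! -f "$CONFIG" ]` block starts before this hunk.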