🛡️ Sentinel: [HIGH] Fix shell quoting and command processing vulnerabilities

[bluPhy]

🛡️ Sentinel: [HIGH] Fix shell quoting and command processing vulnerabilities

🚨 Severity: HIGH
💡 Vulnerability:

1. Unquoted variables in adduser loop caused password truncation if passwords contained spaces or glob characters.
2. read without -r flag interpreted backslashes in passwords and commands, causing data corruption.
3. Logic error in VPNCMD_* environment variable processing caused only the first command to be executed.
4. Unprotected expansion of VPNCMD_* commands allowed shell globbing (wildcard expansion), potentially altering arguments unpredictably.

🎯 Impact:

• Users attempting to set strong passwords with spaces would have them silently truncated to the first word, leading to weak authentication.
• Backslashes in passwords would be stripped or altered.
• Security configurations passed via VPNCMD_SERVER (e.g., disabling logs after enabling cipher) might fail silently if passed as multiple commands.
• Unexpected file globbing could interfere with command arguments.

🔧 Fix:

• Quoted $username and $password in adduser calls.
• Added -r to all read commands.
• Refactored VPNCMD_* loops to correctly iterate over all semicolon-separated commands.
• Wrapped dynamic command execution in set -f / set +f to disable globbing while preserving argument splitting.

✅ Verification:

• Verified syntax with bash -n.
• Verified logic with reproduction scripts demonstrating that spaces in passwords are preserved and multiple commands are executed without globbing side effects.

---

PR created automatically by Jules for task 12595697505069078969 started by @bluPhy

Summary by CodeRabbit

• Documentation

  • Added guidance on Bash scripting security best practices, covering input handling and variable quoting.

• Bug Fixes

  • Hardened shell script input parsing to prevent word splitting and glob expansion vulnerabilities.
  • Improved user creation and command processing with proper quoting and controlled expansion.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

Walkthrough

A documentation file detailing Bash scripting vulnerabilities is added, and an entrypoint script is refactored to improve input parsing security. Changes include using quoted variables, the -r flag for read, array-based iteration with controlled file globbing, and explicit quoting when invoking commands to prevent word-splitting and glob expansion issues.

Changes

Cohort / File(s)	Summary
Security Documentation .jules/sentinel.md	New documentation outlining Bash vulnerabilities related to unquoted variables in loops, including word-splitting, glob expansion, and backslash interpretation issues. Details correct quoting practices and input handling recommendations.
Script Security Improvements copyables/entrypoint.sh	Refactored user creation and VPNCMD handling: user parsing now uses read -r with quoted variable expansion; VPNCMD blocks switch from while-read loops to array-based iteration with controlled globbing (set -f/set +f), improving robustness against spaces and escape sequences.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Through shell scripts I hop with careful delight,
With quotes wrapped around variables, everything's tight!
No word-splitting tricks, no globbing gone wild—
Read with the -r flag keeps the script safe and mild! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main change: fixing shell quoting and command processing vulnerabilities. It accurately reflects the primary objective of the PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch sentinel/fix-shell-vulnerabilities-12595697505069078969

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @bluPhy, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses several high-severity shell scripting vulnerabilities within the Sentinel system's initialization process. The changes ensure robust handling of user inputs, particularly passwords, and correct execution of administrative commands, significantly improving the system's security posture and operational reliability by preventing data corruption and unintended command behavior.

Highlights

• Shell Quoting in adduser: Ensured proper quoting of "$username" and "$password" variables in adduser calls to prevent truncation or corruption when passwords contain spaces or glob characters.
• read -r Usage: Implemented the -r flag in all read commands to prevent backslashes in input (like passwords) from being interpreted, thus avoiding data corruption.
• VPNCMD_ Command Processing*: Refactored the logic for VPNCMD_SERVER and VPNCMD_HUB environment variables to correctly parse and execute all semicolon-separated commands, fixing a bug where only the first command was processed.
• Globbing Prevention: Wrapped dynamic command execution for VPNCMD_* variables with set -f and set +f to temporarily disable shell globbing, preventing unpredictable argument alterations.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request effectively addresses several critical security vulnerabilities related to shell quoting and command processing in entrypoint.sh. The fixes for unquoted variables in adduser, using read -r, and correcting the command processing loop logic are well-implemented. However, the new implementation for handling VPNCMD_* commands, while correctly preventing globbing, introduces a flaw where command arguments containing spaces will be parsed incorrectly. I've provided suggestions to use xargs for robust, quote-aware parsing of these command strings, which is safer than using eval.

[gemini-code-assist]

While set -f correctly prevents globbing, the unquoted expansion of $cmd performs word splitting that doesn't respect quotes within the command string. This will cause arguments containing spaces to be split incorrectly. For example, a command like UserSetPassword user "new password" would be broken. Using xargs can parse the command string correctly and handle quoted arguments, providing a safer alternative to eval.

Suggested change

	for cmd in "${CMDS[@]}"; do
	vpncmd_server $cmd
	done
	for cmd in "${CMDS[@]}"; do
	# Use xargs to correctly parse the command string, respecting quoted arguments.
	# This is safer than `eval` as it doesn't perform command substitution.
	# The vpncmd_server function is inlined here to be callable from xargs.
	echo "$cmd" | xargs --no-run-if-empty /usr/local/bin/vpncmd localhost /SERVER /CSV /CMD
	done

[gemini-code-assist]

Similar to the VPNCMD_SERVER loop, the unquoted expansion of $cmd here will incorrectly split arguments that contain spaces. Using xargs provides a robust way to parse the command string while respecting quotes.

Suggested change

	for cmd in "${CMDS[@]}"; do
	vpncmd_hub $cmd
	done
	for cmd in "${CMDS[@]}"; do
	# Use xargs to correctly parse the command string, respecting quoted arguments.
	# This is safer than `eval` as it doesn't perform command substitution.
	# The vpncmd_hub function is inlined here to be callable from xargs.
	echo "$cmd" | xargs --no-run-if-empty /usr/local/bin/vpncmd localhost /SERVER /CSV /HUB:DEFAULT /CMD
	done

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@copyables/entrypoint.sh`:
- Around line 159-164: The loop that splits VPNCMD_SERVER into CMDS uses IFS=";"
read -ra CMDS <<<"$VPNCMD_SERVER" which omits the -r flag and thus allows
backslashes to be processed as escape sequences; update the read usage (both
here and in the similar block handling VPNCMD_* arrays) to use read -r -a (e.g.,
read -r -a CMDS) so backslashes are preserved in command arguments passed to
vpncmd_server, leaving IFS and the rest of the loop intact.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, locate and read the entrypoint.sh file
find . -name "entrypoint.sh" -type f | head -20

Repository: bluPhy/docker-softether

Length of output: 92

---

🏁 Script executed:

# If found, let's read the relevant lines from the file
# Read around lines 159-164 and 168-173
if [ -f "copyables/entrypoint.sh" ]; then
  echo "=== Lines 155-175 of copyables/entrypoint.sh ==="
  sed -n '155,175p' copyables/entrypoint.sh | cat -n
fi

Repository: bluPhy/docker-softether

Length of output: 687

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
VPNCMD_SERVER='CmdA /ARG:pa\\ss;CmdB'
echo "Testing read behavior with and without -r flag:"
echo "Input: $VPNCMD_SERVER"
echo ""

IFS=";" read -a CMDS <<<"$VPNCMD_SERVER"
printf 'without -r: %q\n' "${CMDS[@]}"

IFS=";" read -r -a CMDS <<<"$VPNCMD_SERVER"
printf 'with -r: %q\n' "${CMDS[@]}"

Repository: bluPhy/docker-softether

Length of output: 234

---

Add -r to VPNCMD array reads to preserve backslashes in command arguments.

Lines 160 and 169 use read -a without -r, causing backslashes in VPNCMD_* commands to be interpreted as escape sequences. Without the -r flag, double backslashes are consumed and become single backslashes, which alters the intended command arguments.

Proposed fix

-    IFS=";" read -ra CMDS <<<"$VPNCMD_SERVER"
+    IFS=";" read -r -a CMDS <<<"$VPNCMD_SERVER"

-    IFS=";" read -ra CMDS <<<"$VPNCMD_HUB"
+    IFS=";" read -r -a CMDS <<<"$VPNCMD_HUB"

Also applies to: 168-173

🤖 Prompt for AI Agents

In `@copyables/entrypoint.sh` around lines 159 - 164, The loop that splits
VPNCMD_SERVER into CMDS uses IFS=";" read -ra CMDS <<<"$VPNCMD_SERVER" which
omits the -r flag and thus allows backslashes to be processed as escape
sequences; update the read usage (both here and in the similar block handling
VPNCMD_* arrays) to use read -r -a (e.g., read -r -a CMDS) so backslashes are
preserved in command arguments passed to vpncmd_server, leaving IFS and the rest
of the loop intact.