From 011563996264f01840f6d6559ba5a314512d56e6 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Thu, 29 Jan 2026 10:27:36 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[HIGH]=20Fi?=
 =?UTF-8?q?x=20shell=20quoting=20and=20command=20processing=20vulnerabilit?=
 =?UTF-8?q?ies?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Fix password truncation by quoting variables in adduser
- Prevent backslash interpretation with read -r
- Fix logic error to execute all VPNCMD_* commands
- Disable globbing during command processing to prevent injection
Co-authored-by: bluPhy <11618798+bluPhy@users.noreply.github.com>
---
 .jules/sentinel.md | 4 ++++
 copyables/entrypoint.sh | 24 +++++++++++++++---------
 2 files changed, 19 insertions(+), 9 deletions(-)
 create mode 100644 .jules/sentinel.md
diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..a26a8a6
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2025-05-23 - Shell Script Variable Quoting and Globbing
+**Vulnerability:** Found unquoted variables in `adduser` loop allowing password truncation/corruption (spaces/globs), and `VPNCMD_*` command processing vulnerable to glob injection and logic error (ignoring subsequent commands).
+**Learning:** In bash, unquoted variables are subject to word splitting and glob expansion. `read` without `-r` interprets backslashes. Loops over `read` output need careful logic to ensure all input is processed.
+**Prevention:** Always quote variables (`"$var"`) unless word splitting is explicitly intended. Use `read -r`. Use `set -f` when relying on word splitting but wanting to avoid globbing. Verify loop logic for multi-line/delimiter processing.
diff --git a/copyables/entrypoint.sh b/copyables/entrypoint.sh
index 0d224a0..7eb0393 100644
--- a/copyables/entrypoint.sh
+++ b/copyables/entrypoint.sh
@@ -140,13 +140,13 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
 if [[ $USERS ]]; then
 while IFS=';' read -ra USER; do
 for i in "${USER[@]}"; do
- IFS=':' read username password <<<"$i"
+ IFS=':' read -r username password <<<"$i"
 # echo "Creating user: ${username}"
- adduser $username $password
+ adduser "$username" "$password"
 done
 done <<<"$USERS"
 else
- adduser $USERNAME $PASSWORD
+ adduser "$USERNAME" "$PASSWORD"
 fi
 echo
@@ -156,15 +156,21 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
 # handle VPNCMD_* commands right before setting admin passwords
 if [[ $VPNCMD_SERVER ]]; then
- while IFS=";" read -ra CMD; do
- vpncmd_server $CMD
- done <<<"$VPNCMD_SERVER"
+ set -f
+ IFS=";" read -ra CMDS <<<"$VPNCMD_SERVER"
+ for cmd in "${CMDS[@]}"; do
+ vpncmd_server $cmd
+ done
+ set +f
 fi
 if [[ $VPNCMD_HUB ]]; then
- while IFS=";" read -ra CMD; do
- vpncmd_hub $CMD
- done <<<"$VPNCMD_HUB"
+ set -f
+ IFS=";" read -ra CMDS <<<"$VPNCMD_HUB"
+ for cmd in "${CMDS[@]}"; do
+ vpncmd_hub $cmd
+ done
+ set +f
 fi
 # set password for hub
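Review bot: The `IFS=':' read -r username password <<<"$i"` line still accepts entries that have no colon or an empty password, so an element like `alice` (or the empty element a `;;` in `USERS` produces) reaches `adduser` with `$password` empty, and now that the arguments are quoted that empty string is passed as a real second argument rather than dropped as before. A guard before the call would make the malformed entry visible instead of silently creating an account with an empty or unintended password, without echoing the secret itself: `[[ -n "$username" && -n "$password" ]] || { echo "skipping malformed USERS entry for '$username'" >&2; continue; }`. Whether `adduser` here is a function of this script or the system binary is not visible in the hunk, so what it does with an empty argument cannot be judged from here; the enclosing `if [ ! -f $CONFIG ]` block begins and ends outside the hunk.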
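Review bot: The `set +f` closing each new block unconditionally re-enables pathname expansion, so if the script already ran with `noglob` (set earlier in the file or inherited from a caller that sources it), that state is silently lost after the first `VPNCMD_*` variable is processed. The `set -f`/`set +f` pair is only needed because `vpncmd_server $cmd` relies on unquoted expansion to split the command into arguments; `read -ra` does that word splitting without any pathname expansion, so the same effect is obtained with an array and no change to global shell flags (the `VPNCMD_HUB` block gets the same shape with `vpncmd_hub`). Skipping elements that split to nothing also avoids invoking `vpncmd_server` with no arguments for a stray `;;`, unless that call is meaningful; `vpncmd_server` and `vpncmd_hub` are defined outside the hunk, so how they pass these arguments onward was not checked here.
```shell
if [[ $VPNCMD_SERVER ]]; then
  IFS=";" read -ra CMDS <<<"$VPNCMD_SERVER"
  for cmd in "${CMDS[@]}"; do
    # default IFS splits on blanks; read never globs, so no set -f is needed
    read -ra args <<<"$cmd"
    [[ ${#args[@]} -gt 0 ]] || continue
    vpncmd_server "${args[@]}"
  done
fi
# … unchanged: VPNCMD_HUB block, same shape with vpncmd_hub …
```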