4 changes: 4 additions & 0 deletions .jules/sentinel.md
@@ -0,0 +1,4 @@
## 2025-05-23 - Shell Script Variable Quoting and Globbing
**Vulnerability:** Found unquoted variables in `adduser` loop allowing password truncation/corruption (spaces/globs), and `VPNCMD_*` command processing vulnerable to glob injection and logic error (ignoring subsequent commands).
**Learning:** In bash, unquoted variables are subject to word splitting and glob expansion. `read` without `-r` interprets backslashes. Loops over `read` output need careful logic to ensure all input is processed.
**Prevention:** Always quote variables (`"$var"`) unless word splitting is explicitly intended. Use `read -r`. Use `set -f` when relying on word splitting but wanting to avoid globbing. Verify loop logic for multi-line/delimiter processing.
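Review bot: the Prevention line's `read -r` advice is already met by the VPNCMD loops this PR changes in copyables/entrypoint.sh, which use `read -ra CMDS` (`-ra` is the combined form of `-r -a`), so the open gap against these three rules is the unquoted `$cmd` expansion the same diff leaves in place, which the rule permits only "unless word splitting is explicitly intended". Suggest the entry say so explicitly, for example "the VPNCMD_* loops rely on intended word splitting under `set -f`, so quoted arguments inside a command string are not supported", so a later reader does not mistake that unquoted expansion for an oversight.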
24 changes: 15 additions & 9 deletions copyables/entrypoint.sh
@@ -140,13 +140,13 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
if [[ $USERS ]]; then
while IFS=';' read -ra USER; do
for i in "${USER[@]}"; do
IFS=':' read username password <<<"$i"
IFS=':' read -r username password <<<"$i"
# echo "Creating user: ${username}"
adduser $username $password
adduser "$username" "$password"
done
done <<<"$USERS"
else
adduser $USERNAME $PASSWORD
adduser "$USERNAME" "$PASSWORD"
fi

echo
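Review bot: quoting `"$password"` in the new `adduser "$username" "$password"` lines changes the call's arity when the password is empty (a `USERS` entry with no `:`, where `IFS=':' read -r username password` leaves `password` unset): previously the empty unquoted expansion vanished and `adduser` received one argument, now it receives an explicit empty second argument. That is the right behaviour for passwords containing spaces, but please confirm that `adduser` rejects or reports an empty `$2` rather than silently creating an account with an empty password. Separately, the hunk's context line `if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]` still leaves `$CONFIG` unquoted, which the sentinel entry added in this same PR says to avoid; quoting it here would keep the fix consistent with its own rule.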
@@ -156,15 +156,21 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then

# handle VPNCMD_* commands right before setting admin passwords
if [[ $VPNCMD_SERVER ]]; then
while IFS=";" read -ra CMD; do
vpncmd_server $CMD
done <<<"$VPNCMD_SERVER"
set -f
IFS=";" read -ra CMDS <<<"$VPNCMD_SERVER"
for cmd in "${CMDS[@]}"; do
vpncmd_server $cmd
done
Comment on lines +161 to +163

high

While set -f correctly prevents globbing, the unquoted expansion of $cmd performs word splitting that doesn't respect quotes within the command string. This will cause arguments containing spaces to be split incorrectly. For example, a command like UserSetPassword user "new password" would be broken. Using xargs can parse the command string correctly and handle quoted arguments, providing a safer alternative to eval.

Suggested change
for cmd in "${CMDS[@]}"; do
vpncmd_server $cmd
done
for cmd in "${CMDS[@]}"; do
# Use xargs to correctly parse the command string, respecting quoted arguments.
# This is safer than `eval` as it doesn't perform command substitution.
# The vpncmd_server function is inlined here to be callable from xargs.
echo "$cmd" | xargs --no-run-if-empty /usr/local/bin/vpncmd localhost /SERVER /CSV /CMD
done

set +f
Comment on lines +159 to +164

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, locate and read the entrypoint.sh file
find . -name "entrypoint.sh" -type f | head -20

Repository: bluPhy/docker-softether

🏁 Script executed:

# If found, let's read the relevant lines from the file
# Read around lines 159-164 and 168-173
if [ -f "copyables/entrypoint.sh" ]; then
  echo "=== Lines 155-175 of copyables/entrypoint.sh ==="
  sed -n '155,175p' copyables/entrypoint.sh | cat -n
fi

🏁 Script executed:

#!/bin/bash
set -euo pipefail
VPNCMD_SERVER='CmdA /ARG:pa\\ss;CmdB'
echo "Testing read behavior with and without -r flag:"
echo "Input: $VPNCMD_SERVER"
echo ""

IFS=";" read -a CMDS <<<"$VPNCMD_SERVER"
printf 'without -r: %q\n' "${CMDS[@]}"

IFS=";" read -r -a CMDS <<<"$VPNCMD_SERVER"
printf 'with -r: %q\n' "${CMDS[@]}"

Add -r to VPNCMD array reads to preserve backslashes in command arguments.

Lines 160 and 169 use read -a without -r, causing backslashes in VPNCMD_* commands to be interpreted as escape sequences. Without the -r flag, double backslashes are consumed and become single backslashes, which alters the intended command arguments.

Proposed fix
-    IFS=";" read -ra CMDS <<<"$VPNCMD_SERVER"
+    IFS=";" read -r -a CMDS <<<"$VPNCMD_SERVER"
-    IFS=";" read -ra CMDS <<<"$VPNCMD_HUB"
+    IFS=";" read -r -a CMDS <<<"$VPNCMD_HUB"

Also applies to: 168-173

🤖 Prompt for AI Agents
In `@copyables/entrypoint.sh` around lines 159-164, the loop that splits
VPNCMD_SERVER into CMDS uses IFS=";" read -ra CMDS <<<"$VPNCMD_SERVER" which
omits the -r flag and thus allows backslashes to be processed as escape
sequences; update the read usage (both here and in the similar block handling
VPNCMD_* arrays) to use read -r -a (e.g., read -r -a CMDS) so backslashes are
preserved in command arguments passed to vpncmd_server, leaving IFS and the rest
of the loop intact.

fi

if [[ $VPNCMD_HUB ]]; then
while IFS=";" read -ra CMD; do
vpncmd_hub $CMD
done <<<"$VPNCMD_HUB"
set -f
IFS=";" read -ra CMDS <<<"$VPNCMD_HUB"
for cmd in "${CMDS[@]}"; do
vpncmd_hub $cmd
done
Comment on lines +170 to +172


high

Similar to the VPNCMD_SERVER loop, the unquoted expansion of $cmd here will incorrectly split arguments that contain spaces. Using xargs provides a robust way to parse the command string while respecting quotes.

Suggested change
for cmd in "${CMDS[@]}"; do
vpncmd_hub $cmd
done
for cmd in "${CMDS[@]}"; do
# Use xargs to correctly parse the command string, respecting quoted arguments.
# This is safer than `eval` as it doesn't perform command substitution.
# The vpncmd_hub function is inlined here to be callable from xargs.
echo "$cmd" | xargs --no-run-if-empty /usr/local/bin/vpncmd localhost /SERVER /CSV /HUB:DEFAULT /CMD
done

set +f
fi

# set password for hub
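Review bot: `set +f` after each VPNCMD loop unconditionally re-enables glob expansion instead of restoring the state the script had before `set -f`, so a script that deliberately ran with `noglob` on would have it silently switched off at this point; either save the flag first (`[[ $- == *f* ]]`) and only run `set +f` when it was not already set, or run each loop in a subshell `( set -f; IFS=";" read -ra CMDS <<<"$VPNCMD_SERVER"; ... )` so the change cannot leak into the rest of the entrypoint. Two smaller points in the same block: `read -ra CMDS` already includes `-r` (`-ra` is the combined spelling of `-r -a`), so the earlier suggestion to rewrite it as `read -r -a` changes nothing; and the VPNCMD_SERVER and VPNCMD_HUB loops are now identical apart from the function they call, so a single helper taking the function name as its first argument would keep the `set -f`/`set +f` handling and the splitting logic in one place rather than two.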