🛡️ Sentinel: [HIGH] Fix variable expansion and globbing vulnerabilities in entrypoint.sh #22
Conversation
- Quote variables in `adduser` calls to prevent word splitting and globbing of passwords. - Use `read -r` to prevent backslash interpretation in usernames and passwords. - Disable globbing (`set -f`) when executing dynamic commands from `VPNCMD_*` environment variables to prevent unintended file expansion. This fixes potential issues where passwords containing spaces would be truncated, and passwords containing special characters (like `*` or `\`) would be mishandled or trigger globbing.
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
|
Important Review skippedBot user detected. To trigger a single review, invoke the You can disable this status message by setting the Comment |
This PR addresses several security and correctness issues in
copyables/entrypoint.sh:adduser $username $passwordwas unquoted. If a password contained spaces (e.g., "pass word"), it would be split into multiple arguments, causing only the first part ("pass") to be used as the password. If it contained glob characters (e.g., "pass*"), it could expand to filenames in the current directory.readwithout-r: Thereadcommand was used without-rto parse usernames and passwords. This meant that backslashes in passwords (e.g., "pass\word") would be interpreted as escape characters, altering the password.VPNCMD_SERVERandVPNCMD_HUBexecuted commands directly from the variable. While word splitting is intended here to parse arguments, globbing was not disabled. A command string containing*could expand to filenames. The fix wraps these executions withset -f(disable globbing) andset +f(re-enable globbing).Verified with a reproduction script that confirmed the vulnerability and the fix.
PR created automatically by Jules for task 5427467274303638451 started by @bluPhy