From 52b5c042ecfa1885308d0b7481175a93cd4c099c Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Tue, 13 Jan 2026 10:23:40 +0000 Subject: [PATCH] Fix insecure shell variable handling and command loop logic in entrypoint.sh - Quote variables in `adduser` to prevent password truncation if spaces are present. - Fix logic error in `VPNCMD_*` processing where only the first command was executed. - Quote `$CONFIG` path usage. - Add `.jules/sentinel.md` journal entry. --- .jules/sentinel.md | 4 ++++ copyables/entrypoint.sh | 16 +++++++++------- 2 files changed, 13 insertions(+), 7 deletions(-) create mode 100644 .jules/sentinel.md diff --git a/.jules/sentinel.md b/.jules/sentinel.md new file mode 100644 index 0000000..0c889b9 --- /dev/null +++ b/.jules/sentinel.md @@ -0,0 +1,4 @@ +## 2024-05-23 - [Variable Quoting in Shell Scripts] +**Vulnerability:** Unquoted variable expansion in `entrypoint.sh` caused passwords with spaces to be truncated when passed to the `adduser` function. +**Learning:** Shell word splitting can silently corrupt data integrity, specifically credentials, leading to weaker passwords than intended. This is often overlooked in "simple" wrapper scripts. +**Prevention:** Always quote variable expansions (`"$var"`) unless word splitting is explicitly required and understood. Use tools like `checkbashisms` or `shellcheck` (though not available here) to detect these issues. diff --git a/copyables/entrypoint.sh b/copyables/entrypoint.sh index 0d224a0..4406a56 100644 --- a/copyables/entrypoint.sh +++ b/copyables/entrypoint.sh @@ -25,7 +25,7 @@ set -e CONFIG=/var/lib/softether/vpn_server.config -if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then +if [ ! -f "$CONFIG" ] || [ ! -s "$CONFIG" ]; then # Generate a random PSK if not provided : ${PSK:=$(cat /dev/urandom | tr -dc 'A-Za-z0-9' | fold -w 20 | head -n 1)} 
@@ -142,11 +142,11 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then for i in "${USER[@]}"; do IFS=':' read username password <<<"$i" # echo "Creating user: ${username}" - adduser $username $password + adduser "$username" "$password" done done <<<"$USERS" else - adduser $USERNAME $PASSWORD + adduser "$USERNAME" "$PASSWORD" fi echo @@ -156,15 +156,17 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then # handle VPNCMD_* commands right before setting admin passwords if [[ $VPNCMD_SERVER ]]; then - while IFS=";" read -ra CMD; do + IFS=";" read -ra COMMANDS <<<"$VPNCMD_SERVER" + for CMD in "${COMMANDS[@]}"; do vpncmd_server $CMD - done <<<"$VPNCMD_SERVER" + done fi if [[ $VPNCMD_HUB ]]; then - while IFS=";" read -ra CMD; do + IFS=";" read -ra COMMANDS <<<"$VPNCMD_HUB" + for CMD in "${COMMANDS[@]}"; do vpncmd_hub $CMD - done <<<"$VPNCMD_HUB" + done fi # set password for hub
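Review bot: The `read` that splits each `USER` entry into `username` and `password` (context line `IFS=':' read username password <<<"$i"`) has no `-r`, so a backslash in a configured password is still interpreted as an escape and the credential actually created differs from the one supplied — the same silent-corruption class this commit fixes for spaces. Change it to `IFS=':' read -r username password <<<"$i"`. A colon inside the password is preserved because the remainder of the line goes to the last variable, though I believe a trailing `:` would be trimmed; if that is accepted, it is worth a one-line comment next to the `read`. The enclosing `while … done <<<"$USERS"` loop starts outside the hunk.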
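Review bot: `IFS=";" read -ra COMMANDS <<<"$VPNCMD_SERVER"` consumes only the first line of the variable, so if `VPNCMD_SERVER` is ever supplied with newline-separated entries everything after the first line is now silently dropped, whereas the old `while read` loop at least visited every line; the `VPNCMD_HUB` block below has the same behaviour. If `;` is the only intended separator, state it in the comment above the block, e.g. `# VPNCMD_*: ';'-separated list of commands on a single line`, otherwise fold newlines first with `IFS=";" read -ra COMMANDS <<<"${VPNCMD_SERVER//$'\n'/;}"`. `vpncmd_server $CMD` is still unquoted, presumably on purpose so each command string word-splits into arguments, but that also glob-expands any `*` or `?` in a command against the current directory; wrapping the loop in `set -f`/`set +f`, plus a `[[ -n $CMD ]] || continue` guard for the empty entry a doubled `;;` yields, would make the intent explicit. `vpncmd_server` and `vpncmd_hub` are defined outside the hunk, so whether an empty argument list is harmless cannot be judged from here.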