entrypoint.sh line 19 uses su -c with unquoted $* to drop privileges:
exec su -m pentest -c "exec $*"
This has two problems:
- $* inside double quotes joins all arguments as a single string separated by $IFS. Arguments containing spaces or special characters are not handled correctly.
- su is called from a root shell that first runs userdel, groupadd, useradd, and chown. Any vulnerability in the container between process start and the exec su line executes as root.
Steps to reproduce:
- Run the Shannon worker container passing an argument with spaces.
- Observe incorrect argument handling due to $* expansion.
Actual behaviour:
Arguments with spaces are split incorrectly. The container also runs as root longer than necessary before dropping to the pentest user.
Debugging details: N/A - static analysis finding
Additional context:
Suggested fix - use gosu:
- Dockerfile: add gosu during image build
apk add --no-cache gosu # or equivalent for Wolfi/Chainguard
exec gosu pentest "$@"
gosu performs a clean exec without an intermediate shell, preserves argument quoting correctly, and is the standard approach for privilege.
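
Added example, not part of the original issue or the Shannon code base: a root-free comparison of the two hand-off patterns. As assumptions, `sh -c` stands in for `su -m pentest -c` and a plain `exec "$@"` stands in for `exec gosu pentest "$@"`; the function names and `DEMO_VAR` are hypothetical.

```shell
#!/bin/sh
# Constructed demo. Stand-ins (assumptions, so no root/su/gosu is needed):
#   sh -c "..."  for  su -m pentest -c "..."  (both re-parse one command string)
#   exec "$@"    for  exec gosu pentest "$@"  (both pass argv through untouched)

# Current entrypoint.sh pattern: argv is flattened into a string, then a
# second shell splits and expands it again.
drop_with_string() { ( exec sh -c "exec $*" ); }

# Suggested pattern: the target receives exactly the argv the caller supplied.
drop_with_argv() { ( exec "$@" ); }

# Constructed marker variable to make re-expansion visible.
DEMO_VAR=expanded
export DEMO_VAR

# Print each argument the target actually receives, comma-terminated.
compare() {
    printf 'su -c "exec $*" : '; drop_with_string printf '%s,' "$@"; echo
    printf 'gosu "$@"       : '; drop_with_argv printf '%s,' "$@"; echo
}

compare 'hello world' x     # space inside one argument
compare '$DEMO_VAR'         # literal text that looks like a variable
compare '' x                # empty argument
```

In the string form the target sees a different argument vector in all three cases (split, expanded, or dropped), while the argv form delivers each argument byte for byte.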