Avoid eval, shell-injection via JAVA_OPTS or JENKINS_OPTS
The intent of using eval when processing JAVA_OPTS or JENKINS_OPTS is to allow arguments with spaces to be passed through and parsed without the bugs given in [BashFAQ #50](http://mywiki.wooledge.org/BashFAQ/050). By using `eval`, however, the issues discussed in [BashFAQ #48](http://mywiki.wooledge.org/BashFAQ/048) are introduced.
Strings containing whitespace can be safely processed with `xargs`, which -- when not used with the non-POSIX extensions `-0` or `-d` -- follows shell quoting conventions in splitting its input stream into arguments.
diff --git a/jenkins.sh b/jenkins.sh
index 206e069..c8ad80f 100755
--- a/jenkins.sh
+++ b/jenkins.sh
@@ -7,7 +7,19 @@
# if `docker run` first argument start with `--` the user is passing jenkins launcher arguments
if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then
- eval "exec java $JAVA_OPTS -jar /usr/share/jenkins/jenkins.war $JENKINS_OPTS \"\$@\""
+
+ # read JAVA_OPTS and JENKINS_OPTS into arrays to avoid need for eval (and associated vulnerabilities)
+ java_opts_array=()
+ while IFS= read -r -d '' item; do
+ java_opts_array+=( "$item" )
+ done < <(xargs printf '%s\0' <<<"$JAVA_OPTS")
+
+ jenkins_opts_array=( )
+ while IFS= read -r -d '' item; do
+ jenkins_opts_array+=( "$item" )
+ done < <(xargs printf '%s\0' <<<"$JENKINS_OPTS")
+
+ exec java "${java_opts_array[@]}" -jar /usr/share/jenkins/jenkins.war "${jenkins_opts_array[@]}" "$@"
fi
# As argument is not jenkins, assume user want to run his own process, for sample a `bash` shell to explore this image