Possible shebang attack with more than one parameter

The shebang was introduced by Dennis Ritchie between Edition 7 and 8 at Bell Laboratories. It was also added to the BSD releases from Berkeley's Computer Science Research (present at 2.8BSD[24] and activated by default by 4.2BSD). As AT&T Bell Laboratories Edition 8 Unix, and later editions, were not released to the public, the first widely known appearance of this feature was on BSD.

The lack of an interpreter directive, but support for shell scripts, is apparent in the documentation from Version 7 Unix in 1979,[25] which describes instead a facility of the Bourne shell where files with execute permission would be handled specially by the shell, which would (sometimes depending on initial characters in the script, such as ":" or "#") spawn a subshell which would interpret and run the commands contained in the file.

Rationale: Most operating systems, including POSIX, Linux and FreeBSD, allow only a single parameter in the shebang. The example is equivalent to calling env 'bash -x' instead of env 'bash' '-x', and it will therefore fail.

The shebang should be rewritten to use at most one parameter. Shell options can instead be set in the body of the script.

Exceptions: Mac OS currently allows multiple words in the shebang. In this case, you can ignore this issue.

Problematic code : #!/usr/bin/env sh -e

https://github.com/gitlabhq/blob/master/vendor/gems/attr_encrypted/test/run.sh#L1-L1

Possible fix: #!/usr/bin/env bash set -x