“--“ doesn’t work on all versions of getent.
A better fix is to call “getent passwd” with no user controlled arguments and then parse the resulting list. This gets rid of the input sanitization problem entirely.
Are there any actual systems that can run Tailscale and that have faulty getent?
Are there any actual systems that can run Tailscale and that have faulty getent?