
Metadata

ID: bash-security/premature-expansion-in-trap

Language: Bash

Severity: Warning

Category: Security

CWE: 116

Related CWEs:

Description

The trap builtin stores an action to run later. If that action is a double-quoted string, any parameter expansions, command substitutions, and arithmetic expansions in it run when trap is executed, not when the signal arrives. The handler therefore captures whatever those expressions evaluated to at registration, and those values can be empty, stale, or wrong by the time it fires. Because the stored text is parsed again by the shell when the signal arrives, a value that was expanded early is no longer a single argument: spaces in it are word-split and shell metacharacters in it are executed as part of the handler.

Use a single-quoted handler instead, so the shell stores the text verbatim and expands it when the trap fires, not at registration. For example, write trap 'rm -f "$tmp"' EXIT instead of trap "rm -f $tmp" EXIT, and trap 'echo finished at $(date)' EXIT instead of trap "echo finished at $(date)" EXIT. The single-quoted form still requires the variable to hold the intended value when the signal arrives, and the inner double quotes around "$tmp" keep a path containing spaces as one argument. If the handler itself must be double-quoted, escape the dollar sign so it survives registration and expands later (for example, trap "rm -f \$tmp" EXIT); this stores exactly the same text as the single-quoted form, which trap -p will show.
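The script below is an added example and is not code from the Datadog rule page or from any project it describes. It registers the same EXIT handler with each quoting style inside a subshell, so the trap fires when the subshell finishes, and returns what the handler actually ran. The file names, the counter, and the value containing a semicolon are constructed samples; the last case goes beyond the page's own examples to show that an early-expanded value is re-parsed as shell syntax when the trap fires, while stored_handler uses trap -p to show the text bash really registered.

```bash
#!/bin/bash
# Added example, not code from the Datadog rule page. Each function
# registers one EXIT handler inside a subshell so the trap fires when
# the subshell finishes, and returns what the handler actually ran.
# All values are constructed samples.

# Double quotes: $tmp expands when `trap` runs. The later reassignment
# is invisible to the handler, so cleanup targets the wrong file.
double_quoted_stale() {
    ( tmp=/tmp/demo.old
      trap "echo cleaning $tmp" EXIT
      tmp=/tmp/demo.new; : "$tmp" )   # the value a real script ends up using
}

# Single quotes: the text is stored verbatim and expanded at exit, so the
# handler sees the final value of tmp.
single_quoted_fresh() {
    ( tmp=/tmp/demo.old
      trap 'echo cleaning "$tmp"' EXIT
      tmp=/tmp/demo.new; : "$tmp" )
}

# Arithmetic (and command) substitutions behave the same way: the
# double-quoted handler freezes the result computed at registration.
arithmetic_frozen() {
    ( n=1; trap "echo count=$((n+1))" EXIT; n=10; : "$n" )
}
arithmetic_live() {
    ( n=1; trap 'echo count=$((n+1))' EXIT; n=10; : "$n" )
}

# The stored text is parsed again when the signal arrives, so a value that
# was expanded early becomes shell syntax: the semicolon ends the command
# and what follows it executes. With single quotes it stays one argument.
double_quoted_injected() {
    ( tmp='demo.tmp; echo INJECTED'; trap "echo cleaning $tmp" EXIT )
}
single_quoted_safe() {
    ( tmp='demo.tmp; echo INJECTED'; trap 'echo cleaning "$tmp"' EXIT )
}

# What bash really stored, read back with `trap -p`. The handler is
# removed before the subshell exits so only the listing is returned.
stored_handler() {   # $1: quoting style, one of double, single, escaped
    ( tmp=/tmp/demo.old
      case $1 in
          double)  trap "echo cleaning $tmp" EXIT ;;
          single)  trap 'echo cleaning $tmp' EXIT ;;
          escaped) trap "echo cleaning \$tmp" EXIT ;;   # same text as single
          *) echo "unknown style: $1" >&2; exit 2 ;;
      esac
      trap -p EXIT
      trap - EXIT )
}

# Prints every case so the differences can be read side by side.
demo() {
    echo "stale:    $(double_quoted_stale)"
    echo "fresh:    $(single_quoted_fresh)"
    echo "frozen:   $(arithmetic_frozen)"
    echo "live:     $(arithmetic_live)"
    echo "injected: $(double_quoted_injected | tr '\n' ' ')"
    echo "safe:     $(single_quoted_safe)"
    for style in double single escaped; do
        echo "$style: $(stored_handler "$style")"
    done
}
demo
```

Running the script shows the double-quoted handlers reporting the old file name, count=2, and the extra INJECTED line, while the single-quoted and escaped forms report the final value, count=11, and the semicolon as plain text; trap -p confirms that the escaped and single-quoted registrations store identical text.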

Non-Compliant Code Examples

#!/bin/bash
trap "rm -f $tmp" EXIT        # $tmp expands now; later changes to tmp are ignored by the handler
trap "echo ${HOME}" EXIT      # same for ${HOME}: the value is frozen at registration
trap "echo $(date)" EXIT      # date runs now, so the handler prints the registration time at exit
trap "v=$((1+1))" EXIT        # the arithmetic is evaluated now, not when the trap fires

Compliant Code Examples

#!/bin/bash
trap 'rm -f "$tmp"' EXIT           # $tmp expands when the trap fires; the inner quotes keep the path as one word
trap "literal only" EXIT           # no expansions in the string, so nothing is evaluated early
trap "rm -f \$tmp" EXIT            # the escaped dollar sign survives registration and expands at exit
trap -p                            # only lists the registered traps
trap cleanup INT TERM              # a function name contains no expansions
trap /usr/local/bin/cleanup EXIT   # a fixed path contains no expansions