Prefer parameter expansion over echo-to-sed for text replacements

Metadata

ID: bash-security/avoid-echo-to-sed-pipeline

Language: Bash

Severity: Notice

Category: Security

CWE: 116

Description

Feeding shell-expanded text into sed through an echo pipeline adds another program and more quoting and parsing steps than doing the same work in the shell alone, which increases the risk of mistakes and injection vulnerabilities (CWE-116). When the change is essentially string substitution, Bash parameter expansion (${var/pat/repl}, ${var//pat/repl}, ${var/#pat/repl}, ${var/%pat/repl}) is often more readable and less error-prone.

Non-Compliant Code Examples

#!/bin/bash
# Shell-expanded variable piped through echo into sed for a plain substitution.
echo "$var" | sed 's/foo/bar/g'
# Unquoted expansion (subject to word splitting and globbing) piped into sed.
echo ${x} | /usr/bin/sed -e 's/1/2/'

Compliant Code Examples

#!/bin/bash
# Literal input rather than shell-expanded text.
echo hello | sed -n '1p'
echo 'literal' | sed 's/a/b/'
# Parameter expansion does the substitution in the shell, with no pipeline.
out="${var//foo/bar}"
# printf instead of echo, so the value is never read as an echo option.
printf '%s\n' "$x" | sed 's/a/b/'
# sed expressions that go beyond a plain string substitution.
echo "$var" | sed 's/(foo)/bar/'
echo "$x" | sed 's/a/b/;s/c/d/'
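The following is an added example, not code from the Datadog rule page, showing the parameter-expansion forms named in the description beside the flagged pipeline form; the helper names (replace_literal, replace_prefix, replace_suffix, replace_via_sed) and the sample string are this example's own.

```shell
#!/bin/bash
# Added example (not part of the rule page). Helper names are hypothetical.

# Replace every occurrence of the literal string $2 in $1 with $3.
# Quoting "$pat" inside ${text//"$pat"/...} makes bash match it verbatim,
# so '.', '*', '[' or '/' arriving in the data cannot change what is matched.
replace_literal() {
    local text=$1 pat=$2 repl=$3
    printf '%s' "${text//"$pat"/$repl}"
}

# Anchored variants from the description: replace $2 only at the start
# (${var/#pat/repl}) or only at the end (${var/%pat/repl}) of $1.
replace_prefix() { printf '%s' "${1/#"$2"/$3}"; }
replace_suffix() { printf '%s' "${1/%"$2"/$3}"; }

# The pipeline this rule flags, with $2 and $3 spliced into the sed program.
# sed reads $2 as a regular expression, so "a.c" also matches "abc", and a
# '/' or newline in either value is parsed as sed syntax rather than as data.
replace_via_sed() {
    echo "$1" | sed "s/$2/$3/g"
}

# Constructed sample value for the comparison below.
sample='abc a.c abc'

# With the literal pattern, only the middle "a.c" token changes.
replace_literal "$sample" 'a.c' 'X'; echo     # → abc X abc
# The sed form treats '.' as "any character" and rewrites all three tokens.
replace_via_sed "$sample" 'a.c' 'X'           # → X X X
replace_prefix "$sample" 'abc' 'HEAD'; echo   # → HEAD a.c abc
replace_suffix "$sample" 'abc' 'TAIL'; echo   # → abc a.c TAIL
# A glob metacharacter in the data is still matched literally.
replace_literal 'a*b' '*' '-'; echo           # → a-b
```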