---
title: Prefer parameter expansion over echo-to-sed for text replacements
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Prefer parameter expansion over echo-to-sed for text replacements
---

# Prefer parameter expansion over echo-to-sed for text replacements

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `bash-security/avoid-echo-to-sed-pipeline`

**Language:** Bash

**Severity:** Notice

**Category:** Security

**CWE**: [116](https://cwe.mitre.org/data/definitions/116.html)

**Related CWEs**:

- [117](https://cwe.mitre.org/data/definitions/117.html)
- [838](https://cwe.mitre.org/data/definitions/838.html)

## Description{% #description %}

Feeding shell-expanded text into `sed` through an `echo` pipeline spawns an extra process and adds more quoting and parsing steps than doing the same work in the shell alone: the data is first interpreted by `echo` and then by `sed`'s `s///` parser, which increases the risk of mistakes and injection vulnerabilities (CWE-116). When the change is a plain string substitution rather than a regular-expression edit, Bash parameter expansion (`${var/pat/repl}`, `${var//pat/repl}`, `${var/#pat/repl}`, `${var/%pat/repl}`) is usually more readable and less error-prone.
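As an added illustration (not code from the rule page), the script below contrasts a helper built on the flagged `echo | sed` pipeline with the parameter-expansion forms the description names; the function names and sample inputs are constructed for this example.

```bash
#!/bin/bash
# Added example (not from the rule page): one substitution written the
# echo-to-sed way and with Bash parameter expansion. The function names and
# sample inputs below are constructed for illustration.

# Flagged form: the data passes through echo (which interprets options such
# as "-n") and then through sed's s/// parser, which gives "/", "&", "." and
# "\" in $2/$3 their regex meaning.
replace_with_sed() {           # $1 = text  $2 = search  $3 = replacement
    echo "$1" | sed "s/$2/$3/g"
}

# Preferred form: no subprocess. Quoting the pattern and replacement makes
# both literal (no glob matching, no "&" back-reference in bash 5.2+).
replace_all() {                # $1 = text  $2 = search  $3 = replacement
    local text=$1 search=$2 repl=$3
    printf '%s\n' "${text//"$search"/"$repl"}"
}

# The anchored forms named in the rule description.
replace_first() { printf '%s\n' "${1/"$2"/"$3"}"; }   # first match only
strip_prefix()  { printf '%s\n' "${1/#"$2"/}"; }      # match at start
strip_suffix()  { printf '%s\n' "${1/%"$2"/}"; }      # match at end

demo() {
    local fmt='%-10s sed=[%s]  expansion=[%s]\n'
    # Same result when the data is plain text.
    printf "$fmt" 'plain'    "$(replace_with_sed 'foo.foo' foo bar)" "$(replace_all 'foo.foo' foo bar)"
    # "&" in the replacement: sed reinserts the match; expansion inserts "&".
    printf "$fmt" 'amp repl' "$(replace_with_sed 'a+b' '+' '&')"     "$(replace_all 'a+b' '+' '&')"
    # "/" in the search: sed's delimiter collides; expansion is unaffected.
    printf "$fmt" 'slash'    "$(replace_with_sed /usr/bin /usr /opt 2>&1)" "$(replace_all /usr/bin /usr /opt)"
    # "." in the search: sed treats it as a regex, expansion as a literal.
    printf "$fmt" 'dot'      "$(replace_with_sed abc a.c X)"         "$(replace_all abc a.c X)"
    # Text that looks like an echo option is swallowed by echo, not by expansion.
    printf "$fmt" 'dash-n'   "$(replace_with_sed -n x y)"            "$(replace_all -n x y)"
}

demo
```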

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```bash
#!/bin/bash
echo "$var" | sed 's/foo/bar/g'
echo ${x} | /usr/bin/sed -e 's/1/2/'
```

## Compliant Code Examples{% #compliant-code-examples %}

```bash
#!/bin/bash
echo hello | sed -n '1p'
echo 'literal' | sed 's/a/b/'
out="${var//foo/bar}"
printf '%s\n' "$x" | sed 's/a/b/'
echo "$var" | sed 's/(foo)/bar/'
echo "$x" | sed 's/a/b/;s/c/d/'
```