---
title: Quote unset arguments that can undergo pathname expansion
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Quote unset arguments that can undergo pathname expansion
---

# Quote unset arguments that can undergo pathname expansion

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ().
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `bash-security/avoid-unquoted-unset`

**Language:** Bash

**Severity:** Warning

**Category:** Security

**CWE**: [88](https://cwe.mitre.org/data/definitions/88.html)

## Description{% #description %}

Arguments to `unset` are expanded like other words: unquoted `*`, `?`, and `[` can trigger pathname expansion, so a matching filename can replace the argument and unset the wrong name (CWE-88). That is especially easy to miss with array elements written as `unset arr[0]` or `unset foo[index]`, where `[` starts a glob character class.

Quote or use single-quoted words so the name reaches `unset` literally, for example `unset 'foo[index]'` or `unset 'arr[0]'` instead of the unquoted forms.

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```bash
#!/bin/bash
unset *
unset foo[index]
unset arr[0]
unset ?
unset [a]
unset foo*
```

## Compliant Code Examples{% #compliant-code-examples %}

```bash
#!/bin/bash
unset foo
unset PATH
unset "$x"
unset 'foo[index]'
unset -v foo
unset -f myfunc
unset a$b
```
  Seamless integrations. Try Datadog Code SecurityDatadog Code Security 
{% icon name="icon-external-link" /%}