Do not execute command substitution output as a command

Metadata

ID: bash-security/dont-execute-command-substitution-output

Language: Bash

Severity: Error

Category: Security

CWE: 78

Description

When the command name is $(...), the shell runs the inner command, captures its output, and then tries to execute that text as another command. That is usually a mistake and can amount to running arbitrary text (CWE-78).

Prefer running the inner command directly; for example, use if which foo; then instead of if $(which foo); then. If you mean to run generated shell code, use eval with a quoted string and careful escaping.

Non-Compliant Code Examples

#!/bin/bash
$(printf 'hello' 'world')
if $(which true); then echo bad; fi

Compliant Code Examples

#!/bin/bash
echo "$(date)"
if which true; then :; fi
output=$(printf '%s\n' "hello")
eval "$(printf 'echo ok\n')"
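As an added example (not Datadog's rule implementation), the check below greps a constructed sample script for the pattern this rule flags, a $(...) substitution in command position, while leaving assignments, quoted arguments and eval "$(...)" alone. The sample script, the regular expression and the function names are assumptions made for this illustration.

```bash
#!/bin/bash
# Added example: a grep-based approximation of the rule, run over a
# constructed sample script (not a real project file).

# Constructed sample: lines 2, 3 and 8 execute substitution output and
# should be flagged; the others are the compliant forms from this page.
sample_script() {
  cat <<'EOF'
#!/bin/bash
$(printf 'hello' 'world')
if $(which true); then echo bad; fi
echo "$(date)"
if which true; then :; fi
output=$(printf '%s\n' "hello")
eval "$(printf 'echo ok\n')"
while $(cat flag); do sleep 1; done
EOF
}

# Flag a $( in command position: at line start, right after
# if/elif/while/until, or after && || ; |. The trailing [^(] skips
# arithmetic $(( ... )). Reads the script on stdin, prints "lineno:text".
find_exec_of_subst() {
  grep -nE '(^[[:space:]]*|^[[:space:]]*(if|elif|while|until)[[:space:]]+|(&&|\|\||;|\|)[[:space:]]*)\$\([^(]'
}

# Run the check over the constructed sample.
scan_sample() {
  sample_script | find_exec_of_subst
}

# Number of flagged lines in the sample (3 for the script above).
sample_finding_count() {
  scan_sample | wc -l | tr -d ' '
}

scan_sample
```

The regex is a heuristic: it does not parse the shell grammar, so it misses substitutions in command position after a newline continuation or inside `( ... )` subshells and may flag comments that happen to start with `$(`.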