---
title: Do not execute command substitution output as a command
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Do not execute command substitution output as a command
---

# Do not execute command substitution output as a command


## Metadata{% #metadata %}

**ID:** `bash-security/dont-execute-command-substitution-output`

**Language:** Bash

**Severity:** Error

**Category:** Security

**CWE**: [78](https://cwe.mitre.org/data/definitions/78.html)

## Description{% #description %}

When the command name is `$(...)`, the shell runs the inner command, captures its output, and then parses that text as another command and executes it. That is almost always a mistake: whatever the inner command prints, including text influenced by input the script does not control, ends up being run as a command (CWE-78).

Prefer running the inner command directly; for example, use `if which foo; then` instead of `if $(which foo); then`. If you mean to run generated shell code, use `eval` with a quoted string and careful escaping.

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```bash
#!/bin/bash
$(printf 'hello' 'world')
if $(which true); then echo bad; fi
```

## Compliant Code Examples{% #compliant-code-examples %}

```bash
#!/bin/bash
echo "$(date)"
if which true; then :; fi
output=$(printf '%s\n' "hello")
eval "$(printf 'echo ok\n')"
```
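To see why the rule flags the `if $(...)` pattern, here is an added example that is not part of the Datadog rule page. `lookup_value` is a constructed stand-in for any command whose printed output the script does not control (a config lookup, a response from a service, a tool's diagnostic text); the probe value is constructed and benign.

```bash
#!/bin/bash
# Added example, not from the Datadog rule page. lookup_value is a constructed
# stand-in for a command whose stdout the script does not control.
lookup_value() {
  printf '%s\n' "$1"
}

# Non-compliant (what the rule reports): the looked-up text is word-split and
# becomes the command the shell runs. Whatever that text prints is this
# function's output, and the branch is taken whenever that text exits 0.
unsafe_check() {
  if $(lookup_value "$1"); then
    :   # the condition's "success" has nothing to do with the lookup itself
  fi
}

# Compliant: run the command directly and branch only on its exit status.
# Its output goes to /dev/null and is never re-parsed as a command.
safe_check() {
  if lookup_value "$1" >/dev/null; then
    echo "lookup ok"
  fi
}

# Constructed probe: harmless text that is easy to recognise if it gets executed.
PROBE='echo EXECUTED'

# unsafe_check prints "EXECUTED" (the text was run); safe_check prints "lookup ok".
unsafe_check "$PROBE"
safe_check "$PROBE"
```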