
Double-quote command substitutions to avoid word splitting and globs


Metadata

ID: bash-security/double-quote-command-substitutions

Language: Bash

Severity: Warning

Category: Security

CWE: 88

Description

The output of $(...) or backticks is split on whitespace and each resulting word is treated as a glob pattern unless the substitution is quoted. That can turn one logical value into several arguments, or expand characters such as * and ? into unexpected filenames.

Wrap the substitution in double quotes: "$(...)". Single-quoted strings do not perform that expansion; use them only when you mean a literal, not when you want to run the inner command and use its output safely.
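The following script is an added illustration of the behaviour described above; it is not part of the Datadog rule page. The helper names (emit_value, show_args, make_fixture, join_unquoted_in, join_quoted_in) and the scratch directory with two .txt files are constructed for the demonstration. The same single value is passed once unquoted and once in double quotes, and the argument list each call actually receives is printed with a visible separator.

```bash
#!/bin/bash
# Added example (not from the Datadog rule page): shows how an unquoted
# command substitution is word-split and glob-expanded, and how "$(...)" prevents it.
# emit_value, show_args, make_fixture and the fixture files are constructed for this demo.

# Emits one logical value that contains spaces and a glob character.
emit_value() {
    printf '%s' 'report *.txt  final'
}

# Joins the arguments it receives with '|' so any split is visible.
show_args() {
    local IFS='|'
    printf '%s' "$*"
}

# Creates a scratch directory with two .txt files for the glob to match; prints its path.
make_fixture() {
    local d
    d=$(mktemp -d)
    touch "$d/a.txt" "$d/b.txt"
    printf '%s' "$d"
}

# Non-compliant form: the substitution is unquoted, so 'report *.txt  final' becomes
# three words and '*.txt' is then expanded against the contents of the directory.
join_unquoted_in() {
    ( cd "$1" && show_args $(emit_value) )
}

# Compliant form: double quotes keep the output as a single, verbatim argument.
join_quoted_in() {
    ( cd "$1" && show_args "$(emit_value)" )
}

# Stand-alone run: prints both argument lists side by side.
dir=$(make_fixture)
printf 'unquoted: %s\n' "$(join_unquoted_in "$dir")"   # report|a.txt|b.txt|final
printf 'quoted:   %s\n' "$(join_quoted_in "$dir")"     # report *.txt  final
rm -rf "$dir"
```

The unquoted call receives four arguments, two of which are filenames that never appeared in the emitted value; the quoted call receives exactly the one string that was emitted, internal double space included.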

Non-Compliant Code Examples

#!/bin/bash
echo $(date)                 # date's output is split into several arguments
cat $(which wc)              # a path containing spaces or glob characters would be split or expanded
cp $(printf '%s' a) dest     # the unquoted result is subject to word splitting and globbing
echo pre$(date)suf           # quoting is still required when the substitution is embedded in a word

Compliant Code Examples

#!/bin/bash
echo "$(date)"               # quoted: the output is passed as one argument
out=$(printf '%s' "ok")      # assignment context: the result is not word-split or globbed
eval "$(printf 'true\n')"    # quoted before being handed to eval
echo "x$(date)y"             # quoted even when embedded in a larger word