---
title: Double-quote command substitutions to avoid word splitting and globs
description: Datadog, the leading service for cloud-scale monitoring.
---

# Double-quote command substitutions to avoid word splitting and globs

## Metadata{% #metadata %}

**ID:** `bash-security/double-quote-command-substitutions`

**Language:** Bash

**Severity:** Warning

**Category:** Security

**CWE**: [88](https://cwe.mitre.org/data/definitions/88.html)

## Description{% #description %}

Unless it is quoted, the output of `$(...)` or backticks undergoes word splitting on the characters in `IFS` (space, tab, and newline by default), and each resulting word is then treated as a glob pattern. That can turn one logical value into several arguments or into unexpected filenames.

Wrap the substitution in double quotes: `"$(...)"`. Single quotes are not a substitute: inside them `$(...)` is not expanded at all, so use them only when you mean a literal string, not when you want to run the inner command and use its output safely.
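The splitting and globbing described above, shown on one value, as an added example that is not part of the original rule documentation. The names `emit_name` and `show_args`, the scratch directory, and its two files are constructed for illustration.

```bash
#!/bin/bash
# Constructed stand-in for a command whose output the script does not control.
emit_name() {
    printf '%s\n' 'report 2024 *.txt'
}

# Print the argument count, then each argument in brackets.
show_args() {
    printf '%d' "$#"
    for arg in "$@"; do printf ' [%s]' "$arg"; done
    printf '\n'
}

# Scratch directory with two constructed files for the glob to match.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
touch "$demo_dir/a.txt" "$demo_dir/b.txt"

# Non-compliant: the output is split on IFS, then each word is glob-expanded.
unquoted_args() {
    ( cd "$demo_dir" && show_args $(emit_name) )
}

# Compliant: the whole output stays a single argument.
quoted_args() {
    ( cd "$demo_dir" && show_args "$(emit_name)" )
}

unquoted_args   # 4 [report] [2024] [a.txt] [b.txt]
quoted_args     # 1 [report 2024 *.txt]
```

The unquoted call receives four arguments, two of which are filenames that never appeared in the command's output; the quoted call receives the original value as one argument.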

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

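```bash
#!/bin/bash
echo $(date)              # output is split into words; echo receives several arguments
cat $(which wc)           # a path containing whitespace would become several operands
cp $(printf '%s' a) dest  # the substituted value is split and globbed before cp sees it
echo pre$(date)suf        # an unquoted substitution inside a larger word is still split
```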

## Compliant Code Examples{% #compliant-code-examples %}

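```bash
#!/bin/bash
echo "$(date)"             # output stays one argument
out=$(printf '%s' "ok")    # assignment: the right-hand side is not split or globbed
eval "$(printf 'true\n')"  # eval receives the output as a single string
echo "x$(date)y"           # quoting the whole word protects the embedded substitution
```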