Double quote to prevent globbing and word splitting

Metadata

ID: bash-security/double-quote-variable-expansions

Language: Bash

Severity: Warning

Category: Security

CWE: 88

Description

Unquoted variable expansions like $var or $1 undergo word splitting and glob expansion before the command receives them. An argument containing spaces becomes multiple arguments, and patterns like * expand to matching filenames.

Quoting as "$var" prevents this. This rule may not apply if you intentionally want word splitting or glob expansion, for example when building a dynamic argument list.

Non-Compliant Code Examples

#!/bin/bash
echo $1                      # positional parameter: split on whitespace, then globbed
echo $var                    # plain variable: same treatment
cp $HOME/file destination/   # a space in $HOME turns one path into several arguments
for i in $*; do :; done      # $* unquoted re-splits every parameter
for i in $@; do :; done      # $@ unquoted behaves like $* here
cp $@ ~/dir
cmd ${files[@]}              # array elements are re-split and globbed
mv ${arr[*]} ~/dir
rm ${HOME}                   # braces do not prevent splitting
rm ${var:-default}           # parameter expansion with a default is still unquoted
ls ${file%.txt}              # suffix removal is still unquoted

Compliant Code Examples

#!/bin/bash
echo "$1"
echo "$var"
cp "$HOME/file" destination/
for i in "$@"; do :; done    # "$@" keeps each parameter as one word
cp "$@" ~/dir
cp "${files[@]}" ~/dir       # "${arr[@]}" keeps each element as one word
mv "${arr[*]}" ~/dir         # "${arr[*]}" joins elements into a single word
rm "${HOME}"
echo ${#var}                 # a length is a single number, so quoting is unnecessary
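The following self-test is added here and is not part of the Datadog rule page; it makes the splitting and globbing described above observable by returning how many arguments the inner command actually received with and without quotes. Function names are my own.

```bash
#!/bin/bash
# Added example: compare unquoted and quoted expansions by counting the
# arguments that reach the called command. count_args is the "victim" command.
count_args() { echo "$#"; }

# Unquoted $value: word splitting turns "my file.txt" into two arguments.
unquoted_count() {
  local value=$1
  count_args $value        # deliberately unquoted to show the defect
}

# Quoted "$value": the string always arrives as exactly one argument.
quoted_count() {
  local value=$1
  count_args "$value"
}

# Glob expansion: run in a scratch directory holding a.txt and b.txt and
# pass the literal pattern from $1 either unquoted or quoted.
unquoted_glob_count() {
  local dir
  dir=$(mktemp -d)
  touch "$dir/a.txt" "$dir/b.txt"
  ( cd "$dir" && count_args $1 )     # unquoted: the pattern expands to file names
  rm -rf "$dir"
}
quoted_glob_count() {
  local dir
  dir=$(mktemp -d)
  touch "$dir/a.txt" "$dir/b.txt"
  ( cd "$dir" && count_args "$1" )   # quoted: the pattern is passed literally
  rm -rf "$dir"
}

# Positional parameters: $@ unquoted re-splits "a b" into two words,
# while "$@" preserves the original parameter boundaries.
count_split_params() { local n=0; for i in $@;   do n=$((n + 1)); done; echo "$n"; }
count_kept_params()  { local n=0; for i in "$@"; do n=$((n + 1)); done; echo "$n"; }
```

Run the functions with an argument containing a space (or a glob character) to see the unquoted variants hand the command more arguments than were given.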