---
title: Double quote to prevent globbing and word splitting
description: Datadog, the leading service for cloud-scale monitoring.
---

# Double quote to prevent globbing and word splitting


## Metadata{% #metadata %}

**ID:** `bash-security/double-quote-variable-expansions`

**Language:** Bash

**Severity:** Warning

**Category:** Security

**CWE:** [88](https://cwe.mitre.org/data/definitions/88.html)

## Description{% #description %}

Unquoted variable expansions like `$var` or `$1` undergo word splitting and glob expansion before the command receives them. An argument containing spaces becomes multiple arguments, and patterns like `*` expand to matching filenames.

Quoting as `"$var"` prevents this. This rule may not apply if you intentionally want word splitting or glob expansion, for example when building a dynamic argument list.
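The difference is easiest to see by printing the argument list a command actually receives. The script below is an added example, not part of Datadog's rule documentation; the helper names `show_args` and `compare_expansion`, the file names, and the sample values are constructed for illustration.

```bash
#!/bin/bash
# Added example: compares the argument list produced by an unquoted and a
# quoted expansion of the same value. All names and values are constructed.

# Print the argument count, then each argument in brackets.
show_args() {
  printf '%s args:' "$#"
  local a
  for a in "$@"; do printf ' [%s]' "$a"; done
  printf '\n'
}

# Expand one value both ways inside a scratch directory with known
# contents, so the glob result is predictable.
compare_expansion() {
  local value="$1" dir
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    touch a.txt b.txt
    # Deliberately unquoted: split on IFS, then each word is globbed.
    printf 'unquoted -> '; show_args $value
    # Quoted: the value reaches the command as exactly one argument.
    printf 'quoted   -> '; show_args "$value"
  )
  rm -rf -- "$dir"
}

compare_expansion 'my report.txt'   # space: one name becomes two arguments
compare_expansion '*.txt'           # glob: pattern becomes matching file names
compare_expansion '-v notes.txt'    # first word arrives as a separate, option-like argument (CWE-88)
```

In the last case the unquoted form hands the command `-v` as its own argument, which is the argument-injection condition CWE-88 describes; the quoted form passes the whole string as a single operand.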

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```bash
#!/bin/bash
echo $1
echo $var
cp $HOME/file destination/
for i in $*; do :; done 
for i in $@; do :; done
cp $@ ~/dir
cmd ${files[@]}
mv ${arr[*]} ~/dir
rm ${HOME}
rm ${var:-default}
ls ${file%.txt}
```

## Compliant Code Examples{% #compliant-code-examples %}

```bash
#!/bin/bash
echo "$1"
echo "$var"
cp "$HOME/file" destination/
for i in "$@"; do :; done
cp "$@" ~/dir
cp "${files[@]}" ~/dir
mv "${arr[*]}" ~/dir
rm "${HOME}"
echo ${#var}
```