Avoid client-side expansion inside double-quoted ssh arguments

Metadata

ID: bash-security/local-expansion-in-remote-command

Language: Bash

Severity: Error

Category: Security

CWE: 78

Description

Arguments to ssh are assembled by the local shell first. Inside double quotes, parameter expansion, command substitution, and arithmetic expansion run on the client before anything is sent, so the remote command often sees literal values from the local machine rather than the remote one, and attacker-influenced content can change what runs remotely (CWE-78).

Prefer single-quoted remote snippets so the remote shell sees $ and backticks literally (for example, ssh host 'echo "$HOSTNAME"'), or escape dollars in double quotes when you intentionally expand locally (for example, ssh host "echo \$HOSTNAME").

Non-Compliant Code Examples

#!/bin/bash
ssh user@host "echo $HOSTNAME"
ssh user@host "echo ${HOME}"
/usr/bin/ssh user@host "echo $(hostname)"
ssh user@host "v=$((1+1))"
ssh "$user@$host" "echo $HOME"
ssh -o BatchMode=yes user@host "echo $PATH"

Compliant Code Examples

#!/bin/bash
ssh user@host 'echo "$HOSTNAME"'
ssh user@host "echo \$HOSTNAME"
ssh user@host "echo literal only"
ssh -V
ssh -o BatchMode=yes user@host 'whoami'
ssh "$user@$host" 'for x in rsa dsa; do cat /etc/ssh/ssh_host_${x}_key.pub; done'
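To make the local-versus-remote expansion concrete, here is an added example (not code from the Datadog rule or its documentation) that replaces ssh with a stand-in returning the remote command string it would send. The HOSTNAME value and the tainted target are constructed, and printf %q is shown as a bash-specific way to pass a local value through safely when one genuinely must be sent.

```bash
#!/bin/bash
# Added example: show exactly what the remote shell would receive for each
# quoting style, offline, by replacing ssh with a function.

# ssh joins everything after the host into one remote command string; this
# stand-in returns that final argument instead of connecting anywhere.
fake_ssh() {
    shift $(($# - 1))
    printf '%s' "$1"
}

# Constructed client-side value; overrides the shell's own HOSTNAME.
HOSTNAME='client-box'

# Non-compliant: double quotes expand $HOSTNAME on the client, so the remote
# shell only ever sees the literal client value.
double_quoted() {
    fake_ssh user@host "echo $HOSTNAME"
}

# Compliant: single quotes send the $ literally; the remote shell expands it.
single_quoted() {
    fake_ssh user@host 'echo "$HOSTNAME"'
}

# Compliant: an escaped dollar inside double quotes also reaches the remote
# side intact.
escaped_dollar() {
    fake_ssh user@host "echo \$HOSTNAME"
}

# The risk behind the rule (CWE-78): a local value under attacker influence
# (constructed here) is spliced into the command text, so a metacharacter in
# it becomes a second remote command.
tainted_double_quoted() {
    local target='srv; echo injected'
    fake_ssh user@host "echo $target"
}

# Mitigation when a local value must be sent: bash's printf %q escapes it for
# the remote shell, so it stays a single word there.
tainted_quoted() {
    local target='srv; echo injected'
    fake_ssh user@host "echo $(printf '%q' "$target")"
}
```

Run each function and compare its output with the intended remote command; only the single-quoted, escaped, and %q-quoted forms preserve the command structure you wrote.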