---
title: Avoid client-side expansion inside double-quoted ssh arguments
description: Datadog, the leading service for cloud-scale monitoring.
---

# Avoid client-side expansion inside double-quoted ssh arguments

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `bash-security/local-expansion-in-remote-command`

**Language:** Bash

**Severity:** Error

**Category:** Security

**CWE**: [78](https://cwe.mitre.org/data/definitions/78.html)

## Description{% #description %}

Arguments to `ssh` are assembled by the local shell first. Inside double quotes, parameter expansion, command substitution, and arithmetic expansion run on the client before anything is sent, so the remote command often sees literal values from the local machine rather than the remote one, and attacker-influenced content can change what runs remotely (CWE-78).

Prefer single-quoted remote snippets so the remote shell sees `$` and backticks literally (for example, `ssh host 'echo "$HOSTNAME"'`). When you need double quotes because part of the string is intentionally expanded locally, escape each dollar that must reach the remote shell unexpanded (for example, `ssh host "echo \$HOSTNAME"`).

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```bash
#!/bin/bash
ssh user@host "echo $HOSTNAME"
ssh user@host "echo ${HOME}"
/usr/bin/ssh user@host "echo $(hostname)"
ssh user@host "v=$((1+1))"
ssh "$user@$host" "echo $HOME"
ssh -o BatchMode=yes user@host "echo $PATH"
```

## Compliant Code Examples{% #compliant-code-examples %}

```bash
#!/bin/bash
ssh user@host 'echo "$HOSTNAME"'
ssh user@host "echo \$HOSTNAME"
ssh user@host "echo literal only"
ssh -V
ssh -o BatchMode=yes user@host 'whoami'
ssh "$user@$host" 'for x in rsa dsa; do cat /etc/ssh/ssh_host_${x}_key.pub; done'
```
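The following added example (not part of the Datadog rule or its test cases) makes the difference observable without a network connection. `fake_ssh` is a hypothetical stand-in that, like `ssh`, joins its command arguments with spaces and hands the string to a shell; the host names and the `label` value are constructed. The last case, sending data on stdin, goes beyond the quoting fixes the rule describes and is one option for passing a local value safely.

```bash
#!/bin/bash
# Hypothetical stand-in for ssh: the "remote" side is a child sh that has
# its own HOSTNAME, so we can see which machine's value ends up in the output.
fake_ssh() {
    shift                                   # drop the destination argument
    env HOSTNAME=remote-box sh -c "$*"      # "$*" = string the client built
}

HOSTNAME=local-laptop                       # constructed client-side value

# Non-compliant: the client expands $HOSTNAME before anything is "sent".
out_double=$(fake_ssh user@host "echo $HOSTNAME")

# Compliant: single quotes keep $HOSTNAME literal until the remote shell runs.
out_single=$(fake_ssh user@host 'echo "$HOSTNAME"')

# Compliant: escaped dollar inside double quotes is also expanded remotely.
out_escaped=$(fake_ssh user@host "echo \$HOSTNAME")

# Constructed attacker-influenced value. After client-side expansion the
# remote shell parses ';' as a command separator and runs a second command.
label='x; echo INJECTED'
out_inject=$(fake_ssh user@host "echo $label")

# Keeping the value out of the command string: the remote snippet is a fixed
# single-quoted literal and the data arrives on stdin, where it is never parsed.
out_stdin=$(printf '%s\n' "$label" |
    fake_ssh user@host 'IFS= read -r v; printf "%s\n" "$v"')

printf 'double-quoted : %s\n' "$out_double"
printf 'single-quoted : %s\n' "$out_single"
printf 'escaped dollar: %s\n' "$out_escaped"
printf 'injected      : %s\n' "$out_inject"
printf 'via stdin     : %s\n' "$out_stdin"
```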