Globs starting with * or ? may be parsed as CLI options


Metadata

ID: bash-security/prevent-option-injection-via-globs

Language: Bash

Severity: Error

Category: Security

CWE: 88

Description

When the first character of an argument is a glob character (* or ?), filename expansion can yield names that begin with -. Most command-line programs parse such operands as options, so a hostile or accidental filename like -rf silently changes what the command does (argument injection, CWE-88). The rule does not flag globs that start with a literal prefix (rm bar*, rm foo/*, rm [a]*), because every match then begins with that prefix rather than with -.

Prefer ./ before the glob (e.g. rm ./*) so every match starts with ./, or end option parsing with -- before the glob (e.g. rm -- *); note that -- placed after the glob is too late. echo and printf are exempted: printf's first argument is the format string, so the glob results land among its operands, and echo only recognizes -n, -e and -E. Bash's builtin echo does still honor those three if a file named exactly -n or -e sorts first in the expansion, but the effect is limited to output formatting rather than to what the command touches.
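The following script is an added demonstration, not code from the Datadog rule page. It builds a scratch directory containing a file literally named -rf (a constructed, hostile filename) plus a subdirectory with a file to protect, then compares the non-compliant rm * against the two compliant spellings. The function names and fixture layout are invented for the example.

```bash
#!/usr/bin/env bash
# Added example: show how an unprefixed glob hands "-rf" to rm as options.
# Nothing here is from the original rule page; the fixture is constructed.

set -u
# With LC_ALL=C the name "-rf" sorts before "a.txt" and "keep", so the glob
# expands to "-rf a.txt keep". GNU rm would permute options anyway; fixing the
# order just makes the outcome independent of the platform's getopt.
export LC_ALL=C

# Create the fixture directory and print its path.
make_fixture() {
  local dir
  dir=$(mktemp -d)
  mkdir -p "$dir/keep"
  : > "$dir/keep/important.txt"   # the file we do not want to lose
  : > "$dir/-rf"                  # hostile filename (constructed for the demo)
  : > "$dir/a.txt"
  printf '%s\n' "$dir"
}

# Report whether keep/important.txt is still present under $1.
still_has_important() {
  [ -e "$1/keep/important.txt" ] && echo survived || echo deleted
}

# Report whether the hostile "-rf" entry is still present under $1.
dash_file_present() {
  [ -e "$1/-rf" ] && echo yes || echo no
}

# Non-compliant: "rm *" becomes "rm -rf a.txt keep"; the directory is
# recursively removed and the "-rf" file itself is never touched.
unsafe_rm() {
  ( cd "$1" && rm * ) 2>/dev/null || true
  still_has_important "$1"
}

# Compliant: every match starts with "./", so "-rf" is an ordinary operand.
# rm refuses the directory (no -r), so keep/ survives and "./-rf" is removed.
safe_rm_dot() {
  ( cd "$1" && rm ./* ) 2>/dev/null || true
  still_has_important "$1"
}

# Compliant: "--" ends option parsing before the glob expands.
safe_rm_dashdash() {
  ( cd "$1" && rm -- * ) 2>/dev/null || true
  still_has_important "$1"
}

# Audit helper: list glob matches in $1 whose basename starts with "-".
# Any output means an unprefixed glob in that directory is an injection risk.
dash_names() {
  local f
  for f in "$1"/*; do
    f=${f##*/}
    case $f in -*) printf '%s\n' "$f" ;; esac
  done
}

# Remove a fixture, using "--" so the path itself can never be read as options.
cleanup() {
  rm -rf -- "$1"
}

# Stand-alone demo of the three spellings, each on a fresh fixture.
demo=$(make_fixture)
printf 'hostile names: %s\n' "$(dash_names "$demo")"
printf 'rm *      -> important.txt %s, -rf present: %s\n' \
  "$(unsafe_rm "$demo")" "$(dash_file_present "$demo")"
cleanup "$demo"
demo=$(make_fixture)
printf 'rm ./*    -> important.txt %s, -rf present: %s\n' \
  "$(safe_rm_dot "$demo")" "$(dash_file_present "$demo")"
cleanup "$demo"
demo=$(make_fixture)
printf 'rm -- *   -> important.txt %s, -rf present: %s\n' \
  "$(safe_rm_dashdash "$demo")" "$(dash_file_present "$demo")"
cleanup "$demo"
```

Run it in an empty scratch location; the unsafe variant deletes keep/ while leaving the -rf file behind, and both compliant variants remove -rf as a plain file and leave the directory alone. The dash_names helper is a quick pre-flight check for directories that untrusted users can write to.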

Non-Compliant Code Examples

#!/bin/bash
rm *               # a file named -rf is parsed as options, not deleted
cat *.txt          # a name beginning with - is parsed as an option
chmod +x *         # a file named -R would make the change recursive
rm ?x              # matches a file named -x
/bin/rm *          # an absolute path to the command does not help
rm * -- something  # -- after the glob is too late; the glob has already expanded

Compliant Code Examples

#!/bin/bash
rm ./*                       # every match begins with ./
rm -- *                      # -- ends option parsing before the glob
echo *                       # exempted by the rule
printf '%s' *                # matches follow the format string
rm foo/*                     # every match begins with foo/
rm bar*                      # every match begins with bar
rm [a]*                      # every match begins with a
rm .*                        # every match begins with .
/bin/rm ./*
count="${2:-$((365 * 2))}"   # * is arithmetic inside quotes, not a glob