---
title: Globs starting with * or ? may be parsed as CLI options
description: Datadog, the leading service for cloud-scale monitoring.
---

# Globs starting with * or ? may be parsed as CLI options

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `bash-security/prevent-option-injection-via-globs`

**Language:** Bash

**Severity:** Error

**Category:** Security

**CWE**: [88](https://cwe.mitre.org/data/definitions/88.html)

## Description{% #description %}

When an argument begins with a glob character (`*` or `?`), expansion can yield paths that start with `-`. Many programs treat such operands as options, which changes their behavior (argument injection, CWE-88).

Prefix the glob with `./` (e.g. `rm ./*`) or end option parsing with `--` before the glob (e.g. `rm -- *`). `echo` and `printf` are common exceptions because they do not parse operands as options the same way.

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```bash
#!/bin/bash
rm *
cat *.txt
chmod +x *
rm ?x
/bin/rm *
rm * -- something
```

## Compliant Code Examples{% #compliant-code-examples %}

```bash
#!/bin/bash
rm ./*
rm -- *
echo *
printf '%s' *
rm foo/*
rm bar*
rm [a]*
rm .*
/bin/rm ./*
count="${2:-$((365 * 2))}"
```
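
The following added example (not part of the rule's own documentation) runs the patterns above in a scratch directory that contains a file named `-f`. `tool` is a hypothetical stand-in for an option-parsing program, built on the `getopts` builtin; the file names are constructed.

```bash
#!/bin/bash
# Hypothetical stand-in for a program that accepts a -f flag.
# Prints "force=<0|1> operands=<count>" so the effect of each call is visible.
tool() (
  OPTIND=1
  force=0
  while getopts f opt; do
    case "$opt" in
      f) force=1 ;;
      *) exit 2 ;;
    esac
  done
  shift $((OPTIND - 1))
  printf 'force=%s operands=%s\n' "$force" "$#"
)

# Run one calling pattern inside a temporary directory.
run_case() (
  dir=$(mktemp -d) || exit 1
  trap 'rm -rf -- "$dir"' EXIT
  cd "$dir" || exit 1
  # Constructed sample files: "-f" looks like a flag and sorts before "zz.txt".
  : > ./-f
  : > ./zz.txt
  case "$1" in
    bare)     tool * ;;       # non-compliant: expands to  -f zz.txt
    dotslash) tool ./* ;;     # compliant:     expands to  ./-f ./zz.txt
    dashdash) tool -- * ;;    # compliant:     -- ends option parsing first
    late)     tool * -- x ;;  # non-compliant: -f is parsed before -- is seen
  esac
)

# Show all four patterns side by side.
for c in bare dotslash dashdash late; do
  printf '%-9s %s\n' "$c" "$(run_case "$c")"
done
```

In the `bare` and `late` cases the file name `-f` is consumed as a flag and never reaches the program as an operand; in the `dotslash` and `dashdash` cases both files arrive as operands and no flag is set.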