Single-quote character classes to prevent glob expansion

Metadata

ID: bash-security/single-quote-character-classes

Language: Bash

Severity: Notice

Category: Security

CWE: 88

Description

Unquoted bracket expressions such as [:digit:] or [a-z] passed as arguments to tr are subject to shell glob (pathname) expansion before the command executes. An attacker who can influence the contents of the working directory can create files whose names match the pattern, so the shell substitutes those filenames for the intended expression and injects unintended arguments into tr, altering its behavior in unexpected ways (CWE-88).

Use single quotes to ensure the expression is passed literally: tr -cd '[:digit:]'.

Non-Compliant Code Examples

#!/bin/bash
tr -cd [:space:]
tr [a-z] [A-Z]
tr [:lower:] [:upper:]
tr [!a-z] [A-Z]
tr *[a-z] [A-Z]

Compliant Code Examples

#!/bin/bash
tr -cd '[:space:]'
tr '[a-z]' '[A-Z]'
tr '[:lower:]' '[:upper:]'
rm [abcdef]
mv [abcdefg] backup/
ls [0-9]*
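The expansion described above, as an added example that is not code from the rule page: a constructed scratch directory holds a single empty file named "d", which is enough to turn an unquoted `[:digit:]` into the argument `d` before tr ever sees it.

```shell
#!/bin/bash
# Added example, not code from the Datadog rule page. Shows how an unquoted
# bracket expression passed to tr is rewritten by pathname expansion when a
# matching file exists, and that single quotes prevent it.

# Creates a constructed scratch directory holding one empty file named "d".
# As a glob, [:digit:] matches a single character from ':', 'd', 'i', 'g', 't',
# so the file "d" satisfies it. Prints the directory path.
make_demo_dir() {
    dir=$(mktemp -d) || return 1
    : > "$dir/d"
    printf '%s\n' "$dir"
}

# Unquoted: before tr runs, the shell replaces [:digit:] with the matching
# filename "d", so the command becomes "tr -cd d" and deletes everything
# except the letter d.
unquoted_filter() {
    dir=$(make_demo_dir) || return 1
    ( cd "$dir" && printf '%s' "$1" | tr -cd [:digit:] )
    rm -rf "$dir"
}

# Single-quoted: tr receives the literal class and keeps only the digits.
quoted_filter() {
    dir=$(make_demo_dir) || return 1
    ( cd "$dir" && printf '%s' "$1" | tr -cd '[:digit:]' )
    rm -rf "$dir"
}

# Shows the argument tr actually receives in the unquoted case.
expanded_argument() {
    dir=$(make_demo_dir) || return 1
    ( cd "$dir" && printf '%s' [:digit:] )
    rm -rf "$dir"
}

printf 'argument seen by tr: %s\n' "$(expanded_argument)"      # d
printf 'unquoted: %s\n' "$(unquoted_filter 'cat 1234 dd')"     # dd
printf 'quoted:   %s\n' "$(quoted_filter 'cat 1234 dd')"       # 1234
```

In a directory with no matching file the unquoted form happens to work, which is why this defect typically goes unnoticed until the working directory is under someone else's control.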