---
title: Single-quote character classes to prevent glob expansion
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Single-quote character classes to prevent glob expansion
---

# Single-quote character classes to prevent glob expansion

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `bash-security/single-quote-character-classes`

**Language:** Bash

**Severity:** Notice

**Category:** Security

**CWE**: [88](https://cwe.mitre.org/data/definitions/88.html)

## Description{% #description %}

Unquoted bracket expressions like `[:digit:]` or `[a-z]` passed as arguments to `tr` are subject to shell glob expansion before the command executes. If a file name in the working directory matches the pattern, the shell replaces the expression with that name. An attacker who can influence the contents of the working directory can create files with matching names to inject unintended arguments into `tr`, altering its behavior in unexpected ways (CWE-88).

Use single quotes to ensure the expression is passed literally: `tr -cd '[:digit:]'`.
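The effect described above, shown in a throwaway directory. This is an added example, not part of the rule or its test cases; the sample input, the temporary directory and the file name `d` are constructed for illustration.

```bash
#!/bin/bash
# Added example. SAMPLE, the temp directory and the file name "d" are constructed.
SAMPLE='id=42;x'

# Flagged pattern: the shell sees [:digit:] as a glob that matches any
# one-character file name out of ':', 'd', 'i', 'g', 't'.
keep_digits_unquoted() {
  ( cd "$1" && printf '%s' "$SAMPLE" | tr -cd [:digit:] )
}

# Compliant pattern: single quotes pass the operand to tr unchanged.
keep_digits_quoted() {
  ( cd "$1" && printf '%s' "$SAMPLE" | tr -cd '[:digit:]' )
}

demo() {
  workdir=$(mktemp -d) || return 1
  echo "no matching file, unquoted: $(keep_digits_unquoted "$workdir")"
  : > "$workdir/d"   # a file whose name matches the glob
  echo "file 'd' present, unquoted: $(keep_digits_unquoted "$workdir")"
  echo "file 'd' present, quoted:   $(keep_digits_quoted "$workdir")"
  rm -rf "$workdir"
}

demo
```

With the file present, the unquoted filter keeps the letter `d` and drops the digits, because `tr` received `d` instead of `[:digit:]`; the quoted form is unaffected.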

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```bash
#!/bin/bash
tr -cd [:space:]
tr [a-z] [A-Z]
tr [:lower:] [:upper:]
tr [!a-z] [A-Z]
tr *[a-z] [A-Z]
```

## Compliant Code Examples{% #compliant-code-examples %}

```bash
#!/bin/bash
tr -cd '[:space:]'
tr '[a-z]' '[A-Z]'
tr '[:lower:]' '[:upper:]'
# Globs passed to commands other than tr are not flagged by this rule
rm [abcdef]
mv [abcdefg] backup/
ls [0-9]*
```