---
title: >-
  Quote right-hand side values in [[ == / != ]] to avoid unintended glob
  matching
description: Datadog, the leading service for cloud-scale monitoring.
---

# Quote right-hand side values in [[ == / != ]] to avoid unintended glob matching

## Metadata{% #metadata %}

**ID:** `bash-security/unquoted-patterns-in-double-brackets`

**Language:** Bash

**Severity:** Warning

**Category:** Security

**CWE:** [155](https://cwe.mitre.org/data/definitions/155.html)

## Description{% #description %}

In `[[ "$x" == $y ]]` or `[[ "$x" != $y ]]`, an unquoted right-hand side is interpreted as a glob pattern, not a literal string. If `$y` is wildcard-like (for example `*`) or attacker-controlled, the condition may match unexpectedly and bypass access checks.

Quote the right-hand side to force literal comparison, for example: `[[ "$x" == "$y" ]]`.
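
The behaviour described above, as an added example that is not part of the Datadog rule documentation: the same comparison with an unquoted and a quoted right-hand side, run over constructed inputs. The function names, the `expected` value and the sample inputs are assumptions made for illustration; `has_prefix` goes slightly beyond the rule text to show how to keep an intentional wildcard while the variable part is matched literally.

```bash
#!/bin/bash
# Added example, not Datadog's code. All names and values are constructed.

# Non-compliant: the unquoted right-hand side is used as a glob pattern.
check_unquoted() {   # $1 = trusted value, $2 = caller-supplied value
  [[ "$1" == $2 ]]
}

# Compliant: quoting forces a literal string comparison.
check_quoted() {     # $1 = trusted value, $2 = caller-supplied value
  [[ "$1" == "$2" ]]
}

# Intentional prefix match: the quoted variable is literal, only * is a wildcard.
has_prefix() {       # $1 = string, $2 = literal prefix
  [[ "$1" == "$2"* ]]
}

# Run a check function with its arguments and report "allow" or "deny".
verdict() {
  if "$@"; then echo allow; else echo deny; fi
}

# Compare both forms over constructed caller-supplied values.
demo() {
  local expected='s3cr3t-token'   # constructed value the caller must match
  local supplied
  for supplied in 's3cr3t-token' '*' 's3*' '[a-z]*' 'wrong'; do
    printf '%-14s unquoted=%-5s quoted=%s\n' "$supplied" \
      "$(verdict check_unquoted "$expected" "$supplied")" \
      "$(verdict check_quoted "$expected" "$supplied")"
  done
}

demo
```

Only the exact value passes the quoted check, while the unquoted check also accepts `*`, `s3*` and `[a-z]*`.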

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```bash
#!/bin/bash
[[ "$x" == $y ]]
[[ "$x" != ${rhs} ]]
[[ "$x" == prefix-${y} ]]
```

## Compliant Code Examples{% #compliant-code-examples %}

```bash
#!/bin/bash
[[ "$x" == "$y" ]]
[[ "$x" != "${y}" ]]
[[ "$x" == "prefix-${y}" ]]
[[ "$x" == literal ]]
[[ "$x" == *.txt ]]
[[ "$line" == *$'\t'* ]]
[ "$x" = "$y" ]
```