rspec/rules/S6570/docker/rule.adoc

Detect missing double quotes to prevent globbing and word splitting.

== Why is this an issue?

Variable references and command substitutions go through word splitting and pathname expansion (globbing).

This causes issues if the variable contains whitespaces or shell pathname expansion (glob) characters like `*`.

=== What is the potential impact?

This issue can lead to bugs if the variable contains sensitive characters, which may not be interpreted correctly.

== How to fix it
Add the missing double quotes to this variable.

=== Code examples

==== Noncompliant code example

Demonstration of pathname expansion using the `echo` command:
[source,bash,diff-id=1,diff-type=noncompliant]
----
test="command t*.sh"
echo $test
----
This will print `"command temp1.sh temp2.sh"`, as `*` is substituted to matching files in the current folder.
In this example the folder contains the files `temp1.sh` and `temp2.sh`

Demonstration of word splitting using the `echo` command:
[source,bash,diff-id=2,diff-type=noncompliant]
----
test=" Hello World "
echo $test
----
This will print `"Hello World"`, omitting the leading and trailing whitespaces.

==== Compliant solution

Demonstration of pathname expansion using the `echo` command, which will print `"command t*.sh"` as intended:
[source,bash,diff-id=1,diff-type=compliant]
----
test="command t*.sh"
echo "$test"
----

Demonstration of word splitting using the `echo` command, which will print `" Hello World "` as intended:
[source,bash,diff-id=2,diff-type=compliant]
----
test=" Hello World "
echo "$test"
----


== Resources

=== Documentation

* https://tldp.org/LDP/abs/html/globbingref.html[Linux Documentation Project - Globbing]
* https://dwheeler.com/essays/filenames-in-shell.html#doublequote[Filenames and Pathnames in Shell: How to do it Correctly]

ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)

=== Message

Add the missing double quotes to this variable, as it can lead to unexpected behaviour.

=== Highlighting

Highlight the entire command which is using unquoted variables.

'''
endif::env-github,rspecator-view[]
Create rule S6570: Detect missing double quote to prevent globbing and word splitting (#1723) 2023-04-06 13:20:26 +02:00			`Detect missing double quotes to prevent globbing and word splitting.`

			`== Why is this an issue?`

			`Variable references and command substitutions go through word splitting and pathname expansion (globbing).`

			This causes issues if the variable contains whitespaces or shell pathname expansion (glob) characters like `*`.

			`=== What is the potential impact?`

			`This issue can lead to bugs if the variable contains sensitive characters, which may not be interpreted correctly.`

			`== How to fix it`
			`Add the missing double quotes to this variable.`

			`=== Code examples`

			`==== Noncompliant code example`

			Demonstration of pathname expansion using the `echo` command:
			`[source,bash,diff-id=1,diff-type=noncompliant]`
			`----`
			`test="command t*.sh"`
			`echo $test`
			`----`
			This will print `"command temp1.sh temp2.sh"`, as `*` is substituted to matching files in the current folder.
			In this example the folder contains the files `temp1.sh` and `temp2.sh`

			Demonstration of word splitting using the `echo` command:
			`[source,bash,diff-id=2,diff-type=noncompliant]`
			`----`
			`test=" Hello World "`
			`echo $test`
			`----`
			This will print `"Hello World"`, omitting the leading and trailing whitespaces.

			`==== Compliant solution`

			Demonstration of pathname expansion using the `echo` command, which will print `"command t*.sh"` as intended:
			`[source,bash,diff-id=1,diff-type=compliant]`
			`----`
			`test="command t*.sh"`
			`echo "$test"`
			`----`

			Demonstration of word splitting using the `echo` command, which will print `" Hello World "` as intended:
			`[source,bash,diff-id=2,diff-type=compliant]`
			`----`
			`test=" Hello World "`
			`echo "$test"`
			`----`


			`== Resources`

			`=== Documentation`

			`* https://tldp.org/LDP/abs/html/globbingref.html[Linux Documentation Project - Globbing]`
			`* https://dwheeler.com/essays/filenames-in-shell.html#doublequote[Filenames and Pathnames in Shell: How to do it Correctly]`

			`ifdef::env-github,rspecator-view[]`
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`=== Message`

			`Add the missing double quotes to this variable, as it can lead to unexpected behaviour.`

			`=== Highlighting`

			`Highlight the entire command which is using unquoted variables.`

			`'''`
			`endif::env-github,rspecator-view[]`