ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6570/docker/rule.adoc
Fred Tingaud d3cfe19d7e
Fix broken or dangerous backquotes 
Co-authored-by: Marco Borgeaud <89914223+marco-antognini-sonarsource@users.noreply.github.com>
2023-10-30 10:33:56 +01:00

73 lines
2.3 KiB
Plaintext
Raw Blame History

Variable references should be encapsulated with double quotes to avoid globbing and word splitting.
== Why is this an issue?
Within the command, variable references and command substitutions go through word splitting and pathname expansion (globbing).
This causes issues if the variable contains whitespaces or shell pathname expansion (glob) characters like `*`.
=== What is the potential impact?
This issue can lead to bugs if the variable contains sensitive characters, which may be interpreted incorrectly and thus lead to undesired behavior.
== How can I fix it?
Surround variable reference with double quotes.
=== Code examples
==== Noncompliant code example
This example demonstrates pathname expansion using the `echo` command:
[source,docker,diff-id=1,diff-type=noncompliant]
----
RUN test="command t*.sh" && echo $test
----
Suppose this code is executed in a directory that contains two files: `temp1.sh` and `temp2.sh`. This code will print `"command temp1.sh temp2.sh"`,
as `*` is substituted with matching files in the current folder.
This example demonstrates word splitting using the `echo` command:
[source,docker,diff-id=2,diff-type=noncompliant]
----
RUN test=" Hello World " && echo $test
----
This code will print `"Hello World"`, omitting the leading and trailing whitespaces.
==== Compliant solution
This example demonstrates pathname expansion using the `echo` command, which will print ``++"command t*.sh"++`` as intended:
[source,docker,diff-id=1,diff-type=compliant]
----
RUN test="command t*.sh" && echo "$test"
----
This example demonstrates word splitting using the `echo` command, which will print `" Hello World "` as intended:
[source,docker,diff-id=2,diff-type=compliant]
----
RUN test=" Hello World " && echo "$test"
----
== Resources
=== Documentation
* https://tldp.org/LDP/abs/html/globbingref.html[Linux Documentation Project - Globbing]
* https://dwheeler.com/essays/filenames-in-shell.html#doublequote[Filenames and Pathnames in Shell: How to do it Correctly]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Surround this variable with double quotes; otherwise, it can lead to unexpected behavior.
=== Highlighting
Highlight the entire command which is using unquoted variables.
'''
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink