Variable references should be encapsulated with double quotes to avoid globbing and word splitting.
Why is this an issue?
Within a command, unquoted variable references and command substitutions go through word splitting and pathname expansion (globbing).
This causes issues if the variable contains whitespace or shell pathname expansion (glob) characters like *.
What is the potential impact?
This issue can lead to bugs if the variable contains characters that are special to the shell, which may be interpreted incorrectly and thus lead to undesired behavior.
How can I fix it?
Surround the variable reference with double quotes.
Code examples
Noncompliant code example
This example demonstrates pathname expansion using the echo command:
RUN test="command t*.sh" && echo $test
Suppose this code is executed in a directory that contains two files: temp1.sh and temp2.sh. This code will print "command temp1.sh temp2.sh", as * is substituted with matching files in the current folder.
This example demonstrates word splitting using the echo command:
RUN test=" Hello World " && echo $test
This code will print "Hello World", omitting the leading and trailing whitespace.
Compliant solution
This example demonstrates pathname expansion using the echo command, which will print "command t*.sh" as intended:
RUN test="command t*.sh" && echo "$test"
This example demonstrates word splitting using the echo command, which will print " Hello World " as intended:
RUN test=" Hello World " && echo "$test"
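The echo output above hides what the command actually receives. The following added example (not part of the original rule page) counts the arguments passed for an unquoted and a quoted expansion, using the same two files; the function names count_args and compare_expansion are hypothetical, and the files are constructed in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the rule page): count the arguments a command
# actually receives when a variable is expanded unquoted versus quoted.

# count_args prints how many arguments it was given.
count_args() {
    echo "$#"
}

# Run both expansions of "$1" inside a scratch directory holding the two
# constructed files from the rule's scenario: temp1.sh and temp2.sh.
# Prints "<unquoted count> <quoted count>".
compare_expansion() {
    value=$1
    workdir=$(mktemp -d) || return 1
    (
        cd "$workdir" || exit 1
        : > temp1.sh
        : > temp2.sh
        # Unquoted on purpose: subject to word splitting and globbing.
        # shellcheck disable=SC2086
        unquoted=$(count_args $value)
        # Quoted: passed through as exactly one argument.
        quoted=$(count_args "$value")
        echo "$unquoted $quoted"
    )
    status=$?
    rm -rf "$workdir"
    return "$status"
}

compare_expansion "command t*.sh"    # 3 1
compare_expansion " Hello World "    # 2 1
compare_expansion "*"                # 2 1
```

With a command such as rm or chmod in place of count_args, each extra argument would be an extra file operated on, which is why the quoted form is the compliant one.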