James edited this page Dec 1, 2025 · 4 revisions

This default assignment may cause DoS due to globbing. Quote it.

Optional - quote-safe-variables

This is an optional rule, which means that it has a special "long name" and is not enabled by default. See the optional page for more details. In short, you have to enable it with the long name instead of the "SC" code like you would with a normal rule:

.shellcheckrc

enable=quote-safe-variables # SC2223

Problematic code:

: ${COLUMNS:=80}

Correct code:

: "${COLUMNS:=80}"

Rationale:

This statement is an idiomatic way of assigning a default value to an environment variable. However, even though it's passed to : which ignores arguments, it's better to quote it.

If COLUMNS='/*/*/*/*/*/*', the unquoted, problematic code may spend 30+ minutes thrashing the disk as it unnecessarily tries to glob expand the value.

The correct code uses double quotes to avoid glob expansion, and therefore does not have this problem.
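The difference can be observed safely in a throwaway directory. The script below is an added example, not part of the ShellCheck wiki: count_words is a hypothetical stand-in for : that reports how many words it received, and the three files are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the ShellCheck wiki). Helper names are hypothetical.
# Everything runs inside a throwaway directory holding three constructed files.

# Stand-in for ':' that reports how many words it received after expansion.
count_words() { echo "$#"; }

# Create the sandbox with three files and print its path.
make_sandbox() {
    dir=$(mktemp -d) || return 1
    touch "$dir/a" "$dir/b" "$dir/c"
    echo "$dir"
}

# Unquoted form: the expanded value undergoes pathname expansion
# before the command runs, whatever the command does with its arguments.
default_unquoted() (
    cd "$1" || exit 1
    COLUMNS=$2                      # simulates a value inherited from the environment
    # shellcheck disable=SC2223,SC2086
    count_words ${COLUMNS:=80}
)

# Quoted form: the value stays a single literal word, no directory is read.
default_quoted() (
    cd "$1" || exit 1
    COLUMNS=$2
    count_words "${COLUMNS:=80}"
)

sandbox=$(make_sandbox) || exit 1
echo "unquoted, COLUMNS='*': $(default_unquoted "$sandbox" '*') word(s)"
echo "quoted,   COLUMNS='*': $(default_quoted "$sandbox" '*') word(s)"
echo "unquoted, COLUMNS='':  $(default_unquoted "$sandbox" '') word(s)"
rm -rf "$sandbox"
```

The unquoted call receives one word per matching file, which shows the shell walked the directory even though : would have discarded the result.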

When quoting, make sure to update any inner quotes:

: ${var:='foo'}    # Assigns foo without quotes
: "${var:='foo'}"  # Assigns 'foo' with quotes

Exceptions:

None, though this issue is largely theoretical.
