shellspec/shellspec

View on GitHub

Showing 115 of 115 total issues

Double quote to prevent globbing and word splitting.
Open

  eval shellspec_syntax_dispatch modifier ${1+'"$@"'}
Severity: Minor
Found in lib/core/modifiers/result.sh by shellcheck

Double quote to prevent globbing and word splitting.

Problematic code:

echo $1
for i in $*; do :; done # this done and the next one also applies to expanding arrays.
for i in $@; do :; done

Correct code:

echo "$1"
for i in "$@"; do :; done # or, 'for i; do'

Rationale

The first code looks like "print the first argument". It's actually "Split the first argument by IFS (spaces, tabs and line feeds). Expand each of them as if it was a glob. Join all the resulting strings and filenames with spaces. Print the result."

The second one looks like "iterate through all arguments". It's actually "join all the arguments by the first character of IFS (space), split them by IFS and expand each of them as globs, and iterate on the resulting list". The third one skips the joining part.

Quoting variables prevents word splitting and glob expansion, and prevents the script from breaking when input contains spaces, line feeds, glob characters and such.

Strictly speaking, only expansions themselves need to be quoted, but for stylistic reasons, entire arguments with multiple variable and literal parts are often quoted as one:

$HOME/$dir/dist/bin/$file        # Unquoted (bad)
"$HOME"/"$dir"/dist/bin/"$file"  # Minimal quoting (good)
"$HOME/$dir/dist/bin/$file"      # Canonical quoting (good)

When quoting composite arguments, make sure to exclude globs and brace expansions, which lose their special meaning in double quotes: "$HOME/$dir/src/*.c" will not expand, but "$HOME/$dir/src"/*.c will.

Note that $( ) starts a new context, and variables in it have to be quoted independently:

echo "This $variable is quoted $(but this $variable is not)"
echo "This $variable is quoted $(and now this "$variable" is too)"

Exceptions

Sometimes you want to split on spaces, like when building a command line:

options="-j 5 -B"
make $options file

Just quoting this doesn't work. Instead, you should have used an array (bash, ksh, zsh):

options=(-j 5 -B) # ksh: set -A options -- -j 5 -B
make "${options[@]}" file

or a function (POSIX):

make_with_flags() { make -j 5 -B "$@"; }
make_with_flags file

To split on spaces but not perform glob expansion, Posix has a set -f to disable globbing. You can disable word splitting by setting IFS=''.

Similarly, you might want an optional argument:

debug=""
[[ $1 == "--trace-commands" ]] && debug="-x"
bash $debug script

Quoting this doesn't work, since in the default case, "$debug" would expand to one empty argument while $debug would expand into zero arguments. In this case, you can use an array with zero or one elements as outlined above, or you can use an unquoted expansion with an alternate value:

debug=""
[[ $1 == "--trace-commands" ]] && debug="yes"
bash ${debug:+"-x"} script

This is better than an unquoted value because the alternative value can be properly quoted, e.g. wget ${output:+ -o "$output"}.


As always, this warning can be [[ignore]]d on a case-by-case basis.

this is especially relevant when BASH many not be available for the array work around. For example, use in eval or in command options where script has total control of the variables...

FLAGS="-av -e 'ssh -x' --delete --delete-excluded"
...
# shellcheck disable=SC2086
eval rsync $FLAGS ~/dir remote_host:dir

Notice

Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.

Double quote to prevent globbing and word splitting.
Open

  done 2>/dev/null; cd "$2" && OLDPWD=$3 && [ ${5+x} ] && printf '%s\n' "$5"
Severity: Minor
Found in shellspec by shellcheck

Double quote to prevent globbing and word splitting.

Problematic code:

echo $1
for i in $*; do :; done # this done and the next one also applies to expanding arrays.
for i in $@; do :; done

Correct code:

echo "$1"
for i in "$@"; do :; done # or, 'for i; do'

Rationale

The first code looks like "print the first argument". It's actually "Split the first argument by IFS (spaces, tabs and line feeds). Expand each of them as if it was a glob. Join all the resulting strings and filenames with spaces. Print the result."

The second one looks like "iterate through all arguments". It's actually "join all the arguments by the first character of IFS (space), split them by IFS and expand each of them as globs, and iterate on the resulting list". The third one skips the joining part.

Quoting variables prevents word splitting and glob expansion, and prevents the script from breaking when input contains spaces, line feeds, glob characters and such.

Strictly speaking, only expansions themselves need to be quoted, but for stylistic reasons, entire arguments with multiple variable and literal parts are often quoted as one:

$HOME/$dir/dist/bin/$file        # Unquoted (bad)
"$HOME"/"$dir"/dist/bin/"$file"  # Minimal quoting (good)
"$HOME/$dir/dist/bin/$file"      # Canonical quoting (good)

When quoting composite arguments, make sure to exclude globs and brace expansions, which lose their special meaning in double quotes: "$HOME/$dir/src/*.c" will not expand, but "$HOME/$dir/src"/*.c will.

Note that $( ) starts a new context, and variables in it have to be quoted independently:

echo "This $variable is quoted $(but this $variable is not)"
echo "This $variable is quoted $(and now this "$variable" is too)"

Exceptions

Sometimes you want to split on spaces, like when building a command line:

options="-j 5 -B"
make $options file

Just quoting this doesn't work. Instead, you should have used an array (bash, ksh, zsh):

options=(-j 5 -B) # ksh: set -A options -- -j 5 -B
make "${options[@]}" file

or a function (POSIX):

make_with_flags() { make -j 5 -B "$@"; }
make_with_flags file

To split on spaces but not perform glob expansion, Posix has a set -f to disable globbing. You can disable word splitting by setting IFS=''.

Similarly, you might want an optional argument:

debug=""
[[ $1 == "--trace-commands" ]] && debug="-x"
bash $debug script

Quoting this doesn't work, since in the default case, "$debug" would expand to one empty argument while $debug would expand into zero arguments. In this case, you can use an array with zero or one elements as outlined above, or you can use an unquoted expansion with an alternate value:

debug=""
[[ $1 == "--trace-commands" ]] && debug="yes"
bash ${debug:+"-x"} script

This is better than an unquoted value because the alternative value can be properly quoted, e.g. wget ${output:+ -o "$output"}.


As always, this warning can be [[ignore]]d on a case-by-case basis.

this is especially relevant when BASH many not be available for the array work around. For example, use in eval or in command options where script has total control of the variables...

FLAGS="-av -e 'ssh -x' --delete --delete-excluded"
...
# shellcheck disable=SC2086
eval rsync $FLAGS ~/dir remote_host:dir

Notice

Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.

Double quote to prevent globbing and word splitting.
Open

eval exec "$SHELLSPEC_SHELL" "\"$exec\"" ${1+'"$@"'}
Severity: Minor
Found in shellspec by shellcheck

Double quote to prevent globbing and word splitting.

Problematic code:

echo $1
for i in $*; do :; done # this done and the next one also applies to expanding arrays.
for i in $@; do :; done

Correct code:

echo "$1"
for i in "$@"; do :; done # or, 'for i; do'

Rationale

The first code looks like "print the first argument". It's actually "Split the first argument by IFS (spaces, tabs and line feeds). Expand each of them as if it was a glob. Join all the resulting strings and filenames with spaces. Print the result."

The second one looks like "iterate through all arguments". It's actually "join all the arguments by the first character of IFS (space), split them by IFS and expand each of them as globs, and iterate on the resulting list". The third one skips the joining part.

Quoting variables prevents word splitting and glob expansion, and prevents the script from breaking when input contains spaces, line feeds, glob characters and such.

Strictly speaking, only expansions themselves need to be quoted, but for stylistic reasons, entire arguments with multiple variable and literal parts are often quoted as one:

$HOME/$dir/dist/bin/$file        # Unquoted (bad)
"$HOME"/"$dir"/dist/bin/"$file"  # Minimal quoting (good)
"$HOME/$dir/dist/bin/$file"      # Canonical quoting (good)

When quoting composite arguments, make sure to exclude globs and brace expansions, which lose their special meaning in double quotes: "$HOME/$dir/src/*.c" will not expand, but "$HOME/$dir/src"/*.c will.

Note that $( ) starts a new context, and variables in it have to be quoted independently:

echo "This $variable is quoted $(but this $variable is not)"
echo "This $variable is quoted $(and now this "$variable" is too)"

Exceptions

Sometimes you want to split on spaces, like when building a command line:

options="-j 5 -B"
make $options file

Just quoting this doesn't work. Instead, you should have used an array (bash, ksh, zsh):

options=(-j 5 -B) # ksh: set -A options -- -j 5 -B
make "${options[@]}" file

or a function (POSIX):

make_with_flags() { make -j 5 -B "$@"; }
make_with_flags file

To split on spaces but not perform glob expansion, Posix has a set -f to disable globbing. You can disable word splitting by setting IFS=''.

Similarly, you might want an optional argument:

debug=""
[[ $1 == "--trace-commands" ]] && debug="-x"
bash $debug script

Quoting this doesn't work, since in the default case, "$debug" would expand to one empty argument while $debug would expand into zero arguments. In this case, you can use an array with zero or one elements as outlined above, or you can use an unquoted expansion with an alternate value:

debug=""
[[ $1 == "--trace-commands" ]] && debug="yes"
bash ${debug:+"-x"} script

This is better than an unquoted value because the alternative value can be properly quoted, e.g. wget ${output:+ -o "$output"}.


As always, this warning can be [[ignore]]d on a case-by-case basis.

this is especially relevant when BASH many not be available for the array work around. For example, use in eval or in command options where script has total control of the variables...

FLAGS="-av -e 'ssh -x' --delete --delete-excluded"
...
# shellcheck disable=SC2086
eval rsync $FLAGS ~/dir remote_host:dir

Notice

Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.

Use 'cd ... || exit' or 'cd ... || return' in case cd fails.
Open

cd contrib/demo
Severity: Minor
Found in contrib/demo.sh by shellcheck

Use cd ... || exit in case cd fails.

Problematic code:

cd generated_files
rm -r *.c

func(){
  cd foo
  do_something
}

Correct code:

cd generated_files || exit
rm -r *.c

# For functions, you may want to use return:
func(){
  cd foo || return
  do_something
}

Rationale:

cd can fail for a variety of reasons: misspelled paths, missing directories, missing permissions, broken symlinks and more.

If/when it does, the script will keep going and do all its operations in the wrong directory. This can be messy, especially if the operations involve creating or deleting a lot of files.

To avoid this, make sure you handle the cases when cd fails. Ways to do this include

  • cd foo || exit as suggested to just abort immediately
  • if cd foo; then echo "Ok"; else echo "Fail"; fi for custom handling
  • <(cd foo && cmd) as an alternative to <(cd foo || exit; cmd) in <(..), $(..) or ( )

Exceptions:

ShellCheck does not give this warning when cd is on the left of a || or &&, or the condition of a if, while or until loop. Having a set -e command anywhere in the script will disable this message, even though it won't necessarily prevent the issue.

If you are accounting for cd failures in a way shellcheck doesn't realize, you can disable this message with a [[directive]].

Notice

Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.

pre was modified in a subshell. That change might be lost.
Open

  git_remote_tags "${PRE:+--pre}"
Severity: Minor
Found in install.sh by shellcheck

var was modified in a subshell. That change might be lost.

Problematic code:

There are many ways of accidentally creating subshells, but a common one is piping to a loop:

n=0
printf "%s\n" {1..10} | while read i; do (( n+=i )); done
echo $n

Correct code:

# Bash specific: process substitution. Also try shopts like lastpipe.
n=0
while read i; do (( n+=i )); done < 

In sh, a temp file (better if fifo or fd) can be used instead of process substitution. And if it's acceptable to do it with waiting, try Here Documents.

Rationale:

Variables set in subshells are not available outside the subshell. This is a wide topic, and better described on the Wooledge Bash Wiki.

Here are some constructs that cause subshells (shellcheck may not warn about all of them). In each case, you can replace subshell1 by a command or function that sets a variable, e.g. simply var=foo, and the variable will appear to be unset after the command is run. Similarly, you can replace regular with var=foo, and it will be set afterwards:

Pipelines:

subshell1 | subshell2 | subshell3    # Bash, Dash, Ash
subshell1 | subshell2 | regular      # Ksh, Zsh

Command substitution:

regular "$(subshell1)" "`subshell2`"

Process substitution:

regular (subshell2)

Some forms of grouping:

( subshell )
{ regular; }

Backgrounding:

subshell1 &
subshell2 &

Anything executed by external processes:

find . -exec subshell1 {} \;
find . -print0 | xargs -0 subshell2
sudo subshell3
su -c subshell4

This applies not only to setting variables, but also setting shell options and changing directories.

Exceptions

You can ignore this error if you don't care that the changes aren't reflected, because work on the value branches and shouldn't be recombined.

Notice

Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.

Double quote to prevent globbing and word splitting.
Open

  eval find_specfiles specfile ${1+'"$@"'}
Severity: Minor
Found in libexec/shellspec-list.sh by shellcheck

Double quote to prevent globbing and word splitting.

Problematic code:

echo $1
for i in $*; do :; done # this done and the next one also applies to expanding arrays.
for i in $@; do :; done

Correct code:

echo "$1"
for i in "$@"; do :; done # or, 'for i; do'

Rationale

The first code looks like "print the first argument". It's actually "Split the first argument by IFS (spaces, tabs and line feeds). Expand each of them as if it was a glob. Join all the resulting strings and filenames with spaces. Print the result."

The second one looks like "iterate through all arguments". It's actually "join all the arguments by the first character of IFS (space), split them by IFS and expand each of them as globs, and iterate on the resulting list". The third one skips the joining part.

Quoting variables prevents word splitting and glob expansion, and prevents the script from breaking when input contains spaces, line feeds, glob characters and such.

Strictly speaking, only expansions themselves need to be quoted, but for stylistic reasons, entire arguments with multiple variable and literal parts are often quoted as one:

$HOME/$dir/dist/bin/$file        # Unquoted (bad)
"$HOME"/"$dir"/dist/bin/"$file"  # Minimal quoting (good)
"$HOME/$dir/dist/bin/$file"      # Canonical quoting (good)

When quoting composite arguments, make sure to exclude globs and brace expansions, which lose their special meaning in double quotes: "$HOME/$dir/src/*.c" will not expand, but "$HOME/$dir/src"/*.c will.

Note that $( ) starts a new context, and variables in it have to be quoted independently:

echo "This $variable is quoted $(but this $variable is not)"
echo "This $variable is quoted $(and now this "$variable" is too)"

Exceptions

Sometimes you want to split on spaces, like when building a command line:

options="-j 5 -B"
make $options file

Just quoting this doesn't work. Instead, you should have used an array (bash, ksh, zsh):

options=(-j 5 -B) # ksh: set -A options -- -j 5 -B
make "${options[@]}" file

or a function (POSIX):

make_with_flags() { make -j 5 -B "$@"; }
make_with_flags file

To split on spaces but not perform glob expansion, Posix has a set -f to disable globbing. You can disable word splitting by setting IFS=''.

Similarly, you might want an optional argument:

debug=""
[[ $1 == "--trace-commands" ]] && debug="-x"
bash $debug script

Quoting this doesn't work, since in the default case, "$debug" would expand to one empty argument while $debug would expand into zero arguments. In this case, you can use an array with zero or one elements as outlined above, or you can use an unquoted expansion with an alternate value:

debug=""
[[ $1 == "--trace-commands" ]] && debug="yes"
bash ${debug:+"-x"} script

This is better than an unquoted value because the alternative value can be properly quoted, e.g. wget ${output:+ -o "$output"}.


As always, this warning can be [[ignore]]d on a case-by-case basis.

this is especially relevant when BASH many not be available for the array work around. For example, use in eval or in command options where script has total control of the variables...

FLAGS="-av -e 'ssh -x' --delete --delete-excluded"
...
# shellcheck disable=SC2086
eval rsync $FLAGS ~/dir remote_host:dir

Notice

Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.

Double quote to prevent globbing and word splitting.
Open

  eval find_specfiles count_specfile ${1+'"$@"'}
Severity: Minor
Found in libexec/shellspec-translate.sh by shellcheck

Double quote to prevent globbing and word splitting.

Problematic code:

echo $1
for i in $*; do :; done # this done and the next one also applies to expanding arrays.
for i in $@; do :; done

Correct code:

echo "$1"
for i in "$@"; do :; done # or, 'for i; do'

Rationale

The first code looks like "print the first argument". It's actually "Split the first argument by IFS (spaces, tabs and line feeds). Expand each of them as if it was a glob. Join all the resulting strings and filenames with spaces. Print the result."

The second one looks like "iterate through all arguments". It's actually "join all the arguments by the first character of IFS (space), split them by IFS and expand each of them as globs, and iterate on the resulting list". The third one skips the joining part.

Quoting variables prevents word splitting and glob expansion, and prevents the script from breaking when input contains spaces, line feeds, glob characters and such.

Strictly speaking, only expansions themselves need to be quoted, but for stylistic reasons, entire arguments with multiple variable and literal parts are often quoted as one:

$HOME/$dir/dist/bin/$file        # Unquoted (bad)
"$HOME"/"$dir"/dist/bin/"$file"  # Minimal quoting (good)
"$HOME/$dir/dist/bin/$file"      # Canonical quoting (good)

When quoting composite arguments, make sure to exclude globs and brace expansions, which lose their special meaning in double quotes: "$HOME/$dir/src/*.c" will not expand, but "$HOME/$dir/src"/*.c will.

Note that $( ) starts a new context, and variables in it have to be quoted independently:

echo "This $variable is quoted $(but this $variable is not)"
echo "This $variable is quoted $(and now this "$variable" is too)"

Exceptions

Sometimes you want to split on spaces, like when building a command line:

options="-j 5 -B"
make $options file

Just quoting this doesn't work. Instead, you should have used an array (bash, ksh, zsh):

options=(-j 5 -B) # ksh: set -A options -- -j 5 -B
make "${options[@]}" file

or a function (POSIX):

make_with_flags() { make -j 5 -B "$@"; }
make_with_flags file

To split on spaces but not perform glob expansion, Posix has a set -f to disable globbing. You can disable word splitting by setting IFS=''.

Similarly, you might want an optional argument:

debug=""
[[ $1 == "--trace-commands" ]] && debug="-x"
bash $debug script

Quoting this doesn't work, since in the default case, "$debug" would expand to one empty argument while $debug would expand into zero arguments. In this case, you can use an array with zero or one elements as outlined above, or you can use an unquoted expansion with an alternate value:

debug=""
[[ $1 == "--trace-commands" ]] && debug="yes"
bash ${debug:+"-x"} script

This is better than an unquoted value because the alternative value can be properly quoted, e.g. wget ${output:+ -o "$output"}.


As always, this warning can be [[ignore]]d on a case-by-case basis.

this is especially relevant when BASH many not be available for the array work around. For example, use in eval or in command options where script has total control of the variables...

FLAGS="-av -e 'ssh -x' --delete --delete-excluded"
...
# shellcheck disable=SC2086
eval rsync $FLAGS ~/dir remote_host:dir

Notice

Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.

Double quote to prevent globbing and word splitting.
Open

eval exec "$SHELLSPEC_SHELL" "\"$exec\"" ${1+'"$@"'}
Severity: Minor
Found in libexec/shellspec-load-env.sh by shellcheck

Double quote to prevent globbing and word splitting.

Problematic code:

echo $1
for i in $*; do :; done # this done and the next one also applies to expanding arrays.
for i in $@; do :; done

Correct code:

echo "$1"
for i in "$@"; do :; done # or, 'for i; do'

Rationale

The first code looks like "print the first argument". It's actually "Split the first argument by IFS (spaces, tabs and line feeds). Expand each of them as if it was a glob. Join all the resulting strings and filenames with spaces. Print the result."

The second one looks like "iterate through all arguments". It's actually "join all the arguments by the first character of IFS (space), split them by IFS and expand each of them as globs, and iterate on the resulting list". The third one skips the joining part.

Quoting variables prevents word splitting and glob expansion, and prevents the script from breaking when input contains spaces, line feeds, glob characters and such.

Strictly speaking, only expansions themselves need to be quoted, but for stylistic reasons, entire arguments with multiple variable and literal parts are often quoted as one:

$HOME/$dir/dist/bin/$file        # Unquoted (bad)
"$HOME"/"$dir"/dist/bin/"$file"  # Minimal quoting (good)
"$HOME/$dir/dist/bin/$file"      # Canonical quoting (good)

When quoting composite arguments, make sure to exclude globs and brace expansions, which lose their special meaning in double quotes: "$HOME/$dir/src/*.c" will not expand, but "$HOME/$dir/src"/*.c will.

Note that $( ) starts a new context, and variables in it have to be quoted independently:

echo "This $variable is quoted $(but this $variable is not)"
echo "This $variable is quoted $(and now this "$variable" is too)"

Exceptions

Sometimes you want to split on spaces, like when building a command line:

options="-j 5 -B"
make $options file

Just quoting this doesn't work. Instead, you should have used an array (bash, ksh, zsh):

options=(-j 5 -B) # ksh: set -A options -- -j 5 -B
make "${options[@]}" file

or a function (POSIX):

make_with_flags() { make -j 5 -B "$@"; }
make_with_flags file

To split on spaces but not perform glob expansion, Posix has a set -f to disable globbing. You can disable word splitting by setting IFS=''.

Similarly, you might want an optional argument:

debug=""
[[ $1 == "--trace-commands" ]] && debug="-x"
bash $debug script

Quoting this doesn't work, since in the default case, "$debug" would expand to one empty argument while $debug would expand into zero arguments. In this case, you can use an array with zero or one elements as outlined above, or you can use an unquoted expansion with an alternate value:

debug=""
[[ $1 == "--trace-commands" ]] && debug="yes"
bash ${debug:+"-x"} script

This is better than an unquoted value because the alternative value can be properly quoted, e.g. wget ${output:+ -o "$output"}.


As always, this warning can be [[ignore]]d on a case-by-case basis.

this is especially relevant when BASH many not be available for the array work around. For example, use in eval or in command options where script has total control of the variables...

FLAGS="-av -e 'ssh -x' --delete --delete-excluded"
...
# shellcheck disable=SC2086
eval rsync $FLAGS ~/dir remote_host:dir

Notice

Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.

Double quote to prevent globbing and word splitting.
Open

  eval count_specfiles count ${1+'"$@"'}
Severity: Minor
Found in lib/libexec/kcov-executor.sh by shellcheck

Double quote to prevent globbing and word splitting.

Problematic code:

echo $1
for i in $*; do :; done # this done and the next one also applies to expanding arrays.
for i in $@; do :; done

Correct code:

echo "$1"
for i in "$@"; do :; done # or, 'for i; do'

Rationale

The first code looks like "print the first argument". It's actually "Split the first argument by IFS (spaces, tabs and line feeds). Expand each of them as if it was a glob. Join all the resulting strings and filenames with spaces. Print the result."

The second one looks like "iterate through all arguments". It's actually "join all the arguments by the first character of IFS (space), split them by IFS and expand each of them as globs, and iterate on the resulting list". The third one skips the joining part.

Quoting variables prevents word splitting and glob expansion, and prevents the script from breaking when input contains spaces, line feeds, glob characters and such.

Strictly speaking, only expansions themselves need to be quoted, but for stylistic reasons, entire arguments with multiple variable and literal parts are often quoted as one:

$HOME/$dir/dist/bin/$file        # Unquoted (bad)
"$HOME"/"$dir"/dist/bin/"$file"  # Minimal quoting (good)
"$HOME/$dir/dist/bin/$file"      # Canonical quoting (good)

When quoting composite arguments, make sure to exclude globs and brace expansions, which lose their special meaning in double quotes: "$HOME/$dir/src/*.c" will not expand, but "$HOME/$dir/src"/*.c will.

Note that $( ) starts a new context, and variables in it have to be quoted independently:

echo "This $variable is quoted $(but this $variable is not)"
echo "This $variable is quoted $(and now this "$variable" is too)"

Exceptions

Sometimes you want to split on spaces, like when building a command line:

options="-j 5 -B"
make $options file

Just quoting this doesn't work. Instead, you should have used an array (bash, ksh, zsh):

options=(-j 5 -B) # ksh: set -A options -- -j 5 -B
make "${options[@]}" file

or a function (POSIX):

make_with_flags() { make -j 5 -B "$@"; }
make_with_flags file

To split on spaces but not perform glob expansion, Posix has a set -f to disable globbing. You can disable word splitting by setting IFS=''.

Similarly, you might want an optional argument:

debug=""
[[ $1 == "--trace-commands" ]] && debug="-x"
bash $debug script

Quoting this doesn't work, since in the default case, "$debug" would expand to one empty argument while $debug would expand into zero arguments. In this case, you can use an array with zero or one elements as outlined above, or you can use an unquoted expansion with an alternate value:

debug=""
[[ $1 == "--trace-commands" ]] && debug="yes"
bash ${debug:+"-x"} script

This is better than an unquoted value because the alternative value can be properly quoted, e.g. wget ${output:+ -o "$output"}.


As always, this warning can be [[ignore]]d on a case-by-case basis.

this is especially relevant when BASH many not be available for the array work around. For example, use in eval or in command options where script has total control of the variables...

FLAGS="-av -e 'ssh -x' --delete --delete-excluded"
...
# shellcheck disable=SC2086
eval rsync $FLAGS ~/dir remote_host:dir

Notice

Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.

Double quote to prevent globbing and word splitting.
Open

  eval find_specfiles specfile ${1+'"$@"'}
Severity: Minor
Found in lib/libexec/parallel-executor.sh by shellcheck

Double quote to prevent globbing and word splitting.

Problematic code:

echo $1
for i in $*; do :; done # this done and the next one also applies to expanding arrays.
for i in $@; do :; done

Correct code:

echo "$1"
for i in "$@"; do :; done # or, 'for i; do'

Rationale

The first code looks like "print the first argument". It's actually "Split the first argument by IFS (spaces, tabs and line feeds). Expand each of them as if it was a glob. Join all the resulting strings and filenames with spaces. Print the result."

The second one looks like "iterate through all arguments". It's actually "join all the arguments by the first character of IFS (space), split them by IFS and expand each of them as globs, and iterate on the resulting list". The third one skips the joining part.

Quoting variables prevents word splitting and glob expansion, and prevents the script from breaking when input contains spaces, line feeds, glob characters and such.

Strictly speaking, only expansions themselves need to be quoted, but for stylistic reasons, entire arguments with multiple variable and literal parts are often quoted as one:

$HOME/$dir/dist/bin/$file        # Unquoted (bad)
"$HOME"/"$dir"/dist/bin/"$file"  # Minimal quoting (good)
"$HOME/$dir/dist/bin/$file"      # Canonical quoting (good)

When quoting composite arguments, make sure to exclude globs and brace expansions, which lose their special meaning in double quotes: "$HOME/$dir/src/*.c" will not expand, but "$HOME/$dir/src"/*.c will.

Note that $( ) starts a new context, and variables in it have to be quoted independently:

echo "This $variable is quoted $(but this $variable is not)"
echo "This $variable is quoted $(and now this "$variable" is too)"

Exceptions

Sometimes you want to split on spaces, like when building a command line:

options="-j 5 -B"
make $options file

Just quoting this doesn't work. Instead, you should have used an array (bash, ksh, zsh):

options=(-j 5 -B) # ksh: set -A options -- -j 5 -B
make "${options[@]}" file

or a function (POSIX):

make_with_flags() { make -j 5 -B "$@"; }
make_with_flags file

To split on spaces but not perform glob expansion, Posix has a set -f to disable globbing. You can disable word splitting by setting IFS=''.

Similarly, you might want an optional argument:

debug=""
[[ $1 == "--trace-commands" ]] && debug="-x"
bash $debug script

Quoting this doesn't work, since in the default case, "$debug" would expand to one empty argument while $debug would expand into zero arguments. In this case, you can use an array with zero or one elements as outlined above, or you can use an unquoted expansion with an alternate value:

debug=""
[[ $1 == "--trace-commands" ]] && debug="yes"
bash ${debug:+"-x"} script

This is better than an unquoted value because the alternative value can be properly quoted, e.g. wget ${output:+ -o "$output"}.


As always, this warning can be [[ignore]]d on a case-by-case basis.

this is especially relevant when BASH many not be available for the array work around. For example, use in eval or in command options where script has total control of the variables...

FLAGS="-av -e 'ssh -x' --delete --delete-excluded"
...
# shellcheck disable=SC2086
eval rsync $FLAGS ~/dir remote_host:dir

Notice

Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.

In POSIX sh, 'builtin' is undefined.
Open

      builtin echo -n "$2"
Severity: Minor
Found in lib/general.sh by shellcheck

In POSIX sh, something is undefined.

You have declared that your script works with /bin/sh, but you are using features that have undefined behavior according to the POSIX specification.

It may currently work for you, but it can or will fail on other OS, the same OS with different configurations, from different contexts (like initramfs/chroot), or in different versions of the same OS, including future updates to your current system.

Either declare that your script requires a specific shell like #!/bin/bash or #!/bin/dash, or rewrite the script in a portable way.

For help with rewrites, the Ubuntu wiki has a list of portability issues that broke people's #!/bin/sh scripts when Ubuntu switched from Bash to Dash. See also Bashism on wooledge's wiki. ShellCheck may not warn about all these issues.

$'c-style-escapes'

bash, ksh:

a=$' \t\n'

POSIX:

a="$(printf '%b_' ' \t\n')"; a="${a%_}" # protect trailing \n

Want some good news? See http://austingroupbugs.net/view.php?id=249#c590.

$"msgid"

Bash:

echo $"foo $(bar) baz"

POSIX:

. gettext.sh # GNU Gettext sh library
# ...
barout=$(bar)
eval_gettext 'foo $barout baz' # See GNU Gettext doc for more info.

Or you can change them to normal double quotes so you go without gettext.

Arithmetic for loops

Bash:

for ((init; test; next)); do foo; done

POSIX:

: $((init))
while [ $((test)) -ne 0 ]; do foo; : $((next)); done

Arithmetic exponentiation

Bash:

printf "%s\n" "$(( 2**63 ))"

POSIX:

The POSIX standard does not allow for exponents. However, you can replicate them completely built-in using a POSIX compatible function. As an example, the pow function from here.

pow () {
    set "$1" "$2" 1
    while [ "$2" -gt 0 ]; do
      set "$1" $(($2-1)) $(($1*$3))
    done
    # %d = signed decimal, %u = unsigned decimal
    # Either should overflow to 0
    printf "%d\n" "$3"
}

To compare:

$ echo "$(( 2**62 ))"
4611686018427387904
$ pow 2 62
4611686018427387904

Alternatively, if you don't mind using an external program, you can use bc. Be aware though: bash and other programs may abide by a certain maximum integer that bc does not (for bash that's: 64-bit signed long int, failing back to 32-bit signed long int).

Example:

# Note the overflow that gives a negative number
$ echo "$(( 2**63 ))"
-9223372036854775808

# No such problem
$ echo 2^63 | bc
9223372036854775808

# 'bc' just keeps on going
$ echo 2^1280 | bc
20815864389328798163850480654728171077230524494533409610638224700807\
21611934672059602447888346464836968484322790856201558276713249664692\
98162798132113546415258482590187784406915463666993231671009459188410\
95379622423387354295096957733925002768876520583464697770622321657076\
83317005651120933244966378183760369413644440628104205339687097746591\
6057756101739472373801429441421111406337458176

standalone ((..))

Bash:

((a=c+d))
((d)) && echo d is true.

POSIX:

: $((a=c+d)) # discard the output of the arith expn with `:` command
[ $((d)) -ne 0 ] && echo d is true. # manually check non-zero => true

select loops

It takes extra care over terminal columns to make select loop look like bash's, which generates a list with multiple items on one line, or like ls.

It is, however, still possible to make a naive translation for select foo in bar baz; do eat; done:

while
  _i=0 _foo= foo=
  for _name in bar baz; do echo "$((_i+=1))) $_name"; done
  printf '$# '; read _foo
do
  case _foo in 1) foo=bar;; 2) foo=baz;; *) continue;; esac
  eat
done

Here-strings

Bash, ksh:

grep aaa <<< "$g"

POSIX:

# not exactly the same -- <<< adds a trailing \n if $g doesn't end with \n
printf '%s' "$g" | grep aaa

echo flags

See https://unix.stackexchange.com/tags/echo/info.

${var/pat/replacement}

Bash:

echo "${TERM/%-256*}"

POSIX:

echo "$TERM" | sed -e 's/-256.*$//g'
# Special case for this since we are matching the end:
echo "${TERM%-256*}"

printf %q

Bash:

printf '%q ' "$@"

POSIX:

# TODO: Interpret it back to printf escapes for hard-to-copy chars like \t?
# See also: http://git.savannah.gnu.org/cgit/libtool.git/tree/gl/build-aux/funclib.sh?id=c60e054#n1029
reuse_quote()(
  for i; do
    __i_quote=$(printf '%s\n' "$i" | sed -e "s/'/'\\\\''/g"; echo x)
    printf "'%s'" "${__i_quote%x}"
  done
)
reuse_quote "$@"

Exception

Depends on what your expected POSIX shell providers would use.

Notice

Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.

In POSIX sh, 'builtin' is undefined.
Open

      builtin echo -n "$2"
Severity: Minor
Found in lib/general.sh by shellcheck

In POSIX sh, something is undefined.

You have declared that your script works with /bin/sh, but you are using features that have undefined behavior according to the POSIX specification.

It may currently work for you, but it can or will fail on other OS, the same OS with different configurations, from different contexts (like initramfs/chroot), or in different versions of the same OS, including future updates to your current system.

Either declare that your script requires a specific shell like #!/bin/bash or #!/bin/dash, or rewrite the script in a portable way.

For help with rewrites, the Ubuntu wiki has a list of portability issues that broke people's #!/bin/sh scripts when Ubuntu switched from Bash to Dash. See also Bashism on wooledge's wiki. ShellCheck may not warn about all these issues.

$'c-style-escapes'

bash, ksh:

a=$' \t\n'

POSIX:

a="$(printf '%b_' ' \t\n')"; a="${a%_}" # protect trailing \n

Want some good news? See http://austingroupbugs.net/view.php?id=249#c590.

$"msgid"

Bash:

echo $"foo $(bar) baz"

POSIX:

. gettext.sh # GNU Gettext sh library
# ...
barout=$(bar)
eval_gettext 'foo $barout baz' # See GNU Gettext doc for more info.

Or you can change them to normal double quotes so you go without gettext.

Arithmetic for loops

Bash:

for ((init; test; next)); do foo; done

POSIX:

: $((init))
while [ $((test)) -ne 0 ]; do foo; : $((next)); done

Arithmetic exponentiation

Bash:

printf "%s\n" "$(( 2**63 ))"

POSIX:

The POSIX standard does not allow for exponents. However, you can replicate them completely built-in using a POSIX compatible function. As an example, the pow function from here.

pow () {
    set "$1" "$2" 1
    while [ "$2" -gt 0 ]; do
      set "$1" $(($2-1)) $(($1*$3))
    done
    # %d = signed decimal, %u = unsigned decimal
    # Either should overflow to 0
    printf "%d\n" "$3"
}

To compare:

$ echo "$(( 2**62 ))"
4611686018427387904
$ pow 2 62
4611686018427387904

Alternatively, if you don't mind using an external program, you can use bc. Be aware though: bash and other programs may abide by a certain maximum integer that bc does not (for bash that's: 64-bit signed long int, failing back to 32-bit signed long int).

Example:

# Note the overflow that gives a negative number
$ echo "$(( 2**63 ))"
-9223372036854775808

# No such problem
$ echo 2^63 | bc
9223372036854775808

# 'bc' just keeps on going
$ echo 2^1280 | bc
20815864389328798163850480654728171077230524494533409610638224700807\
21611934672059602447888346464836968484322790856201558276713249664692\
98162798132113546415258482590187784406915463666993231671009459188410\
95379622423387354295096957733925002768876520583464697770622321657076\
83317005651120933244966378183760369413644440628104205339687097746591\
6057756101739472373801429441421111406337458176

standalone ((..))

Bash:

((a=c+d))
((d)) && echo d is true.

POSIX:

: $((a=c+d)) # discard the output of the arith expn with `:` command
[ $((d)) -ne 0 ] && echo d is true. # manually check non-zero => true

select loops

It takes extra care over terminal columns to make select loop look like bash's, which generates a list with multiple items on one line, or like ls.

It is, however, still possible to make a naive translation for select foo in bar baz; do eat; done:

while
  _i=0 _foo= foo=
  for _name in bar baz; do echo "$((_i+=1))) $_name"; done
  printf '$# '; read _foo
do
  case _foo in 1) foo=bar;; 2) foo=baz;; *) continue;; esac
  eat
done

Here-strings

Bash, ksh:

grep aaa <<< "$g"

POSIX:

# not exactly the same -- <<< adds a trailing \n if $g doesn't end with \n
printf '%s' "$g" | grep aaa

echo flags

See https://unix.stackexchange.com/tags/echo/info.

${var/pat/replacement}

Bash:

echo "${TERM/%-256*}"

POSIX:

echo "$TERM" | sed -e 's/-256.*$//g'
# Special case for this since we are matching the end:
echo "${TERM%-256*}"

printf %q

Bash:

printf '%q ' "$@"

POSIX:

# TODO: Interpret it back to printf escapes for hard-to-copy chars like \t?
# See also: http://git.savannah.gnu.org/cgit/libtool.git/tree/gl/build-aux/funclib.sh?id=c60e054#n1029
reuse_quote()(
  for i; do
    __i_quote=$(printf '%s\n' "$i" | sed -e "s/'/'\\\\''/g"; echo x)
    printf "'%s'" "${__i_quote%x}"
  done
)
reuse_quote "$@"

Exception

Depends on what your expected POSIX shell providers would use.

Notice

Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.

In POSIX sh, 'builtin' is undefined.
Open

    shellspec_putsn() { [ $# -gt 0 ] && shellspec_puts "$@"; builtin echo; }
Severity: Minor
Found in lib/general.sh by shellcheck

In POSIX sh, something is undefined.

You have declared that your script works with /bin/sh, but you are using features that have undefined behavior according to the POSIX specification.

It may currently work for you, but it can or will fail on other OS, the same OS with different configurations, from different contexts (like initramfs/chroot), or in different versions of the same OS, including future updates to your current system.

Either declare that your script requires a specific shell like #!/bin/bash or #!/bin/dash, or rewrite the script in a portable way.

For help with rewrites, the Ubuntu wiki has a list of portability issues that broke people's #!/bin/sh scripts when Ubuntu switched from Bash to Dash. See also Bashism on wooledge's wiki. ShellCheck may not warn about all these issues.

$'c-style-escapes'

bash, ksh:

a=$' \t\n'

POSIX:

a="$(printf '%b_' ' \t\n')"; a="${a%_}" # protect trailing \n

Want some good news? See http://austingroupbugs.net/view.php?id=249#c590.

$"msgid"

Bash:

echo $"foo $(bar) baz"

POSIX:

. gettext.sh # GNU Gettext sh library
# ...
barout=$(bar)
eval_gettext 'foo $barout baz' # See GNU Gettext doc for more info.

Or you can change them to normal double quotes so you go without gettext.

Arithmetic for loops

Bash:

for ((init; test; next)); do foo; done

POSIX:

: $((init))
while [ $((test)) -ne 0 ]; do foo; : $((next)); done

Arithmetic exponentiation

Bash:

printf "%s\n" "$(( 2**63 ))"

POSIX:

The POSIX standard does not allow for exponents. However, you can replicate them completely built-in using a POSIX compatible function. As an example, the pow function from here.

pow () {
    set "$1" "$2" 1
    while [ "$2" -gt 0 ]; do
      set "$1" $(($2-1)) $(($1*$3))
    done
    # %d = signed decimal, %u = unsigned decimal
    # Either should overflow to 0
    printf "%d\n" "$3"
}

To compare:

$ echo "$(( 2**62 ))"
4611686018427387904
$ pow 2 62
4611686018427387904

Alternatively, if you don't mind using an external program, you can use bc. Be aware though: bash and other programs may abide by a certain maximum integer that bc does not (for bash that's: 64-bit signed long int, failing back to 32-bit signed long int).

Example:

# Note the overflow that gives a negative number
$ echo "$(( 2**63 ))"
-9223372036854775808

# No such problem
$ echo 2^63 | bc
9223372036854775808

# 'bc' just keeps on going
$ echo 2^1280 | bc
20815864389328798163850480654728171077230524494533409610638224700807\
21611934672059602447888346464836968484322790856201558276713249664692\
98162798132113546415258482590187784406915463666993231671009459188410\
95379622423387354295096957733925002768876520583464697770622321657076\
83317005651120933244966378183760369413644440628104205339687097746591\
6057756101739472373801429441421111406337458176

standalone ((..))

Bash:

((a=c+d))
((d)) && echo d is true.

POSIX:

: $((a=c+d)) # discard the output of the arith expn with `:` command
[ $((d)) -ne 0 ] && echo d is true. # manually check non-zero => true

select loops

It takes extra care over terminal columns to make select loop look like bash's, which generates a list with multiple items on one line, or like ls.

It is, however, still possible to make a naive translation for select foo in bar baz; do eat; done:

while
  _i=0 _foo= foo=
  for _name in bar baz; do echo "$((_i+=1))) $_name"; done
  printf '$# '; read _foo
do
  case _foo in 1) foo=bar;; 2) foo=baz;; *) continue;; esac
  eat
done

Here-strings

Bash, ksh:

grep aaa <<< "$g"

POSIX:

# not exactly the same -- <<< adds a trailing \n if $g doesn't end with \n
printf '%s' "$g" | grep aaa

echo flags

See https://unix.stackexchange.com/tags/echo/info.

${var/pat/replacement}

Bash:

echo "${TERM/%-256*}"

POSIX:

echo "$TERM" | sed -e 's/-256.*$//g'
# Special case for this since we are matching the end:
echo "${TERM%-256*}"

printf %q

Bash:

printf '%q ' "$@"

POSIX:

# TODO: Interpret it back to printf escapes for hard-to-copy chars like \t?
# See also: http://git.savannah.gnu.org/cgit/libtool.git/tree/gl/build-aux/funclib.sh?id=c60e054#n1029
reuse_quote()(
  for i; do
    __i_quote=$(printf '%s\n' "$i" | sed -e "s/'/'\\\\''/g"; echo x)
    printf "'%s'" "${__i_quote%x}"
  done
)
reuse_quote "$@"

Exception

Depends on what your expected POSIX shell providers would use.

Notice

Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.

Double quote to prevent globbing and word splitting.
Open

shellspec_clone_typeset() { eval typeset ${1+'"$@"'} 2>/dev/null; }
Severity: Minor
Found in lib/core/clone.sh by shellcheck

Double quote to prevent globbing and word splitting.

Problematic code:

echo $1
for i in $*; do :; done # this done and the next one also applies to expanding arrays.
for i in $@; do :; done

Correct code:

echo "$1"
for i in "$@"; do :; done # or, 'for i; do'

Rationale

The first code looks like "print the first argument". It's actually "Split the first argument by IFS (spaces, tabs and line feeds). Expand each of them as if it was a glob. Join all the resulting strings and filenames with spaces. Print the result."

The second one looks like "iterate through all arguments". It's actually "join all the arguments by the first character of IFS (space), split them by IFS and expand each of them as globs, and iterate on the resulting list". The third one skips the joining part.

Quoting variables prevents word splitting and glob expansion, and prevents the script from breaking when input contains spaces, line feeds, glob characters and such.

Strictly speaking, only expansions themselves need to be quoted, but for stylistic reasons, entire arguments with multiple variable and literal parts are often quoted as one:

$HOME/$dir/dist/bin/$file        # Unquoted (bad)
"$HOME"/"$dir"/dist/bin/"$file"  # Minimal quoting (good)
"$HOME/$dir/dist/bin/$file"      # Canonical quoting (good)

When quoting composite arguments, make sure to exclude globs and brace expansions, which lose their special meaning in double quotes: "$HOME/$dir/src/*.c" will not expand, but "$HOME/$dir/src"/*.c will.

Note that $( ) starts a new context, and variables in it have to be quoted independently:

echo "This $variable is quoted $(but this $variable is not)"
echo "This $variable is quoted $(and now this "$variable" is too)"

Exceptions

Sometimes you want to split on spaces, like when building a command line:

options="-j 5 -B"
make $options file

Just quoting this doesn't work. Instead, you should have used an array (bash, ksh, zsh):

options=(-j 5 -B) # ksh: set -A options -- -j 5 -B
make "${options[@]}" file

or a function (POSIX):

make_with_flags() { make -j 5 -B "$@"; }
make_with_flags file

To split on spaces but not perform glob expansion, Posix has a set -f to disable globbing. You can disable word splitting by setting IFS=''.

Similarly, you might want an optional argument:

debug=""
[[ $1 == "--trace-commands" ]] && debug="-x"
bash $debug script

Quoting this doesn't work, since in the default case, "$debug" would expand to one empty argument while $debug would expand into zero arguments. In this case, you can use an array with zero or one elements as outlined above, or you can use an unquoted expansion with an alternate value:

debug=""
[[ $1 == "--trace-commands" ]] && debug="yes"
bash ${debug:+"-x"} script

This is better than an unquoted value because the alternative value can be properly quoted, e.g. wget ${output:+ -o "$output"}.


As always, this warning can be [[ignore]]d on a case-by-case basis.

this is especially relevant when BASH many not be available for the array work around. For example, use in eval or in command options where script has total control of the variables...

FLAGS="-av -e 'ssh -x' --delete --delete-excluded"
...
# shellcheck disable=SC2086
eval rsync $FLAGS ~/dir remote_host:dir

Notice

Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.

Double quote to prevent globbing and word splitting.
Open

  eval shellspec_syntax_dispatch modifier ${1+'"$@"'}
Severity: Minor
Found in lib/core/modifiers/lines.sh by shellcheck

Double quote to prevent globbing and word splitting.

Problematic code:

echo $1
for i in $*; do :; done # this done and the next one also applies to expanding arrays.
for i in $@; do :; done

Correct code:

echo "$1"
for i in "$@"; do :; done # or, 'for i; do'

Rationale

The first code looks like "print the first argument". It's actually "Split the first argument by IFS (spaces, tabs and line feeds). Expand each of them as if it was a glob. Join all the resulting strings and filenames with spaces. Print the result."

The second one looks like "iterate through all arguments". It's actually "join all the arguments by the first character of IFS (space), split them by IFS and expand each of them as globs, and iterate on the resulting list". The third one skips the joining part.

Quoting variables prevents word splitting and glob expansion, and prevents the script from breaking when input contains spaces, line feeds, glob characters and such.

Strictly speaking, only expansions themselves need to be quoted, but for stylistic reasons, entire arguments with multiple variable and literal parts are often quoted as one:

$HOME/$dir/dist/bin/$file        # Unquoted (bad)
"$HOME"/"$dir"/dist/bin/"$file"  # Minimal quoting (good)
"$HOME/$dir/dist/bin/$file"      # Canonical quoting (good)

When quoting composite arguments, make sure to exclude globs and brace expansions, which lose their special meaning in double quotes: "$HOME/$dir/src/*.c" will not expand, but "$HOME/$dir/src"/*.c will.

Note that $( ) starts a new context, and variables in it have to be quoted independently:

echo "This $variable is quoted $(but this $variable is not)"
echo "This $variable is quoted $(and now this "$variable" is too)"

Exceptions

Sometimes you want to split on spaces, like when building a command line:

options="-j 5 -B"
make $options file

Just quoting this doesn't work. Instead, you should have used an array (bash, ksh, zsh):

options=(-j 5 -B) # ksh: set -A options -- -j 5 -B
make "${options[@]}" file

or a function (POSIX):

make_with_flags() { make -j 5 -B "$@"; }
make_with_flags file

To split on spaces but not perform glob expansion, Posix has a set -f to disable globbing. You can disable word splitting by setting IFS=''.

Similarly, you might want an optional argument:

debug=""
[[ $1 == "--trace-commands" ]] && debug="-x"
bash $debug script

Quoting this doesn't work, since in the default case, "$debug" would expand to one empty argument while $debug would expand into zero arguments. In this case, you can use an array with zero or one elements as outlined above, or you can use an unquoted expansion with an alternate value:

debug=""
[[ $1 == "--trace-commands" ]] && debug="yes"
bash ${debug:+"-x"} script

This is better than an unquoted value because the alternative value can be properly quoted, e.g. wget ${output:+ -o "$output"}.


As always, this warning can be [[ignore]]d on a case-by-case basis.

this is especially relevant when BASH many not be available for the array work around. For example, use in eval or in command options where script has total control of the variables...

FLAGS="-av -e 'ssh -x' --delete --delete-excluded"
...
# shellcheck disable=SC2086
eval rsync $FLAGS ~/dir remote_host:dir

Notice

Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.

Quote this to prevent word splitting.
Open

count total $(sources; specs; samples)
Severity: Minor
Found in contrib/check.sh by shellcheck

Quote this to prevent word splitting

Problematic code:

ls -l $(getfilename)

Correct code:

# getfilename outputs 1 file
ls -l "$(getfilename)"

# getfilename outputs multiple files, linefeed separated
getfilename | while IFS='' read -r line
do
  ls -l "$line"
done

Rationale:

When command expansions are unquoted, word splitting and globbing will occur. This often manifests itself by breaking when filenames contain spaces.

Trying to fix it by adding quotes or escapes to the data will not work. Instead, quote the command substitution itself.

If the command substitution outputs multiple pieces of data, use a loop instead.

Exceptions

In rare cases you actually want word splitting, such as in

gcc $(pkg-config --libs openssl) client.c

This is because pkg-config outputs -lssl -lcrypto, which you want to break up by spaces into -lssl and -lcrypto. An alternative is to put the variables to an array and expand it:

args=( $(pkg-config --libs openssl) )
gcc "${args[@]}" client.c

The power of using an array becomes evident when you want to combine, for example, the command result with user-provided arguments:

compile () {
    args=( $(pkg-config --libs openssl) "${@}" )
    gcc "${args[@]}" client.c
}
compile -DDEBUG
+ gcc -lssl -lcrypto -DDEBUG client.c

Notice

Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.

In POSIX sh, 'type' is undefined.
Open

    if type "$cmd" >/dev/null 2>&1; then
Severity: Minor
Found in contrib/builtins.sh by shellcheck

In POSIX sh, something is undefined.

You have declared that your script works with /bin/sh, but you are using features that have undefined behavior according to the POSIX specification.

It may currently work for you, but it can or will fail on other OS, the same OS with different configurations, from different contexts (like initramfs/chroot), or in different versions of the same OS, including future updates to your current system.

Either declare that your script requires a specific shell like #!/bin/bash or #!/bin/dash, or rewrite the script in a portable way.

For help with rewrites, the Ubuntu wiki has a list of portability issues that broke people's #!/bin/sh scripts when Ubuntu switched from Bash to Dash. See also Bashism on wooledge's wiki. ShellCheck may not warn about all these issues.

$'c-style-escapes'

bash, ksh:

a=$' \t\n'

POSIX:

a="$(printf '%b_' ' \t\n')"; a="${a%_}" # protect trailing \n

Want some good news? See http://austingroupbugs.net/view.php?id=249#c590.

$"msgid"

Bash:

echo $"foo $(bar) baz"

POSIX:

. gettext.sh # GNU Gettext sh library
# ...
barout=$(bar)
eval_gettext 'foo $barout baz' # See GNU Gettext doc for more info.

Or you can change them to normal double quotes so you go without gettext.

Arithmetic for loops

Bash:

for ((init; test; next)); do foo; done

POSIX:

: $((init))
while [ $((test)) -ne 0 ]; do foo; : $((next)); done

Arithmetic exponentiation

Bash:

printf "%s\n" "$(( 2**63 ))"

POSIX:

The POSIX standard does not allow for exponents. However, you can replicate them completely built-in using a POSIX compatible function. As an example, the pow function from here.

pow () {
    set "$1" "$2" 1
    while [ "$2" -gt 0 ]; do
      set "$1" $(($2-1)) $(($1*$3))
    done
    # %d = signed decimal, %u = unsigned decimal
    # Either should overflow to 0
    printf "%d\n" "$3"
}

To compare:

$ echo "$(( 2**62 ))"
4611686018427387904
$ pow 2 62
4611686018427387904

Alternatively, if you don't mind using an external program, you can use bc. Be aware though: bash and other programs may abide by a certain maximum integer that bc does not (for bash that's: 64-bit signed long int, failing back to 32-bit signed long int).

Example:

# Note the overflow that gives a negative number
$ echo "$(( 2**63 ))"
-9223372036854775808

# No such problem
$ echo 2^63 | bc
9223372036854775808

# 'bc' just keeps on going
$ echo 2^1280 | bc
20815864389328798163850480654728171077230524494533409610638224700807\
21611934672059602447888346464836968484322790856201558276713249664692\
98162798132113546415258482590187784406915463666993231671009459188410\
95379622423387354295096957733925002768876520583464697770622321657076\
83317005651120933244966378183760369413644440628104205339687097746591\
6057756101739472373801429441421111406337458176

standalone ((..))

Bash:

((a=c+d))
((d)) && echo d is true.

POSIX:

: $((a=c+d)) # discard the output of the arith expn with `:` command
[ $((d)) -ne 0 ] && echo d is true. # manually check non-zero => true

select loops

It takes extra care over terminal columns to make select loop look like bash's, which generates a list with multiple items on one line, or like ls.

It is, however, still possible to make a naive translation for select foo in bar baz; do eat; done:

while
  _i=0 _foo= foo=
  for _name in bar baz; do echo "$((_i+=1))) $_name"; done
  printf '$# '; read _foo
do
  case _foo in 1) foo=bar;; 2) foo=baz;; *) continue;; esac
  eat
done

Here-strings

Bash, ksh:

grep aaa <<< "$g"

POSIX:

# not exactly the same -- <<< adds a trailing \n if $g doesn't end with \n
printf '%s' "$g" | grep aaa

echo flags

See https://unix.stackexchange.com/tags/echo/info.

${var/pat/replacement}

Bash:

echo "${TERM/%-256*}"

POSIX:

echo "$TERM" | sed -e 's/-256.*$//g'
# Special case for this since we are matching the end:
echo "${TERM%-256*}"

printf %q

Bash:

printf '%q ' "$@"

POSIX:

# TODO: Interpret it back to printf escapes for hard-to-copy chars like \t?
# See also: http://git.savannah.gnu.org/cgit/libtool.git/tree/gl/build-aux/funclib.sh?id=c60e054#n1029
reuse_quote()(
  for i; do
    __i_quote=$(printf '%s\n' "$i" | sed -e "s/'/'\\\\''/g"; echo x)
    printf "'%s'" "${__i_quote%x}"
  done
)
reuse_quote "$@"

Exception

Depends on what your expected POSIX shell providers would use.

Notice

Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.

On most OS, shebangs can only specify a single parameter.
Open

#!/bin/sh -u -u
Severity: Minor
Found in libexec/shellspec-shebang by shellcheck

On most OS, shebangs can only specify a single parameter.

Problematic code:

#!/usr/bin/env bash -x

Correct code:

#!/usr/bin/env bash
set -x

Rationale:

Most operating systems, including POSIX, Linux and FreeBSD, allow only a single parameter in the shebang. The example is equivalent to calling env 'bash -x' instead of env 'bash' '-x', and it will therefore fail.

The shebang should be rewritten to use at most one parameter. Shell options can instead be set in the body of the script.

Exceptions

macOS X currently allows multiple words in the shebang. Scripts running on OSX exclusively can ignore this warning.

Notice

Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.

Double quote to prevent globbing and word splitting.
Open

  eval trans evaluation ${1+'"$@"'}
Severity: Minor
Found in lib/libexec/translator.sh by shellcheck

Double quote to prevent globbing and word splitting.

Problematic code:

echo $1
for i in $*; do :; done # this done and the next one also applies to expanding arrays.
for i in $@; do :; done

Correct code:

echo "$1"
for i in "$@"; do :; done # or, 'for i; do'

Rationale

The first code looks like "print the first argument". It's actually "Split the first argument by IFS (spaces, tabs and line feeds). Expand each of them as if it was a glob. Join all the resulting strings and filenames with spaces. Print the result."

The second one looks like "iterate through all arguments". It's actually "join all the arguments by the first character of IFS (space), split them by IFS and expand each of them as globs, and iterate on the resulting list". The third one skips the joining part.

Quoting variables prevents word splitting and glob expansion, and prevents the script from breaking when input contains spaces, line feeds, glob characters and such.

Strictly speaking, only expansions themselves need to be quoted, but for stylistic reasons, entire arguments with multiple variable and literal parts are often quoted as one:

$HOME/$dir/dist/bin/$file        # Unquoted (bad)
"$HOME"/"$dir"/dist/bin/"$file"  # Minimal quoting (good)
"$HOME/$dir/dist/bin/$file"      # Canonical quoting (good)

When quoting composite arguments, make sure to exclude globs and brace expansions, which lose their special meaning in double quotes: "$HOME/$dir/src/*.c" will not expand, but "$HOME/$dir/src"/*.c will.

Note that $( ) starts a new context, and variables in it have to be quoted independently:

echo "This $variable is quoted $(but this $variable is not)"
echo "This $variable is quoted $(and now this "$variable" is too)"

Exceptions

Sometimes you want to split on spaces, like when building a command line:

options="-j 5 -B"
make $options file

Just quoting this doesn't work. Instead, you should have used an array (bash, ksh, zsh):

options=(-j 5 -B) # ksh: set -A options -- -j 5 -B
make "${options[@]}" file

or a function (POSIX):

make_with_flags() { make -j 5 -B "$@"; }
make_with_flags file

To split on spaces but not perform glob expansion, Posix has a set -f to disable globbing. You can disable word splitting by setting IFS=''.

Similarly, you might want an optional argument:

debug=""
[[ $1 == "--trace-commands" ]] && debug="-x"
bash $debug script

Quoting this doesn't work, since in the default case, "$debug" would expand to one empty argument while $debug would expand into zero arguments. In this case, you can use an array with zero or one elements as outlined above, or you can use an unquoted expansion with an alternate value:

debug=""
[[ $1 == "--trace-commands" ]] && debug="yes"
bash ${debug:+"-x"} script

This is better than an unquoted value because the alternative value can be properly quoted, e.g. wget ${output:+ -o "$output"}.


As always, this warning can be [[ignore]]d on a case-by-case basis.

this is especially relevant when BASH many not be available for the array work around. For example, use in eval or in command options where script has total control of the variables...

FLAGS="-av -e 'ssh -x' --delete --delete-excluded"
...
# shellcheck disable=SC2086
eval rsync $FLAGS ~/dir remote_host:dir

Notice

Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.

Double quote to prevent globbing and word splitting.
Open

  eval shellspec_syntax_dispatch modifier line ${1+'"$@"'}
Severity: Minor
Found in lib/core/subjects/line.sh by shellcheck

Double quote to prevent globbing and word splitting.

Problematic code:

echo $1
for i in $*; do :; done # this done and the next one also applies to expanding arrays.
for i in $@; do :; done

Correct code:

echo "$1"
for i in "$@"; do :; done # or, 'for i; do'

Rationale

The first code looks like "print the first argument". It's actually "Split the first argument by IFS (spaces, tabs and line feeds). Expand each of them as if it was a glob. Join all the resulting strings and filenames with spaces. Print the result."

The second one looks like "iterate through all arguments". It's actually "join all the arguments by the first character of IFS (space), split them by IFS and expand each of them as globs, and iterate on the resulting list". The third one skips the joining part.

Quoting variables prevents word splitting and glob expansion, and prevents the script from breaking when input contains spaces, line feeds, glob characters and such.

Strictly speaking, only expansions themselves need to be quoted, but for stylistic reasons, entire arguments with multiple variable and literal parts are often quoted as one:

$HOME/$dir/dist/bin/$file        # Unquoted (bad)
"$HOME"/"$dir"/dist/bin/"$file"  # Minimal quoting (good)
"$HOME/$dir/dist/bin/$file"      # Canonical quoting (good)

When quoting composite arguments, make sure to exclude globs and brace expansions, which lose their special meaning in double quotes: "$HOME/$dir/src/*.c" will not expand, but "$HOME/$dir/src"/*.c will.

Note that $( ) starts a new context, and variables in it have to be quoted independently:

echo "This $variable is quoted $(but this $variable is not)"
echo "This $variable is quoted $(and now this "$variable" is too)"

Exceptions

Sometimes you want to split on spaces, like when building a command line:

options="-j 5 -B"
make $options file

Just quoting this doesn't work. Instead, you should have used an array (bash, ksh, zsh):

options=(-j 5 -B) # ksh: set -A options -- -j 5 -B
make "${options[@]}" file

or a function (POSIX):

make_with_flags() { make -j 5 -B "$@"; }
make_with_flags file

To split on spaces but not perform glob expansion, Posix has a set -f to disable globbing. You can disable word splitting by setting IFS=''.

Similarly, you might want an optional argument:

debug=""
[[ $1 == "--trace-commands" ]] && debug="-x"
bash $debug script

Quoting this doesn't work, since in the default case, "$debug" would expand to one empty argument while $debug would expand into zero arguments. In this case, you can use an array with zero or one elements as outlined above, or you can use an unquoted expansion with an alternate value:

debug=""
[[ $1 == "--trace-commands" ]] && debug="yes"
bash ${debug:+"-x"} script

This is better than an unquoted value because the alternative value can be properly quoted, e.g. wget ${output:+ -o "$output"}.


As always, this warning can be [[ignore]]d on a case-by-case basis.

this is especially relevant when BASH many not be available for the array work around. For example, use in eval or in command options where script has total control of the variables...

FLAGS="-av -e 'ssh -x' --delete --delete-excluded"
...
# shellcheck disable=SC2086
eval rsync $FLAGS ~/dir remote_host:dir

Notice

Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.

Severity
Category
Status
Source
Language