7x31/shellcheck
1
0
Fork 0
mirror of https://github.com/koalaman/shellcheck.git synced 2025-10-03 19:29:44 +08:00
Code Issues Packages Projects Releases Wiki Activity

Created SC2150 (markdown)

koalaman
2014-11-22 11:59:42 -08:00
parent ca3c58873e
commit ac167674b6
1 changed files with 28 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
SC2150.md Normal file

@@ -0,0 +1,28 @@
## -exec does not invoke a shell. Rewrite or use -exec sh -c .. .
### Problematic code:
find . -type f -exec 'cat {} | wc -l' \;
### Correct code:
find . -type f -exec sh -c 'cat {} | wc -l' \; # Insecure
find . -type f -exec sh -c 'cat "$1" | wc -l' _ {} \; # Secure
Sometimes the command can also be rewritten to not require `find` to invoke a shell:
find . -type f -exec wc -l {} \; | cut -d ' ' -f 1
### Rationale:
find `-exec` and `-execdir` uses `execve(2)` style semantics, meaning it expects an executable and zero or more arguments that should be passed to it.
It does not use `system(3)` style semantics, meaning it does not accept a shell command as a string, to be parsed and evaluated by the system's command interpreter.
If you want `find` to execute a shell command, you have to specify `sh` (or `bash`) as the executable, `-c` as first argument and your shell command as the second.
To prevent command injection, the filename can be passed as a separate argument to sh and referenced as a positional parameter.
### Contraindications
This warning would trigger falsely if executing a program with spaces in the path, if no other arguments were specified.