shellcheck SC2295 should also warn for unquoted variables in pattern substitution

SC2295 should also warn for unquoted variables in pattern substitution

Open vejkse opened this issue 2 years ago • 1 comments

For new checks and feature suggestions

[x] https://www.shellcheck.net/ (i.e. the latest commit) currently gives no useful warnings about this
[x] I searched through https://github.com/koalaman/shellcheck/issues and didn't find anything related

Here's a snippet or screenshot that shows the problem:

#!/bin/bash

string='[ab][bc]'
substring='[ab]'
echo "${string//"$substring"/[xy]}"
echo "${string//$substring/[xy]}" # the “substring” is in fact a pattern

This produces

[xy][bc]
[[xy][xy]][[xy]c]

Here's what shellcheck currently says:

Nothing.

Here's what I wanted or expected to see:

For line 6, the same warning as with SC2295:

Expansions inside ${..} need to be quoted separately, otherwise they will match as a pattern.

The same for all kinds of substring replacement: ${…/…/…}, ${…//…/…}, ${…/%…/…}, ${…/#…/…}, ${…/…}, etc.

I don’t know if this should be an extension of SC2295 or a new warning.

Apr 09 '23 15:04 vejkse

Variables should be quoted in the replacement as well:

subst='a&a'
orig=hello
printf '<%s>\n' "${orig/hello/$subst}"
printf '<%s>\n' "${orig/hello/"$subst"}"

produces

<ahelloa>
<a&a>

Sep 24 '23 12:09 hvenev

shellcheck shellcheck copied to clipboard

SC2295 should also warn for unquoted variables in pattern substitution

For new checks and feature suggestions

Here's a snippet or screenshot that shows the problem:

Here's what shellcheck currently says:

Here's what I wanted or expected to see:

shellcheck
shellcheck copied to clipboard