Shell Script Pitfalls and ShellCheck Solutions


Shell scripting is a powerful tool in any developer’s toolkit, but it has many surprising issues that can lead to security vulnerabilities and maintenance headaches. Fortunately, tools like ShellCheck offer a robust way to detect and fix these common problems. Let’s explore some typical shell script challenges and how ShellCheck can help resolve them.

Unquoted Variables: A Common Source of Bugs

One of the most frequent mistakes in shell scripting is the failure to quote variables. Consider this simple example:

file_list=$(ls $directory)

At first glance, this seems harmless. But what happens if $directory contains spaces or wildcards? It leads to unexpected behavior and potential security issues. ShellCheck identifies these risks and suggests a safer alternative:

file_list=$(ls "$directory")

Handling Command Substitutions

Command substitution, using backticks (`) or $(...), is a staple in shell scripting for capturing the output of a command. However, it’s easy to overlook the implications of its usage in different contexts. For instance:

file_count=`ls -l | wc -l`

This might work, but ShellCheck would flag it for two reasons: the result is exposed to word splitting when used unquoted, and the backtick form has been superseded by the more readable and nestable $(...) syntax. A better approach is:

file_count=$(ls -l | wc -l)

The Perils of Using eval

The eval command is incredibly powerful, but with great power comes great responsibility. eval executes a string as a shell command, making it highly susceptible to code injection. For example:

eval "some_command $user_input"

If $user_input is not carefully sanitized, it can lead to serious security breaches. ShellCheck warns against the use of eval and suggests safer alternatives, like using arrays or dedicated parsing functions.

Globbing and Word Splitting Woes

Globbing (wildcard expansion) and word splitting are features of the shell that, if misunderstood, can lead to scripts behaving in unexpected ways. Consider this example:

rm -rf $files_to_delete

If $files_to_delete contains wildcards or spaces, this could lead to disastrous results. ShellCheck advises explicitly handling these cases, often suggesting the use of arrays and quoting:

rm -rf "${files_to_delete[@]}"
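The following script is an added example, not code from the original post: it builds a constructed directory whose names contain a space and a literal "*.txt", then contrasts the unquoted and quoted forms from the sections above, the array-based deletion, and an array-based alternative to eval. The fixture paths, the function names and the WORK variable are all assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: a self-contained demo of
# the quoting, globbing and eval pitfalls above, with constructed file names.
set -u

# Normalise `wc -l` output (some platforms pad it with spaces).
count_lines() { echo $(( $(wc -l) )); }

# Constructed fixture: a directory with a space in its name, holding a file
# with a space and a file literally named "*.txt".
setup_fixture() {
  WORK=$(mktemp -d)
  mkdir -p "$WORK/my dir"
  : > "$WORK/my dir/a b.txt"
  : > "$WORK/my dir/*.txt"
  : > "$WORK/my dir/keep.log"
}

# Unquoted: $dir is split into "<WORK>/my" and "dir", neither of which
# exists, so nothing is listed. ShellCheck flags this as SC2086.
count_unquoted() {
  local dir="$WORK/my dir"
  ls $dir 2>/dev/null | count_lines
}

# Quoted: a single argument, so the listing is correct.
count_quoted() {
  local dir="$WORK/my dir"
  ls "$dir" | count_lines
}

# Safe deletion: keep the paths in an array and quote the expansion, so the
# entry "*.txt" is removed by name rather than expanded as a wildcard.
delete_safely() {
  local files_to_delete
  files_to_delete=("$WORK/my dir/a b.txt" "$WORK/my dir/*.txt")
  rm -f -- "${files_to_delete[@]}"
  ls "$WORK/my dir" | count_lines   # only keep.log should remain
}

# eval-free dispatch: the command and its arguments live in an array, so
# user-supplied text is passed as one argument and never re-parsed as code.
run_without_eval() {
  local cmd
  cmd=(printf '%s\n' "$1")
  "${cmd[@]}"
}
```

Running ShellCheck over this file reports the unquoted `$dir` in count_unquoted and nothing for the quoted and array-based functions.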

ShellCheck: Your Scripting Partner

ShellCheck isn’t just a bug detector; it’s a teaching tool. By incorporating its suggestions, developers not only fix their scripts but also learn better scripting practices. It’s a valuable asset for both new and experienced shell scripters.


Shell scripting, while powerful, is laden with subtleties that can trip up even the most seasoned developers. ShellCheck serves as a vigilant guardian, helping to navigate the nuances of shell scripting. By highlighting common issues and offering secure remedies, ShellCheck ensures that your shell scripts are not only functional but also robust and secure.

Remember, the best way to learn is through practice and reflection. Use ShellCheck as a guide, but also take time to understand why certain practices are recommended. This approach will greatly enhance your scripting skills and contribute to your overall development expertise.

About PullRequest

HackerOne PullRequest is a platform for code review, built for teams of all sizes. We have a network of expert engineers enhanced by AI, to help you ship secure code, faster.

by PullRequest

December 14, 2023