---
title: Avoid eval on list expansions ($@ and ${name[@]})
description: Datadog, the leading service for cloud-scale monitoring.
---

# Avoid eval on list expansions ($@ and ${name[@]})

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `bash-security/avoid-eval-on-list-expansions`

**Language:** Bash

**Severity:** Error

**Category:** Security

**CWE:** [78](https://cwe.mitre.org/data/definitions/78.html)

## Description{% #description %}

List expansions expand to multiple words—chiefly `$@` (positional parameters) and `${name[@]}` (array elements). Feeding those into `eval` runs another round of shell parsing on the expanded words, so quoting and word boundaries can shift in dangerous ways and open the door to command injection (CWE-78).

Prefer fixing the data flow, calling commands without `eval`, or restructuring so each argument is handled safely without another round of shell parsing.

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```bash
#!/bin/bash
eval "$@"
eval "${files[@]}"
eval $@ foo
eval ${arr[@]}
```

## Compliant Code Examples{% #compliant-code-examples %}

```bash
#!/bin/bash
eval "echo hello"
eval "$foo"
eval "${arr[0]}"
printf '%s\n' "$@"
cmd "$@"
```
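
The following added example (not part of the Datadog rule documentation) runs the same argument list through `eval "$@"` and through a direct `"$@"` call to show how the second round of parsing changes word boundaries and executes embedded syntax. The function names and both sample arguments are constructed for illustration.

```bash
#!/bin/bash
# Added illustration; run_with_eval, run_direct and show_args are hypothetical names.

# Non-compliant pattern: eval joins the words of "$@" with spaces and parses the
# result as shell source, so metacharacters inside an argument become syntax.
run_with_eval() {
  eval "$@"
}

# Compliant pattern: the first word is the command and every later word is
# passed through as one literal argument. No second round of parsing happens.
run_direct() {
  "$@"
}

# Print each received argument in brackets so word boundaries are visible.
show_args() {
  printf '[%s]' "$@"
}

# Constructed inputs: each is ONE argument, as a caller might pass a file name.
sample_semicolon='report 2024.txt; echo INJECTED'
sample_subst='name $(echo SUBST)'

for sample in "$sample_semicolon" "$sample_subst"; do
  echo "input:  $sample"
  echo "direct: $(run_direct show_args "$sample")"
  echo "eval:   $(run_with_eval show_args "$sample")"
done
```

With the direct call, `show_args` receives each sample as a single bracketed argument. With `eval`, the space splits the argument, the `;` starts a second command, and the `$(...)` is executed.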