---
title: Guard rm when unset variable expands to filesystem root path
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST
  Rules > Guard rm when unset variable expands to filesystem root path
---

# Guard rm when unset variable expands to filesystem root path

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ().
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**ID:** `bash-security/guard-rm-rf-variable-paths`

**Language:** Bash

**Severity:** Error

**Category:** Security

**CWE**: [73](https://cwe.mitre.org/data/definitions/73.html)

## Description{% #description %}

A pattern like `rm -rf "$DIR/"*` deletes files under `$DIR`. If `$DIR` is empty, the quoted part becomes nothing and the glob can expand from the filesystem root, with catastrophic effect.

Use a form that fails when the variable is unset or empty, for example `rm -rf "${DIR:?}/"*`, or assign and validate the path before running `rm`.

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```bash
#!/bin/bash
rm -r -f "$STEAMROOT/"*
rm -rf "$STEAMROOT/"*
rm "$STEAMROOT/"*
rm -rf "${build}/"*
```

## Compliant Code Examples{% #compliant-code-examples %}

```bash
#!/bin/bash
rm -rf "${STEAMROOT:?}/"*
rm -rf /tmp/safe
rm -rf "$HOME/dir"
rm "$HOME/dir"
```
  Seamless integrations. Try Datadog Code SecurityDatadog Code Security 
{% icon name="icon-external-link" /%}