detect possible option injection

[pabs3]

Please detect possible option injection. This is when variables or wildcards lead to passing strings to commands that are then interpreted as options for those commands. This can result in incorrect behaviour from commands or in some cases arbitrary command execution. The canonical security paper on this is Back To The Future: Unix Wildcards Gone Wild by Leon Juranic. The Bash Pitfalls wiki page also describes this problem.

For new checks and feature suggestions

• [x] I was unable to check https://www.shellcheck.net/ because it requires JavaScript
• [x] I searched through https://github.com/koalaman/shellcheck/issues and didn't find anything related

Here's a snippet or screenshot that shows the problem:

#!/bin/sh
cp "$1" "$2"
for f in * ; do
    cp "$f" /target
done

Here's what shellcheck currently says:

Nothing.

Here's what I wanted or expected to see:

shellcheck should warn that options may be injected into the cp commands.

Here are three different correct ways to do things:

#!/bin/sh
cp -- "$1" "$2"
for f in ./* ; do
    cp "$f" /target
done

#!/bin/sh
cp -- "$1" "$2"
for f in * ; do
    cp -- "$f" /target
done

#!/bin/sh
cp -- "$1" "$2"
for f in * ; do
    cp "./$f" /target
done

[pabs3]

I just found that SC2035 exists to check that globs don't become options, but I note that it does not get triggered by the above code. So probably SC2035 needs to get expanded to cover the above cases.