Robbed Of My Glob

Published February 4, 2021

Bash is full of footguns. I hit another. 🦶🔫

Let me set the stage: for my portfolio-style website, I have it virtually self-hosted on a DigitalOcean instance. It’s a pretty simple setup with NGINX serving the static files and Let’s Encrypt handling the certificates to enable HTTPS. It’s been on my list to revisit how I host it—Caddy might make sense or maybe I’ll move it entirely to Netlify.

At any rate, I was idly doing some search engine queries to see what my site looked like to search engines. It’s static with pretty minimal content so it’s easy enough to verify by hand. It’s also the “entrypoint” to my online presence—there’s a non-zero amount of traffic that comes from that domain to this blog. To my dismay, I noticed a file that shouldn’t be indexed: an old resume from a different folder structure. Even more worrisome, it was still live, so somehow my deployment script wasn’t working as expected.

The last logical step of my script is an rm and cp sequence. The rm looked like:

rm -rf "$www_dir/*"

Immediately, I decided to run shellcheck. That led me to SC2115:

- rm -rf "$STEAMROOT/"*
+ rm -rf "${STEAMROOT:?}/"*

OK, that makes sense, don’t want to run rm -rf /*.

— me

And then it hit me: the * glob wasn’t being expanded because it’s in double quotes! The corrected line looks like:

rm -rf "${www_dir:?}"/*
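
The difference between the two lines, as an added example that is not from the original post: it runs both against a throwaway directory from mktemp and shows the :? guard stopping an empty variable. The function names, the sample file, and the use of : as a harmless stand-in for rm in the guard check are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: constructed directory and file names, not the author's deploy script.

# Build a throwaway web root holding one stale file (constructed sample data).
make_webroot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/old"
    echo "stale" > "$dir/old/resume.pdf"
    echo "$dir"
}

# Count everything still present below the directory.
count_entries() {
    find "$1" -mindepth 1 | wc -l | tr -d ' '
}

# Original line: the * sits inside the quotes, so rm receives a literal path
# ending in "/*". That path does not exist, and -f suppresses the error.
clean_quoted() {
    www_dir="$1"
    rm -rf "$www_dir/*"
}

# Corrected line: the glob is outside the quotes, and :? makes the expansion
# fail if www_dir is empty or unset.
clean_fixed() {
    www_dir="$1"
    rm -rf "${www_dir:?}"/*
}

# With an empty variable the expansion fails before the command runs.
# ":" stands in for rm, and the subshell contains the resulting shell exit.
guard_blocks_empty() {
    ( www_dir=""; : "${www_dir:?}"/* ) 2>/dev/null
}

demo() {
    d=$(make_webroot)
    clean_quoted "$d"; echo "quoted glob: $(count_entries "$d") entries left"
    clean_fixed "$d";  echo "fixed glob:  $(count_entries "$d") entries left"
    guard_blocks_empty || echo "empty www_dir: aborted before the command ran"
    rmdir "$d"
}
demo
```

Note that /* still skips dotfiles, so a stale hidden file in the web root would survive the corrected line too.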

Extra Bonus™: that initial (bad) line of code had been like that since 2016. 🙃

Last modified February 4, 2021  #bash 
